Remote Host        Port Number
67.210.170.142     20000

PASS ohai
NICK pavtkt
USER ugjyyk "" "wfm" :ugjyyk
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}]
+ StubPath = "c:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe"
so that svchost.exe runs every time Windows starts
* The following file was modified:
o c:\pagefile.sys
* The following directory was created:
o c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013
File System Modifications
* The following files were created in the system:
1 c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\Desktop.ini
File Size: 62 bytes
File Hash: MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
Alias: (not available)

2 c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
[file and pathname of the sample #1]
File Size: 45 568 bytes
File Hash: MD5: 0xCEC2E02AAB0064344159F4C62CA78ACD
SHA-1: 0x93BF179D7F62714519EBB75CC6DB86C46F0E216F
Alias:
Trojan.Generic [PCTools]
Trojan Horse [Symantec]
Worm.Win32.Agent.wm [Kaspersky Lab]
DNSChanger.d [McAfee]
Worm:Win32/Hamweq.A [Microsoft]
Win32/Agent.worm.45568.E [AhnLab]