67.210.170.142

Remote Host       Port Number
67.210.170.142    20000

PASS ohai
NICK cbikfo
USER qiyvar "" "xxh" :qiyvar

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}]
    + StubPath = "c:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe"

so that svchost.exe runs every time Windows starts

File System Modifications

* The following files were created in the system:

1. Filename(s): c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\Desktop.ini
   File Size: 62 bytes
   File Hash: MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
              SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
   Alias: (not available)

2. Filename(s): c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
   [file and pathname of the sample #1]
   File Size: 59 392 bytes
   File Hash: MD5: 0xF6403CFA5349C5EB452AF5E809D55DCE
              SHA-1: 0xD91E563412BF5A1B35B3B7137BFC8D9814CC6880
   Alias: Worm.Win32.Agent.wn [Kaspersky Lab]
          W32/Autorun.worm.zzk [McAfee]
          Mal/EncPk-MX [Sophos]
          Worm:Win32/Hamweq.A [Microsoft]

* The following directory was created:
  o c:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013
