Remote Host Port Number
212.69.208.105 80
94.23.45.70 6667
NICK vrX|na|XP|SP2|00001
JOIN #vncrad# itsinearstoo
MODE #vncrad#
NICK :vrX|na|XP|SP2|00001
PRIVMSG #vncrad# :
Scanning Range
10195.241.0.0
10scan
USER RadXScan “” “94.23.45.70” :RadX
MODE vrX|na|XP|SP2|00001 +i
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass\Enum
o HKEY_USERS\.DEFAULT\Software\mIRC
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\WinRAR SFX
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
+ (Default) = “Chat File”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
+ (Default) = “URL:IRC Protocol”
+ EditFlags = 02 00 00 00
+ URL Protocol = “”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = “mIRC”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Lsass”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000]
+ Service = “Lsass”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Lsass”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass\Enum]
+ 0 = “Root\LEGACY_LSASS\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lsass]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ DisplayName = “Lsass”
+ ObjectName = “LocalSystem”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Lsass”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000]
+ Service = “Lsass”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Lsass”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass\Enum]
+ 0 = “Root\LEGACY_LSASS\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsass]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ DisplayName = “Lsass”
+ ObjectName = “LocalSystem”
o [HKEY_USERS\.DEFAULT\Software\mIRC]
+ (Default) = “1278047899,0”
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC]
+ (Default) = “1278048002,0”
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 942 510 bytes MD5: 0x1AE3AB9F3265265E79A1A2B8D3F7F06F
SHA-1: 0x5F92927D746614AD7783725CEB2E797EB181C194 not-a-virus:RiskTool.Win32.PsKill.103, not-a-virus:Client-IRC.Win32.mIRC.617 [Kaspersky Lab]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]