Remote Host      Port Number
212.95.45.107    6567
NICK {XPUSA661553}
JOIN #kavtodio2
PONG fatalz.net
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA661553} -ix
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = “svchots.exe”
so that svchots.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update = “%Temp%\svchots.exe”
so that svchots.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename      Main Module Size
svchots.exe     %Temp%\svchots.exe    331 776 bytes
File System Modifications
* The following file was created in the system:
#:            1
Filename(s):  %Temp%\svchots.exe
              [file and pathname of the sample #1]
File Size:    75 895 bytes
File Hash:    MD5: 0xDAC35FA239DEC8B389FE9B3DCBB955C1
              SHA-1: 0x931C12FE63D25AA13C8CD59426F67A29E5E294BB
Alias:        Trojan.VBInject [PCTools]
              Backdoor.IRC.Bot [Symantec]
              Backdoor.Win32.Shark.ihv [Kaspersky Lab]
              Mal/Generic-L [Sophos]
              Trojan:Win32/Ircbrute [Microsoft]
              Trojan.Win32.VBKrypt [Ikarus]