ms4all.twoplayers.net – Inside Your Botnet

Remote Host Port Number
112.78.112.208 80
195.2.252.21 80
204.45.118.250 80
204.45.121.50 80
218.85.133.201 80
123.0.41.218 3128
24.63.206.135 3128
62.103.174.192 3128
82.38.141.57 3128
204.45.85.218 57221 PASS laorosr
209.90.137.223 1199

USER SP2-743 * 0 :COMPUTERNAME
MODE #! -ix
MODE #Ma -ix
MODE [N00_USA_XP_7728388]
@ -ix
MODE #dpi -ix

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://123.0.41.218/+17253.html
o http://cefaery.com/dwmucwryg/eidksa.php?adv=adv600
o http://cefaery.com/dwmucwryg/qhlwelge.php?adv=adv600
o http://cefaery.com/dwmucwryg/ulcnhpaip.php?adv=adv600&code1=KNM0&code2=4104&id=13441600&p=1
o http://cefaery.com/dwmucwryg/xofmysnlgn.php?id=13441600&p=1
o http://cefaery.com/dwmucwryg/xofnlsa.php?adv=adv600
o http://204.45.118.250/__ex
o http://204.45.118.250/__ld
o http://204.45.121.50/mybackup21.rar
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi
o http://24.63.206.135/+17253.html
o http://62.103.174.192/+17253.html
o http://82.38.141.57/+17253.html

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_ASYNCMAC
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_ASYNCMAC000
o HKEY_LOCAL_MACHINESYSTEMControlSet002EnumRootLEGACY_ASYNCMAC
o HKEY_LOCAL_MACHINESYSTEMControlSet002EnumRootLEGACY_ASYNCMAC000

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_ASYNCMAC000]
+ Service = “AsyncMac”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “RAS Asynchronous Media Driver”
+ Capabilities = 0x00000000
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_ASYNCMAC]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet002EnumRootLEGACY_ASYNCMAC000]
+ Service = “AsyncMac”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “RAS Asynchronous Media Driver”
+ Capabilities = 0x00000000
o [HKEY_LOCAL_MACHINESYSTEMControlSet002EnumRootLEGACY_ASYNCMAC]
+ NextInstance = 0x00000001

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %CommonAppData%MicrosoftCryptoRSAS-1-5-186d14e4b1d8ca773bab785d1be032546e_a7bcc1a4-f7a4-4502-8650-8579e607f7f7 47 bytes MD5: 0x64BC6B0E1D907AE8ACF27BDB155344C2
SHA-1: 0x7AA0D9AF2D61D73A044F288E16FDD07813C972BA (not available)
2 %AppData%ohydy.exe
[file and pathname of the sample #1] 82 944 bytes MD5: 0xDB6785A8DFAB9EEFFD87A2D1AC4C1825
SHA-1: 0x973B4CDEA43A8CFD1540B4248D7366D70E9582EB Worm.Win32.AutoRun.bntt [Kaspersky Lab]
Troj/Pincav-I [Sophos]
Trojan:Win32/Rimecud.A [Microsoft]
3 %Temp%1138.exe
%Windir%cfdrive32.exe 86 016 bytes MD5: 0x5CCE5D43CD187C397FEAA68019FDA0D3
SHA-1: 0x5FB0F83189196F412FEE82820117FC3CE09654EA (not available)
4 %Temp%36053.exe
c:RECYCLERS-1-5-21-0243936033-3052116371-381863308-1811vsbntlo.exe 69 632 bytes MD5: 0x6F1229CF9564C74389D3231E72990928
SHA-1: 0x6BA0ED0E792E19A3D9DBB5FC9847FB2E6BE3FE07 Trojan:Win32/Meredrop [Microsoft]
5 %Temp%6219578.exe
c:lsass.exe 25 088 bytes MD5: 0x00E1EF60617FA28C0FF5E83274FA0C03
SHA-1: 0x4422D228A354ECFF0FC80DBC0D9CBF674AB671C6 Suspicious.MH690 [Symantec]
Mal/Zlob-AG [Sophos]
Trojan-Downloader.Agent [Ikarus]
Win-Trojan/Cson3.Gen [AhnLab]
packed with UPX [Kaspersky Lab]
6 %Temp%629.exe 2 172 bytes MD5: 0x2DB236EC4F6C85C93F3F2089B3EE31E7
SHA-1: 0x5BA48A4A2FBED436DA83CB201CC6F3F8DD091404 (not available)
7 %Temp%998935.exe 2 162 bytes MD5: 0x2E174D69715E40C41274F776438F479F
SHA-1: 0x91373F9DBF5E327BF2D27D886B4B20E104C2410B (not available)
8 %Temp%ftvslix.exe 21 504 bytes MD5: 0x2F50AFAFB174303A56E1B4F6E4C6192D
SHA-1: 0xAA0ED5E78AB4E9B78D9CD5E2543028F5B3A5F5B5 Trojan:Win32/Meredrop [Microsoft]
9 c:RECYCLERS-1-5-21-0243936033-3052116371-381863308-1811Desktop.ini 63 bytes MD5: 0xE783BDD20A976EAEAAE1FF4624487420
SHA-1: 0xC2A44FAB9DF00B3E11582546B16612333C2F9286 (not available)
10 %System%driversasyncmac.sys.bak 14 336 bytes MD5: 0x02000ABF34AF4C218C35D257024807D6
SHA-1: 0x4BD208ABCAB95B6E14E966EAB395BCDE461B839E packed with PE_Patch [Kaspersky Lab]
11 %System%driversatmarpc.sys.bak 59 904 bytes MD5: 0xEC88DA854AB7D7752EC8BE11A741BB7F
SHA-1: 0x6DF1AA383BA018086A5B15E551003995A44D7696 packed with PE_Patch [Kaspersky Lab]