Remote Host      Port Number
92.241.174.61    6667
NICK {XPUSA345887}
JOIN #hack
PONG irc.hackers.gov
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA345887} +ix
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = "servis.exe"
so that servis.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update = "%Temp%\service2.exe"
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename     Main Module Size
servis.exe      %Temp%\servis.exe    356 352 bytes
File System Modifications
* The following file was created in the system:
File #1
Filename(s): %Temp%\servis.exe
             [file and pathname of the sample #1]
File Size:   24 576 bytes
File Hash:   MD5: 0xCD7197E90BAAAB74166D468210D162C4
             SHA-1: 0xBFD4DE9391DDA67DB5A83FA6B43DD4C127EC3C3D
Alias:       Trojan.IRCBot [PCTools]
             W32.IRCBot.Gen [Symantec]
             Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
             Mal/IRCBot-C [Sophos]
             Backdoor.Win32.IRCBot [Ikarus]
             Win32/IRCBot.worm.Gen [AhnLab]
             packed with UPX [Kaspersky Lab]