Remote Host | Port Number
217.23.13.240 | 6374
NICK n{USA|XP}392156
USER 3921 "" "TsGh" :3921
JOIN #nade2#
PONG :irc.NaDe.gov
* The following port was open in the system:
Port | Protocol | Process
1053 | TCP | hidserv.exe (%AppData%\hidserv.exe)
Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\hidserv.exe"
    so that hidserv.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\hidserv.exe"
    so that hidserv.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name | Process Filename | Main Module Size
hidserv.exe | %AppData%\hidserv.exe | 57 344 bytes
File System Modifications
* The following files were created in the system:
# | Filename(s) | File Size | File Hash | Alias
1 | %AppData%\hidserv.exe; [file and pathname of the sample #1] | 180 224 bytes | MD5: 0xE5EFB52FB689514FC8230380ABFFEAD2; SHA-1: 0x158FB3088C185306A57382A581BE75BF8369F90E | Trojan-Downloader.Win32.Genome.bbrx [Kaspersky Lab]; Worm.Win32.Arhost [Ikarus]
2 | %Temp%\google_cache2.tmp | 9 bytes | MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE; SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891 | (not available)