Remote Host         Port Number
r0x.botsgod.info    4949
Resolved : [r0x.botsgod.info] To [92.243.28.194]
Resolved : [r0x.botsgod.info] To [217.70.188.30]
Resolved : [r0x.botsgod.info] To [95.142.163.184]
PASS VrX
NICK [USA][XP-SP2]644230
USER VirUs “” “lol” :My_Name_iS_PIG_and_Iam_A_GaY1854
JOIN #r0x# VrX
NICK {NOVA}[USA][XP-SP2]733340
USER VirUs “” “lol” :My_Name_iS_PIG_and_Iam_A_GaY8868
NICK [USA][XP-SP2]350911
USER VirUs “” “lol” :My_Name_iS_PIG_and_Iam_A_GaY0505
* To mark the presence in the system, the following Mutex object was created:
o TrYmEtiKr0xv1.0
* The following port was open in the system:
Port   Protocol   Process
1036   TCP        winupdate.exe (%Temp%\winupdate.exe)
* The following Host Names were requested from a host database:
o r0x.botsgod.info
o av.psybnc.cz
o av.shannen.cc
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft iexplorer11 = "%Temp%\WinUpdate.exe"
so that WinUpdate.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft iexplorer11 = "%Temp%\WinUpdate.exe"
so that WinUpdate.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                  Process Filename                       Main Module Size
WinUpdate.exe                 %Temp%\winupdate.exe                   53 248 bytes
[filename of the sample #1]   [file and pathname of the sample #1]   184 320 bytes
File System Modifications
* The following files were created in the system:
1. Filename(s): %Temp%\explorer_smece22611419.tmp
   File Size:   9 bytes
   File Hash:   MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
                SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
   Alias:       (not available)
2. Filename(s): %Temp%\WinUpdate.exe
                [file and pathname of the sample #1]
   File Size:   70 145 bytes
   File Hash:   MD5: 0x7991650CC34B1EAFC4D1BCDB99D6A9FD
                SHA-1: 0xFAF1C152D59B344797D3D251914D3D33A7C21C37
   Alias:       HeurEngine.MaliciousPacker [PCTools]
                Packed.Generic.307 [Symantec]
                Trojan:Win32/Ircbrute [Microsoft]
                Win-Trojan/Xpack.70145 [AhnLab]
                packed with UPX [Kaspersky Lab]