124.217.229.162

Remote Host         Port Number
124.217.229.162     83

Outbound traffic to that host on TCP port 83 (an IRC client login sequence, sent in the clear):
PASS letmein
NICK [00-USA-XP-3036431]
USER SP2-ilm * 0 :COMPUTERNAME
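PASS, NICK and USER are the standard IRC registration commands; here they go to port 83 rather than an IRC port, and the nick looks machine-generated. The following Python is an added example, not part of the original report, that flags that pattern in a list of outbound payloads. The flows are constructed (the first three are the lines above, the rest benign filler), and the split of the nick into prefix, country, OS and random id is an assumption drawn from the shape of "[00-USA-XP-3036431]".

```python
import re
from collections import defaultdict

# Constructed sample of outbound TCP payloads as (dst_ip, dst_port, payload);
# the first three entries are the lines from the report, the rest are benign filler.
SAMPLE_FLOWS = [
    ("124.217.229.162", 83, "PASS letmein"),
    ("124.217.229.162", 83, "NICK [00-USA-XP-3036431]"),
    ("124.217.229.162", 83, "USER SP2-ilm * 0 :COMPUTERNAME"),
    ("192.0.2.10", 80, "GET / HTTP/1.1"),
    ("10.0.0.5", 6667, "NICK alice"),
    ("10.0.0.5", 6667, "USER alice 0 * :Alice"),
]

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}
# Assumed layout of the bot nick "[00-USA-XP-3036431]": prefix, country, OS, random id.
BOT_NICK = re.compile(
    r"^\[(?P<prefix>\d{2})-(?P<country>[A-Z]{2,3})-(?P<os>[A-Z0-9]+)-(?P<rand>\d+)\]$")


def find_irc_registrations(flows):
    """Group payloads per (ip, port) and report every peer that received an IRC
    registration (NICK + USER). PASS, the nick shape and the port are recorded
    so the caller can decide what to alert on."""
    by_peer = defaultdict(dict)
    for ip, port, payload in flows:
        cmd, _, rest = payload.partition(" ")
        by_peer[(ip, port)].setdefault(cmd.upper(), rest)  # keep the first of each command
    findings = []
    for (ip, port), cmds in by_peer.items():
        if "NICK" not in cmds or "USER" not in cmds:
            continue
        nick = cmds["NICK"].strip()
        m = BOT_NICK.match(nick)
        f = {
            "peer": "%s:%d" % (ip, port),
            "password": cmds.get("PASS"),
            "nick": nick,
            "realname": cmds["USER"].partition(":")[2],   # the bot sends the host name here
            "nonstandard_port": port not in IRC_PORTS,
            "bot_style_nick": m.groupdict() if m else None,
        }
        f["suspicious"] = f["nonstandard_port"] or f["bot_style_nick"] is not None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in find_irc_registrations(SAMPLE_FLOWS):
        print(finding)
```

Run against the sample, the 124.217.229.162:83 peer is reported with the channel password, the parsed nick fields and the non-standard port, while the 6667 flow with a human-looking nick is reported but not marked suspicious.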

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application\Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WM System Decode Application]
+ (Default) = "Service"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WM System Decode Application]
+ (Default) = "Service"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "sysdrv32"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000]
+ Service = "sysdrv32"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Play Port I/O Driver"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "WM System Decode Application"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000]
+ Service = "WM System Decode Application"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "WM System Decode Application"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Enum]
+ 0 = "Root\LEGACY_SYSDRV32\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32]
+ Type = 0x00000001
+ Start = 0x00000003
+ ErrorControl = 0x00000001
+ ImagePath = "%System%\drivers\sysdrv32.sys"
+ DisplayName = "Play Port I/O Driver"
+ Group = "SST miniport drivers"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application\Enum]
+ 0 = "Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System Decode Application]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = ""%Windir%\system\ixdfsx.exe""
+ DisplayName = "WM System Decode Application"
+ ObjectName = "LocalSystem"
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = "WM System Decode Application"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WM System Decode Application]
+ (Default) = "Service"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WM System Decode Application]
+ (Default) = "Service"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "sysdrv32"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000]
+ Service = "sysdrv32"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Play Port I/O Driver"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "WM System Decode Application"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000]
+ Service = "WM System Decode Application"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "WM System Decode Application"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum]
+ 0 = "Root\LEGACY_SYSDRV32\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
+ Type = 0x00000001
+ Start = 0x00000003
+ ErrorControl = 0x00000001
+ ImagePath = "%System%\drivers\sysdrv32.sys"
+ DisplayName = "Play Port I/O Driver"
+ Group = "SST miniport drivers"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application\Enum]
+ 0 = "Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WM System Decode Application]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = ""%Windir%\system\ixdfsx.exe""
+ DisplayName = "WM System Decode Application"
+ ObjectName = "LocalSystem"
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = "WM System Decode Application"

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
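The raw values above say more than the sandbox spells out: Type 0x110 is an own-process service flagged interactive, Start 2 is auto-start, the SafeBoot entries keep the service running in Safe Mode, FailureActions tells the Service Control Manager what to do when the process dies, and Security is a self-relative SECURITY_DESCRIPTOR. The following Python is an added example, not part of the original report, that decodes those blobs. It assumes the 32-bit SERVICE_FAILURE_ACTIONS layout (the sample ran on XP), and because the page's Security dump breaks off inside the second DACL entry, the parser stops at the first ACE that no longer fits rather than failing.

```python
import struct

# Bit names from winnt.h / winsvc.h (Windows SDK).
SERVICE_TYPE_FLAGS = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                      0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
                      0x100: "SERVICE_INTERACTIVE_PROCESS"}
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
                 3: "DEMAND_START", 4: "DISABLED"}
SC_ACTION = {0: "NONE", 1: "RESTART", 2: "REBOOT", 3: "RUN_COMMAND"}
ACE_TYPE = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010

# Values copied from the report above. The Security dump on the page is truncated,
# so SECURITY_BLOB ends after 7 bytes of its second DACL entry.
BOT_SERVICE = {"Type": 0x110, "Start": 2, "FailureActions": bytes.fromhex(
    "0A000000 00000000 00000000 01000000 00000000 01000000 B80B0000")}
DRIVER_SERVICE = {"Type": 0x1, "Start": 3}
SECURITY_BLOB = bytes.fromhex(
    "01001480 90000000 9C000000 14000000 30000000"                      # SD header
    "02001C00 01000000 02801400 FF010F00 01010000 00000001 00000000"  # SACL, 1 ACE
    "02006000 04000000 00001400 FD010200 01010000 00000005 12000000"  # DACL, ACE 1 of 4
    "00001800 FF010F")                                                   # ACE 2, cut off


def decode_type(value):
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if value & bit]


def decode_start(value):
    return SERVICE_START.get(value, "UNKNOWN(%d)" % value)


def decode_failure_actions(blob):
    """32-bit SERVICE_FAILURE_ACTIONS (assumed): dwResetPeriod, two pointer slots,
    cActions, one more pointer slot, then cActions SC_ACTION {type, delay_ms}."""
    reset_s, _, _, count, _ = struct.unpack_from("<5I", blob, 0)
    pairs = [struct.unpack_from("<II", blob, 20 + 8 * i) for i in range(count)]
    return reset_s, [(SC_ACTION.get(t, "UNKNOWN(%d)" % t), d) for t, d in pairs]


def parse_sid(blob, off):
    rev, n = blob[off], blob[off + 1]
    authority = int.from_bytes(blob[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, blob, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(blob, off):
    """Return [(ace_type, flags, access_mask, sid)] for the ACL at `off`; stops at
    the first ACE that does not fit in the data (truncated dump)."""
    _rev, _, _size, count, _ = struct.unpack_from("<BBHHH", blob, off)
    aces, pos = [], off + 8
    for _ in range(count):
        try:
            atype, flags, asize = struct.unpack_from("<BBH", blob, pos)
            (mask,) = struct.unpack_from("<I", blob, pos + 4)
            sid = parse_sid(blob, pos + 8)
        except (struct.error, IndexError):
            break
        aces.append((ACE_TYPE.get(atype, "TYPE_%d" % atype), flags, mask, sid))
        pos += asize
    return aces


def parse_security(blob):
    rev, _, control, _owner, _group, sacl, dacl = struct.unpack_from("<BBHIIII", blob, 0)
    return {"revision": rev, "control": control,
            "sacl": parse_acl(blob, sacl) if control & SE_SACL_PRESENT and sacl else [],
            "dacl": parse_acl(blob, dacl) if control & SE_DACL_PRESENT and dacl else []}


def summarize(name, svc):
    line = "%s: Type=%s Start=%s" % (name, "|".join(decode_type(svc["Type"])),
                                     decode_start(svc["Start"]))
    if "FailureActions" in svc:
        reset, actions = decode_failure_actions(svc["FailureActions"])
        line += " FailureActions=%s (counter resets after %ds)" % (actions, reset)
    return line


if __name__ == "__main__":
    print(summarize("WM System Decode Application", BOT_SERVICE))
    print(summarize("sysdrv32", DRIVER_SERVICE))
    sd = parse_security(SECURITY_BLOB)
    for kind in ("sacl", "dacl"):
        for ace in sd[kind]:
            print("%s %s flags=0x%02x mask=0x%08x %s" % ((kind.upper(),) + ace))
```

Decoded, the bot service is an auto-started, interactive, LocalSystem process that the SCM restarts 3000 ms after any exit (so killing ixdfsx.exe without first stopping or deleting the service only buys three seconds), and the driver is a demand-start kernel driver. The recoverable part of the security descriptor is the stock service descriptor: a failed-access audit ACE for Everyone (S-1-1-0) and an allow ACE for SYSTEM (S-1-5-18) with mask 0x201FD; the page does not show the remaining three DACL entries.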

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename             Main Module Size
ixdfsx.exe     %Windir%\system\ixdfsx.exe   139 264 bytes

* There was a new service created in the system:

Service Name                   Display Name                   Status     Service Filename
WM System Decode Application   WM System Decode Application   "Running"  "%Windir%\system\ixdfsx.exe"

File System Modifications

* The following files were created in the system:

1. %Windir%\system\ixdfsx.exe
   [file and pathname of the sample #1]
   File Size: 56 320 bytes
   MD5: 0xF50C4682E3E68AACDA865DE236B95900
   SHA-1: 0x76148969E730967921D2AAD7151EAFFF1D88E51E
   Aliases: Trojan.Win32.FraudPack.cjaf [Kaspersky Lab]; Trojan:Win32/Ircbrute [Microsoft]; Dropper/Malware.56320.CB [AhnLab]

2. %System%\drivers\sysdrv32.sys
   File Size: 11 656 bytes
   MD5: 0x0E219B74E2C68A34CA09D8FE114F6D11
   SHA-1: 0x153554E644907D1E4E73B0660A7D0C3213691A6B
   Aliases: Trojan-Proxy.Agent [PCTools]; Hacktool.Rootkit [Symantec]; Backdoor.Win32.IRCBot.jsm [Kaspersky Lab]; Generic Rootkit.g [McAfee]; W32/Autorun-AMP [Sophos]; HackTool:WinNT/Tcpz.A [Microsoft]; Backdoor.Win32.IRCBot [Ikarus]; Win-Trojan/Rootkit.11656 [AhnLab]; packed with PE_Patch [Kaspersky Lab]
