Remote Host       Port Number
178.211.53.6      9595
72.233.89.199     80
91.198.22.71      80

PASS prison
PONG leaf.35204.com
NICK {iNF-00-USA-XP-COMP-6996}
USER MEAT * 0 :COMP
JOIN ###mini
NICK {00-USA-XP-COMP-5663}
Now talking in ###mini
Topic On: [ ###mini ] [ .banner ]
Topic By: [ pe[ro ]
Modes On: [ ###mini ] [ +smntu ]
Other details
* The following ports were open in the system:
Port    Protocol    Process
1051    TCP         usbmgr.exe (%Windir%\usbmgr.exe)
1053    TCP         usbmgr.exe (%Windir%\usbmgr.exe)
1054    TCP         usbmgr.exe (%Windir%\usbmgr.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Universal Serial Bus device = “usbmgr.exe”
so that usbmgr.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename       Main Module Size
usbmgr.exe      %Windir%\usbmgr.exe    368 640 bytes
* The following system service was modified:
Service Name    Display Name       New Status    Service Filename
wscsvc          Security Center    “Stopped”     %System%\svchost.exe -k netsvcs
File System Modifications
* The following files were created in the system:
#  Filename(s)                             File Size      File Hash                                          Alias
1  %Windir%\nigzss.txt                     0 bytes        MD5: 0xD41D8CD98F00B204E9800998ECF8427E            (not available)
                                                          SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2  [file and pathname of the sample #1]    294 979 bytes  MD5: 0xD573BDC692A4C431B13F1FC53CB1476D            Net-Worm.Win32.Kolab.lsq [Kaspersky Lab]
   %Windir%\usbmgr.exe                                    SHA-1: 0x6B02473FEC55C4B9D769A8B4A72A9E66EB0804CC  Generic.dx!und [McAfee]
                                                                                                             Backdoor:Win32/IRCbot.gen!K [Microsoft]
                                                                                                             Win32/Kolab.worm.294979 [AhnLab]