Remote Host       Port Number
72.20.16.227      6667

IRC traffic observed on this connection:

PING irc.rootswitch.net
USER [{NEW}|USA|XP|3015|COMPUTERNAME] True * :Final
NICK [{NEW}|USA|XP|3015|COMPUTERNAME]
JOIN ##MafiaWars## secret_ninja
PONG :You have not registered
Registry Modifications
* The newly created Registry Value is:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + d-winlogon = "%AppData%\winlogon\d-winlogon.exe"
  so that d-winlogon.exe runs every time Windows starts
File System Modifications
* The following files were created in the system:

  1. %AppData%\nt.bat
     File Size: 614 bytes
     MD5:       0xCB02B37D41817C85D15BEAAD347E9CDC
     SHA-1:     0x0CF2BE6C5CF748F6E360ADD0F00171F17F1DAE7E
     Alias:     (not available)

  2. %AppData%\winlogon\d-winlogon.exe
     [file and pathname of the sample #1]
     File Size: 159,232 bytes
     MD5:       0xCD5B880D7FBAB457117CF1E4790DFF98
     SHA-1:     0x9AA0EB81E8418F99D3A6F2F0B65E946062701C32
     Alias:     IM-Worm.MSIL.NsMes.m [Kaspersky Lab]
                Generic.dx!uiq [McAfee]
                Worm:MSIL/Tawsebot.A [Microsoft]
                Trojan-PWS.MSIL [Ikarus]

  3. %AppData%\winlogon\here.txt
     %AppData%\winlogon\z0mg.txt
     File Size: 0 bytes
     MD5:       0xD41D8CD98F00B204E9800998ECF8427E
     SHA-1:     0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
     Alias:     (not available)

  4. %System%\log.txt
     File Size: 37 bytes
     MD5:       0x768165E0ABF16BF3056836D5431A7296
     SHA-1:     0x9FB3196BE60E49BFC319EBD9E0B103954D711E34
     Alias:     (not available)