Remote Host          Port Number
129.7.211.61         7537

Resolved : [xdrone.sytes.net] To [129.7.211.61]

IRC commands sent by the client over this connection:

NICK carnern
SILENCE +*!*@*,~*!*@*undernet.org,~*!*@*.ro
MODE hanglyb +iwx
NICK harbaughz
USER havoc "" "xdrone.sytes.net" :Who's Peer & why did he reset my connection?
MODE #drone
NICK :disneyv
MODE harbaughz +i
USER bowker "" "xdrone.sytes.net" :Press any key to continue or any other key to quit...
NICK :hanglyb
MODE carnern +i
MODE carnern +x
MODE carnern +iwx
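The lines above are the client side of an IRC session to xdrone.sytes.net (a dynamic-DNS name) on TCP 7537. The bot cycles through several nicks, sends USER lines whose real-name field is filler text, issues MODE #drone for its channel, sets +i (invisible) and +x (host hiding) on itself, and loads a SILENCE list that blocks everyone (+*!*@*) with ~-prefixed exceptions for *undernet.org and *.ro hosts; on ircu-based networks the ~ marks an exception, so only those hosts can still message the client. The parser below is added here and is not part of the sandbox report. It reproduces the report's command lines inline, follows the RFC 2812 message grammar (optional ':' source prefix, space-separated parameters, a ':'-prefixed trailing parameter that may contain spaces), and turns the session into a structured set of indicators; the dataclass and function names are this example's own.

```python
"""Extract C2 indicators from the client-side IRC commands in the report.

Added example: not part of the sandbox report. CAPTURE reproduces the report's
command lines; the parser follows the RFC 2812 message grammar.
"""
from dataclasses import dataclass, field

C2_HOST, C2_PORT = "xdrone.sytes.net", 7537   # from the report's connection record

CAPTURE = """\
NICK carnern
SILENCE +*!*@*,~*!*@*undernet.org,~*!*@*.ro
MODE hanglyb +iwx
NICK harbaughz
USER havoc "" "xdrone.sytes.net" :Who's Peer & why did he reset my connection?
MODE #drone
NICK :disneyv
MODE harbaughz +i
USER bowker "" "xdrone.sytes.net" :Press any key to continue or any other key to quit...
NICK :hanglyb
MODE carnern +i
MODE carnern +x
MODE carnern +iwx
"""


def parse_irc_line(line):
    """Split one IRC message into (COMMAND, [params]).

    The trailing parameter is everything after the first ' :'; it is appended
    as a single parameter, which is why 'NICK :disneyv' yields ['disneyv'].
    """
    line = line.rstrip("\r\n")
    if line.startswith(":"):                      # server-side source prefix
        _, _, line = line.partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None, []
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return parts[0].upper(), params


@dataclass
class IrcIndicators:
    server: str
    port: int
    nicks: list = field(default_factory=list)
    idents: list = field(default_factory=list)
    realnames: list = field(default_factory=list)
    channels: set = field(default_factory=set)
    silence_masks: list = field(default_factory=list)
    user_modes: set = field(default_factory=set)


def extract_indicators(capture, server=C2_HOST, port=C2_PORT):
    """Walk the capture and collect everything worth turning into a detection."""
    ind = IrcIndicators(server=server, port=port)
    for raw in capture.splitlines():
        cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            ind.nicks.append(params[0])
        elif cmd == "USER" and len(params) >= 4:
            ind.idents.append(params[0])          # USER <ident> <unused> <unused> :<realname>
            ind.realnames.append(params[3])
        elif cmd == "MODE" and params:
            if params[0].startswith(("#", "&")):  # a channel MODE doubles as channel discovery
                ind.channels.add(params[0])
            elif len(params) > 1:
                ind.user_modes.update(c for c in params[1] if c.isalpha())
        elif cmd == "SILENCE" and params:
            ind.silence_masks.extend(params[0].split(","))
    return ind


if __name__ == "__main__":
    ind = extract_indicators(CAPTURE)
    print(f"C2: {ind.server}:{ind.port}  channel(s): {sorted(ind.channels)}")
    print("nicks:", ind.nicks)
    print("idents:", ind.idents)
    print("silence:", ind.silence_masks)
```

The nick list, ident strings and real-name filler are the stable parts of this session and are what a network signature keyed on the USER or NICK line would match; the server name and port come from the connection record, not from the IRC payload.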
Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
  o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
  o HKEY_CURRENT_USER\Software\mIRC
  o HKEY_CURRENT_USER\Software\mIRC\Channels
  o HKEY_CURRENT_USER\Software\mIRC\License
  o HKEY_CURRENT_USER\Software\mIRC\LockOptions
  o HKEY_CURRENT_USER\Software\mIRC\%UserName%
  o HKEY_CURRENT_USER\Software\WinRAR SFX
* Notes:
  o %UserName% is a variable that refers to the current user name.
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
    + (Default) = "ChatFile"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
    + (Default) = "ChatFile"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
    + (Default) = "Connect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
    + (Default) = "svchost"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
    + (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
    + (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
    + (Default) = "Chat File"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
    + (Default) = "Connect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
    + (Default) = "svchost"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
    + (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
    + (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
    + (Default) = "URL:IRC Protocol"
    + EditFlags = 02 00 00 00
    + URL Protocol = ""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""
      so that spoolsv.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
    + DisplayName = "mIRC"
    + UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"
  o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]
    + Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
    + AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
  o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
    + Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
    + AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
  o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
    + VoiceEnabled = 0x00000001
    + UseVoiceTips = 0x00000001
    + KeyHoldHotKey = 0x00000091
    + UseBeepSRPrompt = 0x00000001
    + SRTimerDelay = 0x000007D0
    + SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    + EnableSpeaking = 0x00000001
    + UseBalloon = 0x00000001
    + UseCharacterFont = 0x00000001
    + UseSoundEffects = 0x00000001
    + SpeakingSpeed = 0x00000005
    + PropertySheetX = 0x000F423F
    + PropertySheetY = 0x000F423F
    + PropertySheetWidth = 0x00000000
    + PropertySheetHeight = 0x00000000
    + PropertySheetPage = 0x00000000
    + CommandsWindowLeft = 0xFFFFFFFF
    + CommandsWindowTop = 0xFFFFFFFF
    + CommandsWindowWidth = 0x000000C8
    + CommandsWindowHeight = 0x000000C8
    + CommandsWindowLocationSet = 0x00000000
  o [HKEY_CURRENT_USER\Software\mIRC\%UserName%]
    + (Default) = "WhiteHat"
  o [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
    + (Default) = "0,4096"
  o [HKEY_CURRENT_USER\Software\mIRC\License]
    + (Default) = "5662-546732"
  o [HKEY_CURRENT_USER\Software\WinRAR SFX]
    + C%%Windows%temp%spoolsv% = "%Windir%\temp\spoolsv"
File System Modifications
* The following files were created in the system:
  1. %Windir%\Temp\spoolsv\a.reg
     File Size: 1 260 bytes
     MD5:       0x3A6124B67B70CFC076115D6C03A46555
     SHA-1:     0xFF32EA635FBC7E246EDB1EF30FD2146702137200
     Alias:     Trojan.RunKeys [PCTools]
                IRC.Backdoor.Trojan [Symantec]
                Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
                Reg/IRCSpoolsv [McAfee]
                REG_ZAPCHAST.ED [Trend Micro]
                Backdoor.IRC.Zapchast [Ikarus]
                REG/Zapchast [AhnLab]
  2. %Windir%\Temp\spoolsv\aliases.ini
     File Size: 11 bytes
     MD5:       0x2218DF9CDFFC814A3DC25C81DD8619DD
     SHA-1:     0x0290F796218937F61331ADC8803788E7CD4C2299
     Alias:     (not available)
  3. %Windir%\Temp\spoolsv\com.mrc
     File Size: 10 062 bytes
     MD5:       0x380E6976F68795961D2448027428E628
     SHA-1:     0x5924186E0AB4F812E8E80D9F44551BDAB606EA73
     Alias:     (not available)
  4. %Windir%\Temp\spoolsv\control.ini
     File Size: 130 bytes
     MD5:       0x92C90A7CB157BBD431B43558675AC53D
     SHA-1:     0x86A2FAEA8E55DA2B14F2E888CE6CCB369C204051
     Alias:     (not available)
  5. %Windir%\Temp\spoolsv\fullname.txt
     File Size: 5 992 bytes
     MD5:       0xBF82B284AAFF12BD2BBB78F079C5050D
     SHA-1:     0x5E6A2E3C531CA145D822222CA8F7BD4DF32B252E
     Alias:     (not available)
  6. %Windir%\Temp\spoolsv\ident.txt
     File Size: 9 905 bytes
     MD5:       0x99632954531389DED5D9F10A9E877BCC
     SHA-1:     0xC70086F0F3A458928DAB0AA77069E041A3AA6D5B
     Alias:     (not available)
  7. %Windir%\Temp\spoolsv\mirc.ico
     File Size: 5 694 bytes
     MD5:       0xE09AA9787AF5CC53FD7525DD6693CF10
     SHA-1:     0x57445D0779A66C61741822C0A7988573EFEE13D7
     Alias:     Backdoor.IRC.Agent [Ikarus]
  8. %Windir%\Temp\spoolsv\mirc.ini
     File Size: 3 152 bytes
     MD5:       0xD5A3CD59FE12B18E67B141E34E32ED22
     SHA-1:     0xEA6EA47CCB0C9AF3F3DDC5F02FD8ADAD1E0C838E
     Alias:     Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
                IRC/Flood.gen.b [McAfee]
                Mal/Zapchas-C [Sophos]
                Backdoor.IRC.Zapchast [Ikarus]
  9. %Windir%\Temp\spoolsv\remote.ini
     File Size: 3 502 bytes
     MD5:       0x4261905FD66741F5292580CA3B0D557B
     SHA-1:     0x8501F4A57AF5D1241DFF5573C3983868A2E80D35
     Alias:     (not available)
 10. %Windir%\Temp\spoolsv\run.bat
     File Size: 194 bytes
     MD5:       0x08FD9592BFA14C19955FC760BE2BB98A
     SHA-1:     0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81
     Alias:     Backdoor.IRC.Zapchast [PCTools]
                Backdoor.IRC.Flood [Symantec]
                Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
                Generic component [McAfee]
                Troj/Zapchas-ER [Sophos]
                Backdoor.IRC.Zapchast [Ikarus]
                BAT/Zapchast [AhnLab]
 11. %Windir%\Temp\spoolsv\servers.ini
     File Size: 1 072 bytes
     MD5:       0x225D576330BAD2DC9150C7F485803DD2
     SHA-1:     0x4A4A73494E669793BF7972AD8118C4ED706489AA
     Alias:     (not available)
 12. %Windir%\Temp\spoolsv\spoolsv.exe
     File Size: 1 790 464 bytes
     MD5:       0xB766003F431CAD186BD115F5761592D1
     SHA-1:     0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10
     Alias:     Backdoor.IRCBot [PCTools]
                not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
                IRC/Client [McAfee]
                not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
                Win-Trojan/MircPack.1790464 [AhnLab]
 13. %Windir%\Temp\spoolsv\users.ini
     File Size: 538 bytes
     MD5:       0xFAC31E696EA2CE14120E32098C823EF3
     SHA-1:     0x0CBA2E51E1C8DBDB36CF97C7C0F8F3A9F837A2A3
     Alias:     (not available)
 14. %Windir%\Temp\spoolsv\xmas.jpg
     File Size: 124 304 bytes
     MD5:       0xAE2A93C7E766B4D6A49C4427F110CC32
     SHA-1:     0x47E9AEE2BE2295A103B6AC443DC39C02AB30F752
     Alias:     (not available)
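The AV aliases separate the parts: spoolsv.exe is detected as the stock mIRC 6.03 client (not-a-virus:Client-IRC.Win32.mIRC.603, Win-Trojan/MircPack), while the Zapchast and Flood names sit on the configuration and scripts (mirc.ini, run.bat) and on a.reg, whose detection names (Trojan.RunKeys, Reg/IRCSpoolsv) indicate it carries the Run-key persistence. The file names fullname.txt and ident.txt suggest word lists for the rotating nicks and idents seen in the IRC session, though the report does not show their contents. Because the executable is a legitimate client, its hash is as much a mIRC indicator as a bot indicator, and a rebuilt pack with an edited script changes every other hash; a structural check for mIRC configuration and scripts sitting next to an executable catches both cases. The scanner below is added here and is not part of the sandbox report: REPORT_IOCS copies the hashes listed above, and build_fixture() writes a constructed directory (file names from the report, invented contents) plus one extra constructed sample whose digests are added to a copy of the IOC set, so the example runs offline and exercises both the hash and the structural path. The function names are this example's own.

```python
"""Scan a directory tree against the report's file indicators.

Added example: not part of the sandbox report. REPORT_IOCS copies the hashes
listed in the report; build_fixture() creates a constructed layout so the
example runs offline.
"""
import hashlib
import os
import tempfile

# file name -> (MD5, SHA-1), copied from the report and lower-cased.
REPORT_IOCS = {
    "a.reg":        ("3a6124b67b70cfc076115d6c03a46555", "ff32ea635fbc7e246edb1ef30fd2146702137200"),
    "aliases.ini":  ("2218df9cdffc814a3dc25c81dd8619dd", "0290f796218937f61331adc8803788e7cd4c2299"),
    "com.mrc":      ("380e6976f68795961d2448027428e628", "5924186e0ab4f812e8e80d9f44551bdab606ea73"),
    "control.ini":  ("92c90a7cb157bbd431b43558675ac53d", "86a2faea8e55da2b14f2e888ce6ccb369c204051"),
    "fullname.txt": ("bf82b284aaff12bd2bbb78f079c5050d", "5e6a2e3c531ca145d822222ca8f7bd4df32b252e"),
    "ident.txt":    ("99632954531389ded5d9f10a9e877bcc", "c70086f0f3a458928dab0aa77069e041a3aa6d5b"),
    "mirc.ico":     ("e09aa9787af5cc53fd7525dd6693cf10", "57445d0779a66c61741822c0a7988573efee13d7"),
    "mirc.ini":     ("d5a3cd59fe12b18e67b141e34e32ed22", "ea6ea47ccb0c9af3f3ddc5f02fd8adad1e0c838e"),
    "remote.ini":   ("4261905fd66741f5292580ca3b0d557b", "8501f4a57af5d1241dff5573c3983868a2e80d35"),
    "run.bat":      ("08fd9592bfa14c19955fc760be2bb98a", "2cdc2fa19727df675eee0f8951b0333dbc6f4b81"),
    "servers.ini":  ("225d576330bad2dc9150c7f485803dd2", "4a4a73494e669793bf7972ad8118c4ed706489aa"),
    "spoolsv.exe":  ("b766003f431cad186bd115f5761592d1", "33cdfe6f7fa6b321f9a51cc051c32ba924164b10"),
    "users.ini":    ("fac31e696ea2ce14120e32098c823ef3", "0cba2e51e1c8dbdb36cf97c7c0f8f3a9f837a2a3"),
    "xmas.jpg":     ("ae2a93c7e766b4d6a49c4427f110cc32", "47e9aee2be2295a103b6ac443dc39c02ab30f752"),
}


def hash_file(path, chunk=1 << 16):
    """MD5 and SHA-1 of a file in one pass, streamed so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def build_lookup(iocs):
    """Index by both digests so either algorithm alone is enough for a hit."""
    return {h.lower(): name for name, pair in iocs.items() for h in pair}


def looks_like_mirc_pack(filenames):
    """Structural check for a repackaged mIRC: client config (mirc.ini, remote.ini),
    at least one .mrc script and an executable in the same directory."""
    lower = {n.lower() for n in filenames}
    return ({"mirc.ini", "remote.ini"} <= lower
            and any(n.endswith(".mrc") for n in lower)
            and any(n.endswith(".exe") for n in lower))


def scan_dir(root, iocs=REPORT_IOCS):
    """Walk root; return hash matches and directories that look like mIRC packs."""
    lookup = build_lookup(iocs)
    result = {"hash_hits": [], "mirc_pack_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        if looks_like_mirc_pack(files):
            result["mirc_pack_dirs"].append(dirpath)
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                md5, sha1 = hash_file(full)
            except OSError:                # unreadable or vanished file: skip, keep scanning
                continue
            hit = lookup.get(md5) or lookup.get(sha1)
            if hit:
                result["hash_hits"].append((full, hit))
    return result


def build_fixture():
    """Constructed layout mirroring %Windir%\\Temp\\spoolsv\\ with invented contents,
    plus one 'sample.bin' whose digests are added to a copy of the IOC set so the
    hash path is exercised. Returns a dict with root, pack, sample and iocs."""
    root = tempfile.mkdtemp(prefix="zapchast_demo_")
    pack = os.path.join(root, "Temp", "spoolsv")
    os.makedirs(pack)
    for name in ("mirc.ini", "remote.ini", "com.mrc", "spoolsv.exe", "run.bat"):
        with open(os.path.join(pack, name), "wb") as fh:
            fh.write(b"constructed placeholder for " + name.encode())
    payload = b"constructed sample payload"
    sample = os.path.join(pack, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(payload)
    iocs = dict(REPORT_IOCS)
    iocs["sample.bin"] = (hashlib.md5(payload).hexdigest(), hashlib.sha1(payload).hexdigest())
    return {"root": root, "pack": pack, "sample": sample, "iocs": iocs}


if __name__ == "__main__":
    fx = build_fixture()
    print(scan_dir(fx["root"], fx["iocs"]))
```

Against the constructed fixture the structural check fires on the spoolsv directory while none of the placeholder files match a report hash, which is exactly the situation a rebuilt pack produces in the field; only the extra sample, whose digests were added to the IOC set, produces a hash hit.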