Remote Host Port Number
208.87.242.18 80
* The data identified by the following URLs was then requested from the remote web server:
o http://208.87.242.18/~remngor/files/depp/web/config.bin
o http://208.87.242.18/~remngor/files/depp/web/gate.php
o http://208.87.242.18/~remngor/files/depp/web/system/ip.php
Registry Modifications
* The following Registry Keys were created:
o HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7}
o HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
o HKEY_USERS.DEFAULTSoftwareMicrosoftProtected Storage System Provider
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetwork]
+ UID = “%ComputerName%_00019AE3”
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7}]
+ {23343233-2C66-3B33-3432-343233343233} = F7 0A F5 0E
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
+ {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
+ {33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
+ ProxyEnable = 0x00000000
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
+ Userinit =
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
+ Cookies =
+ History =
Memory Modifications
* There were new memory pages created in the address space of the system process(es):
Process Name Process Filename Allocated Size
services.exe %System%services.exe 90,112 bytes
lsass.exe %System%lsass.exe 90,112 bytes
svchost.exe %System%svchost.exe 90,112 bytes
svchost.exe %System%svchost.exe 90,112 bytes
svchost.exe %System%svchost.exe 90,112 bytes
svchost.exe %System%svchost.exe 90,112 bytes
svchost.exe %System%svchost.exe 90,112 bytes
alg.exe %System%alg.exe 90,112 bytes
* Attention! The following hidden files were created in the system:
# Filename(s) File Size File Hash
1 %System%lowseclocal.ds 34,938 bytes MD5: 0xA8CE18D12973797B1CB00467CEC20677
SHA-1: 0x7665A61B39C9CEC977F35A4D34FC0207304B34D2
2 %System%lowsecuser.ds 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
* Attention! The following hidden directory was created:
o %System%lowsec
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 62,976 bytes MD5: 0xC4FC1466582AF24AF353E6FF77065087
SHA-1: 0xF34F08EC08D88FB54532E100BF6422CCDA5058CA HeurEngine.MaliciousPacker [PCTools]
Packed.Generic.232 [Symantec]
Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab]
BackDoor-DKI.gen.bf [McAfee]
Mal/Zbot-O [Sophos]
PWS:Win32/Zbot.PG [Microsoft]
Trojan-Spy.Win32.Zbot [Ikarus]
Win-Trojan/Zbot.64000 [AhnLab]
2 %System%sdra64.exe 290,304 bytes MD5: 0x8C22AFA09056B7DC28D60383E629A0E9
SHA-1: 0xE6BF2D16E8EE863D4408FF16A0BF1E7E4AFCD4DA HeurEngine.MaliciousPacker [PCTools]
Packed.Generic.232 [Symantec]
Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab]
BackDoor-DKI.gen.bf [McAfee]
Mal/Zbot-O [Sophos]
PWS:Win32/Zbot.PG [Microsoft]
Trojan-Spy.Win32.Zbot [Ikarus]
Win-Trojan/Zbot.64000 [AhnLab]
infos about hosting:
http://www.dnsstuff.com/tools/whois/?ip=208.87.242.18
http://whois.domaintools.com/208.87.242.18
here is the shell used to control the server from the lamer who use zeus
http://208.87.242.18/~remngor/files/images.php
hosting is allready informed about this but u can do what u want from the shell lol