server2.net2streams.com (botnet C2 hosted with Fdcservers.net, Miami, United States)

Remote Host      Port   Notes
112.78.112.208   80
218.85.133.201   80
76.73.99.66      6682   IRC C2; the bot authenticates to the server with PASS laorosr

IRC commands sent by the bot on the 76.73.99.66:6682 connection. The USER field carries a service-pack tag (SP2-866) and the host name, and the nick appears to be built from a tag, country and OS plus a random number ([N00_USA_XP_6447899]), both typical of IRC bot registration strings and useful as network signatures:

MODE #! -ix
MODE #Ma -ix
USER SP2-866 * 0 :COMPUTERNAME
MODE [N00_USA_XP_6447899]@ -ix
MODE #dpi -ix
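A small detector for this registration pattern, written as an added example for this post (it is not part of the sandbox report or the bot). It scores each client-to-server IRC stream on four indicators seen above: a server password, a USER field shaped like SP2-866, a bracketed bot-style nick in a MODE command, and IRC on a port other than 6667/6697. The capture it runs on is constructed: the 76.73.99.66 lines are the report's, the 192.0.2.x sessions are invented benign traffic so the threshold is visible. The realname field is deliberately not used, since the literal COMPUTERNAME may be a sandbox substitution.

```python
"""Score IRC client registrations for the bot handshake pattern in this report."""
import re
from collections import defaultdict

STANDARD_IRC_PORTS = {6667, 6697}
# Nick such as [N00_USA_XP_6447899]: bracketed tag, country, OS and a random number
BOT_NICK_RE = re.compile(r"^\[[A-Za-z0-9]+_[A-Z]{2,3}_[A-Za-z0-9]+_\d+\]")
# USER field such as SP2-866: a service-pack tag plus a number
BOT_USER_RE = re.compile(r"^SP\d-\d+$")

# Constructed capture: (dst_ip, dst_port, client->server line). The 76.73.99.66
# lines are the report's; the 192.0.2.x sessions are invented benign traffic.
CAPTURE = [
    ("76.73.99.66", 6682, "PASS laorosr"),
    ("76.73.99.66", 6682, "MODE #! -ix"),
    ("76.73.99.66", 6682, "USER SP2-866 * 0 :COMPUTERNAME"),
    ("76.73.99.66", 6682, "MODE [N00_USA_XP_6447899] -ix"),
    ("76.73.99.66", 6682, "MODE #dpi -ix"),
    ("192.0.2.10", 6667, "NICK alice"),
    ("192.0.2.10", 6667, "USER alice 0 * :Alice Example"),
    ("192.0.2.10", 6667, "JOIN #python"),
    ("192.0.2.20", 6697, "PASS hunter2"),      # bouncer password: one indicator only
    ("192.0.2.20", 6697, "USER bob 0 * :Bob"),
]


def parse_line(line):
    """Split an IRC client line into (COMMAND, params); a trailing ':' param is kept whole."""
    if " :" in line:
        head, trailing = line.split(" :", 1)
        parts = head.split()
        return (parts[0].upper(), parts[1:] + [trailing]) if parts else ("", [])
    parts = line.split()
    return (parts[0].upper(), parts[1:]) if parts else ("", [])


def score_session(dst_ip, dst_port, lines):
    """Return the sorted set of indicator names one client->server stream triggers."""
    hits = []
    if dst_port not in STANDARD_IRC_PORTS:
        hits.append("irc-on-nonstandard-port")
    for line in lines:
        cmd, params = parse_line(line)
        if cmd == "PASS":
            hits.append("server-password")
        elif cmd == "USER" and params and BOT_USER_RE.match(params[0]):
            hits.append("user-field-servicepack-tag")
        elif cmd == "MODE" and params and BOT_NICK_RE.match(params[0]):
            hits.append("bot-style-nick")
    return sorted(set(hits))


def detect(capture, threshold=2):
    """Group lines by destination and alert on streams with >= threshold indicators."""
    sessions = defaultdict(list)
    for ip, port, line in capture:
        sessions[(ip, port)].append(line)
    alerts = {}
    for (ip, port), lines in sessions.items():
        hits = score_session(ip, port, lines)
        if len(hits) >= threshold:
            alerts[f"{ip}:{port}"] = hits
    return alerts


if __name__ == "__main__":
    for dst, hits in detect(CAPTURE).items():
        print(f"{dst}: {', '.join(hits)}")
```

A single indicator (a PASS to a bouncer, or a private IRC server on an odd port) is common enough that the threshold is set at two; the report's session trips all four.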

Other details

* The following ports were open in the system:

Port  Protocol  Process
1052  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
1054  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2058  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2059  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2060  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2061  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2062  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2063  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2064  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2065  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2066  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2067  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2068  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2069  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2070  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2071  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2072  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2073  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2074  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2075  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2076  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2077  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2078  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2079  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2080  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2081  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2082  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2083  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2084  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2085  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2086  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2087  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2088  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2089  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2090  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2091  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2092  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2093  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2094  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2095  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2096  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2097  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2098  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2099  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2100  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2101  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2102  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2103  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2104  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2105  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2106  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2107  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2108  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2109  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2110  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2111  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2112  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2113  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2114  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2115  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2116  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2117  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2118  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2119  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2120  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2121  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2122  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2123  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2124  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2125  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2126  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2127  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2128  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2129  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2130  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2131  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2132  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2133  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2134  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2135  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2136  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2137  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2138  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2139  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2140  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2141  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2142  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2143  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2144  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2145  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)
2146  TCP       cwdrive32.exe (%Windir%\cwdrive32.exe)

Note: all of these ports lie in the Windows XP ephemeral range (1025-5000), and 2058-2146 is one contiguous block of 89 ports bound by the same process. That pattern is consistent with cwdrive32.exe opening many outbound connections in quick succession (the spreading behaviour behind Kaspersky's Net-Worm classification below) rather than with services listening for inbound connections. Treat the port numbers as volatile; the process name and path are the stable host indicators.

Registry Modifications

* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + Microsoft Driver Setup = "%Windir%\cwdrive32.exe"

    so that cwdrive32.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Driver Setup = "%Windir%\cwdrive32.exe"

    so that cwdrive32.exe runs every time Windows starts

Note: the standard Run key exists on every Windows install, so only its new value is listed; the policies\Explorer\Run key had to be created by the sample. Both entries share the innocuous-looking value name "Microsoft Driver Setup" and point at an executable dropped directly into the Windows directory root. When cleaning up or writing detection, check policies\Explorer\Run alongside the usual Run/RunOnce keys: it is a legitimate autostart location that many ad-hoc checks skip, and removing only the Run value leaves the persistence in place.

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename         Main Module Size
cwdrive32.exe   %Windir%\cwdrive32.exe   339,968 bytes

Note: the main module occupies 339,968 bytes in memory while the file on disk is 61,440 bytes (see the file listing below). An in-memory image several times larger than the file is consistent with a packed executable that unpacks itself at runtime, so a memory dump of the running process is the better input for further static analysis than the on-disk file.

File System Modifications

* The following file was created in the system:

1. %Windir%\cwdrive32.exe
   [file and pathname of the sample #1]
   File size: 61,440 bytes
   MD5:       C9C8E1DCF45C8D1B85B465115EF6E5FB
   SHA-1:     7C49C413893CE76996C1C9ACC19BAF26B9492FCA
   Aliases:
     Trojan.Gen [PCTools]
     Trojan.Gen [Symantec]
     Net-Worm.Win32.Kolab.nih [Kaspersky Lab]
     W32/Rimecud.gen.l [McAfee]
     Trojan:Win32/Malagent [Microsoft]
     Virus.Win32.Injector [Ikarus]
     Win-Trojan/Seint.61440.AD [AhnLab]
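A host-triage script for the registry persistence and the dropped-file indicators above, written as an added example for this post (it is not the sandbox's code and not part of the sample). It reads both HKLM autostart keys named in the report when winreg is available, checks every value against the reported value name, file name and drop location, and hashes %Windir%\cwdrive32.exe against the reported MD5/SHA-1. The "windir-root" heuristic and the constructed SAMPLE_ENTRIES (an invented OneDrive entry beside the report's) are assumptions added so the matching logic can be exercised on any platform.

```python
"""Triage a host for the autostart values and dropped file described in this report."""
import hashlib
import os
import re

try:
    import winreg  # Windows only; elsewhere live registry enumeration is skipped
except ImportError:
    winreg = None

# Indicators taken from the report (hashes compared case-insensitively)
IOC_MD5 = "c9c8e1dcf45c8d1b85b465115ef6e5fb"
IOC_SHA1 = "7c49c413893ce76996c1c9acc19baf26b9492fca"
IOC_VALUE_NAME = "microsoft driver setup"
IOC_FILENAME = "cwdrive32.exe"

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
RUN_KEYS = [RUN_KEY, POLICY_RUN_KEY]

# Constructed entries standing in for a registry read: the first is the
# report's value, the second an invented benign one.
SAMPLE_ENTRIES = [
    (POLICY_RUN_KEY, "Microsoft Driver Setup", r'"%Windir%\cwdrive32.exe"'),
    (RUN_KEY, "OneDrive", r'"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def command_path(command):
    """Extract the executable path from a Run-value command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_run_entry(key_path, value_name, command):
    """Return the indicator names one autostart value triggers (empty list = clean)."""
    parts = re.split(r"[\\/]+", command_path(command))
    basename = parts[-1].lower()
    parent = "\\".join(parts[:-1]).lower()
    reasons = []
    if value_name.lower() == IOC_VALUE_NAME:
        reasons.append("value-name")
    if basename == IOC_FILENAME:
        reasons.append("filename")
    # Heuristic added here (not from the report): payload dropped straight into
    # the Windows directory root rather than System32 or Program Files
    if parent in ("%windir%", "%systemroot%", "c:\\windows"):
        reasons.append("windir-root")
    if key_path.lower().endswith(r"policies\explorer\run"):
        reasons.append("policies-explorer-run")  # autostart key rarely used by normal software
    return reasons


def hash_matches(md5_hex=None, sha1_hex=None):
    """True if either supplied hash equals the report's sample hash."""
    return (md5_hex or "").lower() == IOC_MD5 or (sha1_hex or "").lower() == IOC_SHA1


def file_hashes(path):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def check_file(path):
    """Hash a file and report whether it is the sample; None if the file is absent."""
    if not os.path.isfile(path):
        return None
    md5_hex, sha1_hex = file_hashes(path)
    return {"path": path, "md5": md5_hex, "sha1": sha1_hex, "match": hash_matches(md5_hex, sha1_hex)}


def enumerate_run_values():
    """Return (key_path, value_name, command) for both HKLM autostart keys (Windows only)."""
    found = []
    if winreg is None:
        return found
    for key_path in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue  # policies\Explorer\Run is absent on a clean machine
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                found.append((key_path, name, str(data)))
                index += 1
    return found


def triage(entries=None):
    """Check the given entries (or the live registry) and the reported drop path."""
    if entries is None:
        entries = enumerate_run_values()
    findings = [(k, n, c, r) for k, n, c in entries for r in [check_run_entry(k, n, c)] if r]
    drop_path = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), IOC_FILENAME)
    return {"run_findings": findings, "file": check_file(drop_path)}


if __name__ == "__main__":
    result = triage(SAMPLE_ENTRIES if winreg is None else None)
    for k, n, c, r in result["run_findings"]:
        print(f"HKLM\\{k}  {n} = {c}  -> {', '.join(r)}")
    print("dropped file:", result["file"])
```

Run on Windows it walks the real keys; elsewhere it falls back to the constructed entries. A hit on "value-name" or "filename" is a direct match to this report, while "windir-root" and "policies-explorer-run" are weaker hints worth a second look on any host.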

Hosting information for the C2 address (76.73.99.66):
http://whois.domaintools.com/76.73.99.66
