Remote Host        Port Number
174.37.200.82      80
216.178.39.11      80
63.135.80.224      80
64.211.162.72      80
66.220.158.11      80
64.202.107.109     1234

Data captured on the connection to 64.202.107.109:1234 (IRC session):
PASS xxx
NICK NEW-[USA|00|P|50950]
USER XP-8403 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|50950] -ix
JOIN #!nn! test
PONG 22 MOTD
Other details
The following ports were open in the system:
Port   Protocol   Process
1061   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1062   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1063   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
Registry Modifications
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = “%Windir%\nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = “%Windir%\nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = “%Windir%\nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
Memory Modifications
There was a new process created in the system:
Process Name   Process Filename       Main Module Size
nvsvc32.exe    %Windir%\nvsvc32.exe   3,137,536 bytes

The following system service was modified:
Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   “Stopped”    %System%\svchost.exe -k netsvcs
File System Modifications
The following files were created in the system:

1. %Windir%\mdlu.dl
   File size: 2,256 bytes
   MD5: 0xF169E48E30B55CDEDD7EFCCA28768EDC
   SHA-1: 0x855D6CA7C1B75DC24833D370FF24A9E695A444BA
   Alias: (not available)

2. %Windir%\nvsvc32.exe [file and pathname of the sample #1]
   File size: 62,464 bytes
   MD5: 0x79B01A638EE22248D047EE56ABD4FF69
   SHA-1: 0xC0516DD578C44890B76D1837C2B3E0EBA089CEBF
   Aliases:
   Malware.Yimfoca [PCTools]
   W32.Yimfoca [Symantec]
   Trojan.Win32.Jorik.SdBot.fm [Kaspersky Lab]
   Generic.dx!uij [McAfee]
   Mal/PushBot-A [Sophos]
   Backdoor:Win32/IRCbot [Microsoft]
   Trojan.Win32.Jorik [Ikarus]
   Win-Trojan/Seint.62464.M [AhnLab]

3. %Windir%\wintybrd.png
   File size: 3,416 bytes
   MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
   SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
   Alias: (not available)

4. %Windir%\wintybrdf.jpg
   File size: 3,968 bytes
   MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
   SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787
   Alias: (not available)
Information about the hosting provider of 64.202.107.109:
http://whois.domaintools.com/64.202.107.109