Remote Host Port Number
217.23.13.116 6667
NICK n{USA|XP}338226
USER 4981 "" "TsGh" :4981
PONG :7656ABE7
JOIN #Ganja Monster
PRIVMSG #Ganja :New Infection!
PONG :comegetrocked.servequake.com
Now talking in #Ganja
Topic On: [ #Ganja ] [ Fud Ganja —>http://dl.dropbox.com/u/12206167/Ganja.exe dont bother trying to jack our bots bc we have auth-host and a way to weed you out. you wll be punished ]
Topic By: [ theboss ]
Modes On: [ #Ganja ] [ +pn ]
Quits: {GBR|WN7}116439 [1164@26875CB7.64C30E5D.80B4DFF9.IP] (Ping timeout)
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive Q:
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive P:
Joins: {DEU|WN7}603990 [6039@BE242610.1A18CDC5.9D6673AA.IP
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive Q:
* The following port was open in the system:
Port Protocol Process
1052 TCP taskeng.exe (%AppData%\taskeng.exe)
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update System = "%AppData%\taskeng.exe"
so that taskeng.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update System = "%AppData%\taskeng.exe"
so that taskeng.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
taskeng.exe %AppData%\taskeng.exe 57 344 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %AppData%\taskeng.exe
[file and pathname of the sample #1] 1 224 704 bytes MD5: 0xE33CB0D0F66EA5527412E88B380D1EBE
SHA-1: 0x7F841B6F9D555B48055768F24C19EB84267DE57A
2 %Temp%\google2cache2.tmp
%Temp%\google_cache2.tmp 9 bytes MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
Another DNS name from that lamer:
mmonster.no-ip.org DNS_TYPE_A 217.23.13.116
The noob uses no-ip for bots.