74.208.43.209

Remote Host Port Number
74.208.43.209 7000

PONG A89D4707
MODE {XPUSA654841} -ix
JOIN #bots#

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Services = “service2.exe”

so that service2.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Update = “%Temp%service2.exe”

so that service2.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
service2.exe %Temp%service2.exe 344 064 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%service2.exe
[file and pathname of the sample #1] 59 392 bytes MD5: 0x4254186BC78FFC2E33D62C27A737EDE7
SHA-1: 0xBCA067C01B24D7FBC1F78F98B611D3343052A928 Backdoor.IRCBot!sd5 [PCTools]
W32.IRCBot.Gen [Symantec]
Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
W32/Generic.b.worm [McAfee]
Mal/IRCBot-C [Sophos]
Backdoor:Win32/Gaertob.A [Microsoft]
Backdoor.Win32.IRCBot [Ikarus]
Win32/IRCBot.worm.Gen [AhnLab]

Categories: Uncategorized