Remote Host Port Number
212.175.158.43 6667
PASS lnx
Resolved : [1.sarkievi.net] To [212.175.158.43]
MODE [00|USA|227819] -ix
JOIN #Cd# NhG
NICK [00|USA|227819]
USER XP-7853 * 0 :COMPUTERNAME
Now talking in #Cd#
Topic On: [ #Cd# ] [ .msn.msg Foto 😀 http://to.ly/7Lkw?= ]
Topic By: [ Samuray ]
Other details
* The following port was open in the system:
Port Protocol Process
1052 TCP winupd.exe (%Windir%\winupd.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update Manager = "winupd.exe"
so that winupd.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
winupd.exe %Windir%\winupd.exe 323 584 bytes
[filename of the sample #1] [file and pathname of the sample #1] 323 584 bytes
File System Modifications
* The following file was created in the system:
#: 1
Filename(s): [file and pathname of the sample #1]
             %Windir%\winupd.exe
File Size: 51 242 bytes
File Hash: MD5: 0x404AC8CFD40657B6BCF117B1484E1450
           SHA-1: 0x2E53E01FCF69E43CDD0D65D4F6F4841760BAA08E
Alias: Trojan.Dropper [PCTools]
       Trojan.Dropper [Symantec]
       Trojan.Win32.Buzus.fuqj [Kaspersky Lab]
       Trojan:Win32/Meredrop [Microsoft]
       Trojan.Win32.Buzus [Ikarus]