Remote Host Port Number
210.166.223.51 3305
PASS secretpass
NICK P|b2s5zj80q
USER cb5tcxdf2 * 0 :USA|XP|373
USERHOST P|b2s5zj80q
MODE P|b2s5zj80q
JOIN #mm RSA
Other details
* The following ports were open in the system:
Port Protocol Process
69 UDP unwise_.exe (%FontsDir%\unwise_.exe)
1052 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1138 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1139 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1140 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1141 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1142 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1143 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1144 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1145 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1146 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1147 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1148 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1149 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1150 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1151 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1152 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1155 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1156 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1157 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1158 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1159 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1169 TCP unwise_.exe (%FontsDir%\unwise_.exe)
1170 TCP unwise_.exe (%FontsDir%\unwise_.exe)
19791 TCP unwise_.exe (%FontsDir%\unwise_.exe)
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Enum
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
+ intime = "08/21/2010, 10:01 PM"
+ reup = 0x0000006E
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
+ DoNotAllowXPSP2 = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
+ DontReportInfectionInformation = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
+ SFCDisable = 0xFFFFFF9D
+ SFCScan = 0x00000000
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
+ WaitToKillServiceT = "5000"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "Windows Hosts Controller"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000]
+ Service = "Windows Hosts Controller"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Windows Hosts Controller"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Enum]
+ 0 = "Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = ""%FontsDir%\unwise_.exe""
+ DisplayName = "Windows Hosts Controller"
+ ObjectName = "LocalSystem"
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = "Enables Windows Host Controller Service. This service cannot be stopped."
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
+ WaitToKillServiceT = "5000"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "Windows Hosts Controller"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000]
+ Service = "Windows Hosts Controller"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Windows Hosts Controller"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Enum]
+ 0 = "Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = ""%FontsDir%\unwise_.exe""
+ DisplayName = "Windows Hosts Controller"
+ ObjectName = "LocalSystem"
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = "Enables Windows Host Controller Service. This service cannot be stopped."
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ MaxConnectionsPer1_0Server = 0x0000FFFE
+ MaxConnectionsPerServer = 0x0000FFFE
+ ProxyEnable = 0x00000000
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+ AntiVirusOverride =
+ FirewallOverride =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
unwise_.exe %FontsDir%\unwise_.exe 5 046 272 bytes
* There was a new service created in the system:
Service Name Display Name Status Service Filename
Windows Hosts Controller Windows Hosts Controller "Running" "%FontsDir%\unwise_.exe"
* The following system services were modified:
Service Name Display Name New Status Service Filename
RemoteRegistry Remote Registry "Stopped" %System%\svchost.exe -k LocalService
wscsvc Security Center "Stopped" %System%\svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash
1 %FontsDir%\unwise_.exe 149 503 bytes MD5: 0x9D6E67975427A2697791C0924FCBFDCF
SHA-1: 0xCC5CE1FE692144A14C5120ABE11B538A8F39EE0F