Remote Host        Port Number
204.13.248.70      80
72.233.89.200      80
92.38.226.3        80
92.241.164.101     47221
* The connection to 92.241.164.101 on port 47221 carried IRC traffic. The bot sends a cleartext server password, registers with a nick built from a country code (USA), the Windows version (XP), the computer name (COMP) and a number, joins the channel #crimbot, and reports the size and path of a file it has downloaded:
PASS weed
PRIVMSG {iNF-00-USA-XP-CX @ :186.5kb downloaded to C:\DOCUME~1\UserName\LOCALS~1\Temp\tempfile05130.exe (93.3kbps)
QUIT Updating…
NICK {iNF-00-USA-XP-COMP-6189}
USER blaze * 0 :COMP
JOIN #crimbot
NICK {00-USA-XP-COMP-8330}
* The data identified by the following URLs was then requested from the remote web server:
o http://checkip.dyndns.org/
o http://www.whatismyip.com/
o http://lmageshaack.com/esp2.exe
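The network section above can be turned into detection logic. The following is an added example and not part of the original report: it replays the captured client-to-server IRC lines and the three requested URLs (both constructed here from the report) through a small triage routine. The server and port are the report's; the "bot-style nick" regex, the list of ports a normal IRC client uses, and the IP-echo host list are my own heuristics.

```python
"""Triage of the captured IRC C2 session and request URLs.

Added example for this report (not part of the original analysis). The
session lines, server and port are taken from the transcript above; the
nick regex, the port allow-list and the flag wording are my own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed from the report: C2 endpoint and the commands the bot sent.
C2_SERVER, C2_PORT = "92.241.164.101", 47221
CAPTURE = [
    "PASS weed",
    r"PRIVMSG {iNF-00-USA-XP-CX @ :186.5kb downloaded to C:\DOCUME~1\UserName\LOCALS~1\Temp\tempfile05130.exe (93.3kbps)",
    "QUIT Updating...",
    "NICK {iNF-00-USA-XP-COMP-6189}",
    "USER blaze * 0 :COMP",
    "JOIN #crimbot",
    "NICK {00-USA-XP-COMP-8330}",
]
REPORT_URLS = [
    "http://checkip.dyndns.org/",
    "http://www.whatismyip.com/",
    "http://lmageshaack.com/esp2.exe",
]

# Ports a legitimate IRC client normally uses (assumption: anything else is suspicious).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Nick shape seen in the capture: {prefix-NN-COUNTRY-OS-HOSTNAME-NNNN}
BOT_NICK = re.compile(r"^\{(?:[A-Za-z]+-)?\d{2}-[A-Z]{2,3}-[A-Z0-9]+-[A-Za-z0-9]+-\d{3,5}\}$")
PRIVMSG = re.compile(r"^PRIVMSG\s+(.*?)\s*:(.*)$")
DOWNLOAD_REPORT = re.compile(r"(\d+(?:\.\d+)?)\s*kb downloaded to (\S+)", re.IGNORECASE)
# Public "what is my IP" services the bot used to learn its external address.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "www.whatismyip.com"}


@dataclass
class Session:
    server: str
    port: int
    password: Optional[str] = None
    nicks: List[str] = field(default_factory=list)
    channels: List[str] = field(default_factory=list)
    downloads: List[Tuple[str, int]] = field(default_factory=list)  # (path, size in bytes)
    flags: List[str] = field(default_factory=list)


def parse_session(server: str, port: int, lines: List[str]) -> Session:
    """Walk the client-to-server IRC lines and collect indicators."""
    s = Session(server, port)
    if port not in STANDARD_IRC_PORTS:
        s.flags.append(f"irc on non-standard port {port}")
    for line in lines:
        cmd, _, rest = line.partition(" ")
        if cmd == "PASS":
            s.password = rest  # cleartext server password
        elif cmd == "NICK":
            s.nicks.append(rest)
            if BOT_NICK.match(rest):
                s.flags.append(f"bot-style nick {rest}")
        elif cmd == "JOIN" and rest:
            s.channels.append(rest.split()[0])
        elif cmd == "PRIVMSG":
            m = PRIVMSG.match(line)
            d = DOWNLOAD_REPORT.search(m.group(2)) if m else None
            if d:
                # The bot reports KiB: 186.5 * 1024 = 190 976 bytes, the dropper's on-disk size.
                size = round(float(d.group(1)) * 1024)
                s.downloads.append((d.group(2), size))
                s.flags.append(f"download report {d.group(2)} ({size} bytes)")
    if s.password and s.channels:
        s.flags.append("cleartext PASS followed by channel join")
    return s


def classify_urls(urls: List[str]) -> dict:
    """Split the requested URLs into external-IP lookups and executable fetches."""
    out = {"ip_echo": [], "executable": []}
    for u in urls:
        parts = urlsplit(u)
        if parts.hostname in IP_ECHO_HOSTS:
            out["ip_echo"].append(u)
        if parts.path.lower().endswith(".exe"):
            out["executable"].append(u)
    return out


if __name__ == "__main__":
    session = parse_session(C2_SERVER, C2_PORT, CAPTURE)
    for flag in session.flags:
        print("FLAG:", flag)
    print(classify_urls(REPORT_URLS))
```

The size conversion is the useful cross-check: the 186.5 KB the bot reports over IRC equals 190 976 bytes, which is exactly the on-disk size of tempfile05130.exe in the file table, so the PRIVMSG can be tied to the dropped file rather than treated as noise.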
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows USB Automatic Service = "winusbservice.exe"
so that winusbservice.exe runs every time Windows starts. The value holds a bare file name with no path; it still resolves because the sample drops winusbservice.exe into %Windir%, which is on the default executable search path.
Memory Modifications
* There was a new process created in the system:
Process Name         Process Filename            Main Module Size
tempfile05130.exe    %Temp%\tempfile05130.exe    475 136 bytes
The main module size is that of the image mapped in memory, which is why it is larger than the 190 976-byte file on disk.
* The following system service was modified:
Service Name   Display Name      New Status   Service Filename
wscsvc         Security Center   "Stopped"    %System%\svchost.exe -k netsvcs
Stopping wscsvc silences the Security Center warnings that would otherwise report disabled antivirus or firewall protection.
File System Modifications
* The following files were created in the system:
1. %Temp%\tempfile05130.exe
   File Size: 190 976 bytes
   MD5: 0x33755ED0CD608827B3D888BA5F76ED6B
   SHA-1: 0x425FF431D5FC3F4B97159B4059A871AF3D4C669A
   Alias: Malware.Pilleuz [PCTools], W32.Pilleuz!gen2 [Symantec], Virus.Win32.DelfInject [Ikarus]
2. %Windir%\nigzss.txt
   File Size: 0 bytes
   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)
3. [file and pathname of the sample #1]; %Windir%\winusbservice.exe
   File Size: 62 976 bytes
   MD5: 0x864916B25A13A3A6B1241E90235928FF
   SHA-1: 0x80C417A7DCAA941B17C866798F8F92E8E056DCD3
   Alias: Malware.Pilleuz [PCTools], W32.Pilleuz!gen2 [Symantec], Virus.Win32.DelfInject [Ikarus]
4. c:\x.bat
   File Size: 53 bytes
   MD5: 0xE6ED7BE2B9572503F07663CA6E53759F
   SHA-1: 0x7AD80BD38F2A27E06C111B551C76AD0A0585C194
   Alias: Trojan.IRCBot [PCTools], W32.IRCBot [Symantec], Trojan.BAT.KillAV.nd [Kaspersky Lab], Trojan.BAT.KillAV [Ikarus]
* Notes on the table: the 186.5 KB reported over IRC is 190 976 bytes, the size of file 1. File 3 is the sample itself, copied to %Windir%\winusbservice.exe and started from the Run value listed above. The MD5 and SHA-1 of file 2 are the hashes of zero-byte input, so they match every empty file on a host and cannot be used as indicators on their own; only the file name and location identify it.
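The registry, service and file observations above are the indicators a responder would sweep a host for. The following is an added example, not part of the original report: it matches a constructed host snapshot against the report's file hashes, the Run value name and the wscsvc state, and it deliberately handles the empty-file case, since the hashes of nigzss.txt would otherwise flag every zero-byte file. The snapshot contents and the matching rules are my own; the indicator values are the report's.

```python
"""Sweep a host snapshot for this report's file, Run-key and service indicators.

Added example (not part of the original report). The hashes, the Run value
name and the wscsvc state come from the report; the snapshot is constructed
and the matching rules are my own.
"""
import hashlib
from typing import Dict, List

# File hashes from the report's table (0x prefix dropped, lower-cased).
IOC_MD5 = {
    "33755ed0cd608827b3d888ba5f76ed6b": "tempfile05130.exe (Malware.Pilleuz)",
    "864916b25a13a3a6b1241e90235928ff": "winusbservice.exe (Malware.Pilleuz)",
    "e6ed7be2b9572503f07663ca6e53759f": "x.bat (Trojan.BAT.KillAV)",
    "d41d8cd98f00b204e9800998ecf8427e": "nigzss.txt (0 bytes)",
}
# Persistence: value name under HKLM\...\CurrentVersion\Run and the binary it starts.
IOC_RUN_VALUES = {"Windows USB Automatic Service": "winusbservice.exe"}
# Service the sample stops.
IOC_SERVICES = {"wscsvc": "Stopped"}
# Zero-byte files that are only recognisable by name.
IOC_EMPTY_FILENAMES = {"nigzss.txt"}

# Hashes of zero bytes: every empty file on the host produces them, so they are not usable IOCs.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()


def usable_hash_iocs(iocs: Dict[str, str]) -> Dict[str, str]:
    """Drop indicators that are hashes of empty input."""
    return {h: n for h, n in iocs.items() if h not in (EMPTY_MD5, EMPTY_SHA1)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sweep(files: Dict[str, bytes], run_values: Dict[str, str], services: Dict[str, str],
          hash_iocs: Dict[str, str] = IOC_MD5) -> List[str]:
    """Return one line per indicator hit; inputs describe a host snapshot."""
    hits = []
    iocs = usable_hash_iocs(hash_iocs)
    for path, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in iocs:
            hits.append(f"file {path}: md5 {digest} = {iocs[digest]}")
        elif not data and basename(path) in IOC_EMPTY_FILENAMES:
            hits.append(f"file {path}: zero-byte marker file (name match only)")
    for name, command in run_values.items():
        target = IOC_RUN_VALUES.get(name)
        if target and basename(command.strip('"')) == target:
            hits.append(f"run value {name!r} starts {command}")
    for svc, state in services.items():
        if IOC_SERVICES.get(svc) == state:
            hits.append(f"service {svc} is {state}")
    return hits


# Constructed snapshot: an unrelated empty log (must NOT match the empty-file hash),
# the marker file, the Run value and the stopped Security Center service.
SNAPSHOT_FILES = {
    r"C:\WINDOWS\Temp\setup.log": b"",
    r"C:\WINDOWS\nigzss.txt": b"",
    r"C:\WINDOWS\system32\notepad.exe": b"MZ sample bytes, not a real binary",
}
SNAPSHOT_RUN = {"Windows USB Automatic Service": "winusbservice.exe"}
SNAPSHOT_SERVICES = {"wscsvc": "Stopped", "Dnscache": "Running"}

if __name__ == "__main__":
    for hit in sweep(SNAPSHOT_FILES, SNAPSHOT_RUN, SNAPSHOT_SERVICES):
        print("HIT:", hit)
```

Run values are matched on the file name of the command because the report records only "winusbservice.exe" with no path; on a live host you would also confirm that the file the value points to actually sits in %Windir% and carries the listed hash.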