Resolved: [pop.saherhop.com] to [216.240.158.98]
Remote Host        Port Number
216.240.158.98     51115
The session is plain IRC, but on 51115 rather than any of the usual IRC ports (6660-6669, 6697, 7000); port-based filtering would not catch it. Client side of the exchange:
NICK XP3d2Q55a3E7
NICK XP5n9Z41e1Q5
USER ZoooP "" "pop.saherhop.com" :14Don`t 14Abuse 14Power
JOIN #USE#
MODE #USE#
NICK XP7w7C12v4T3
PONG :HTTP1.4
Now talking in #USE#
Topic On: [ #USE# ] [ !alls 98.126.49.203 1995 1995 9999 -s ]
Topic By: [ Admin ]
The three "14" prefixes in the real-name field are mIRC colour code 14 (grey) whose control byte was lost in extraction; the real name is Don`t Abuse Power. The three nicks share one generator pattern (XP followed by ten mixed digits and letters), and the PING token answered here is "HTTP1.4", not a server name. The topic set by Admin is the usual command channel for an IRC bot: !alls with an IPv4 address and numeric arguments. This report does not decode what !alls does.
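As an added example (not part of the sandbox report), a Python parser for the client side of the session above that pulls out the indicators a responder would want and flags the traits that mark this as a bot rather than a person running mIRC: an IRC handshake on a port outside the usual IRC set, nicks that all match one generator pattern, and a command carried in the channel topic. The capture is reconstructed inline from the lines above; the \x03 control byte assumed before each "14" colour code and the list of usual IRC ports are my assumptions, and the nick regex is derived from the three nicks seen here.

```python
import re
from typing import Optional

# Constructed sample: the client->server side of the session captured in the report.
# Assumption: each "14" in the USER real-name field was preceded by the mIRC colour
# control byte \x03 that the report extraction dropped.
CAPTURE_HOST = "216.240.158.98"
CAPTURE_PORT = 51115
CAPTURE = (
    "NICK XP3d2Q55a3E7\r\n"
    "NICK XP5n9Z41e1Q5\r\n"
    "USER ZoooP \"\" \"pop.saherhop.com\" :\x0314Don`t \x0314Abuse \x0314Power\r\n"
    "JOIN #USE#\r\n"
    "MODE #USE#\r\n"
    "NICK XP7w7C12v4T3\r\n"
    "PONG :HTTP1.4\r\n"
)
TOPIC = "!alls 98.126.49.203 1995 1995 9999 -s"

# Assumption: ports on which an IRC handshake is unremarkable by itself.
USUAL_IRC_PORTS = {194, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# mIRC formatting bytes: \x03 colour (optional fg[,bg]), bold, reset, reverse, italic, underline.
IRC_FORMAT_RE = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")

# Derived from the three nicks in the capture: "XP" + two runs of digit/lower/digit/upper/digit.
GENERATED_NICK_RE = re.compile(r"^XP(?:\d[a-z]\d[A-Z]\d){2}$")


def strip_irc_formatting(text: str) -> str:
    return IRC_FORMAT_RE.sub("", text)


def parse_session(capture: str) -> dict:
    """Collect NICK/USER/JOIN/PONG parameters from the client->server stream."""
    session = {"nicks": [], "user": None, "channels": [], "pong_tokens": []}
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb == "NICK":
            session["nicks"].append(rest.strip().lstrip(":"))
        elif verb == "USER":
            # USER <username> <mode/hostname> <unused/servername> :<realname>
            params, _, realname = rest.partition(" :")
            fields = params.split()
            session["user"] = {
                "username": fields[0] if fields else "",
                "realname": strip_irc_formatting(realname).strip(),
            }
        elif verb == "JOIN":
            # JOIN may carry "#a,#b [key,key]"; keep only the channel list
            first = (rest.split() or [""])[0]
            session["channels"].extend(c for c in first.split(",") if c)
        elif verb == "PONG":
            session["pong_tokens"].append(rest.strip().lstrip(":"))
    return session


def parse_topic_command(topic: str, prefix: str = "!") -> Optional[dict]:
    """Split a bot command carried in the channel topic into verb and arguments."""
    topic = strip_irc_formatting(topic).strip()
    if not topic.startswith(prefix):
        return None
    parts = topic[len(prefix):].split()
    if not parts:
        return None
    return {"command": parts[0], "args": parts[1:]}


def assess(host: str, port: int, session: dict, topic: str) -> list:
    """Return the observations that make this session look like a bot, not a user."""
    findings = []
    if port not in USUAL_IRC_PORTS:
        findings.append(f"IRC handshake with {host}:{port}, outside the usual IRC ports")
    generated = [n for n in session["nicks"] if GENERATED_NICK_RE.match(n)]
    if generated:
        findings.append("nicks follow one generator pattern: " + ", ".join(generated))
    cmd = parse_topic_command(topic)
    if cmd:
        findings.append(f"channel topic carries command {cmd['command']} with args {cmd['args']}")
    return findings


if __name__ == "__main__":
    for line in assess(CAPTURE_HOST, CAPTURE_PORT, parse_session(CAPTURE), TOPIC):
        print(line)
```

The port check is deliberately a weak signal on its own; the nick pattern and the topic command are what separate this stream from a legitimate client, so a detection built on this capture should key on the handshake content, not the port.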
Registry Modifications
* The following Registry Keys were created:
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
    o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
    o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
    o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
    o HKEY_CURRENT_USER\Software\mIRC
    o HKEY_CURRENT_USER\Software\mIRC\DateUsed
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
        + (Default) = "ChatFile"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
        + (Default) = "ChatFile"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
        + (Default) = "Connect"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
        + (Default) = "%1"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
        + (Default) = "m1RC"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
        + (Default) = "%1"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
        + (Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
        + (Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
        + (Default) = "Chat File"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
        + (Default) = "Connect"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
        + (Default) = "%1"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
        + (Default) = "m1RC"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
        + (Default) = "%1"
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
        + (Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
        + (Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
        + (Default) = "URL:IRC Protocol"
        + EditFlags = 02 00 00 00
        + URL Protocol = ""
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + msngers = "%Temp%\iyexit1.tmp\spoolvsc.exe"
          so that spoolvsc.exe runs every time Windows starts
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
        + DisplayName = "mIRC"
        + UninstallString = ""%Temp%\iyexit1.tmp\spoolvsc.exe" -uninstall"
    o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
        + VoiceEnabled = 0x00000001
        + UseVoiceTips = 0x00000001
        + KeyHoldHotKey = 0x00000091
        + UseBeepSRPrompt = 0x00000001
        + SRTimerDelay = 0x000007D0
        + SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        + EnableSpeaking = 0x00000001
        + UseBalloon = 0x00000001
        + UseCharacterFont = 0x00000001
        + UseSoundEffects = 0x00000001
        + SpeakingSpeed = 0x00000005
        + PropertySheetX = 0x000F423F
        + PropertySheetY = 0x000F423F
        + PropertySheetWidth = 0x00000000
        + PropertySheetHeight = 0x00000000
        + PropertySheetPage = 0x00000000
        + CommandsWindowLeft = 0xFFFFFFFF
        + CommandsWindowTop = 0xFFFFFFFF
        + CommandsWindowWidth = 0x000000C8
        + CommandsWindowHeight = 0x000000C8
        + CommandsWindowLocationSet = 0x00000000
    o [HKEY_CURRENT_USER\Software\mIRC\DateUsed]
        + (Default) = "1278965422"
The ChatFile and irc classes with DDE topic "Connect", the Uninstall\mIRC entry with its -uninstall switch, and HKCU\Software\mIRC are mIRC's own installation footprint, here pointing at spoolvsc.exe under %Temp% instead of mirc.exe; the DDE application name is "m1RC" (digit one) rather than "mIRC". The Run value is the persistence mechanism, and the irc: URL protocol and .chat/.cha file handlers give a second launch path whenever such a link or file is opened.
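An added example, not from the report, of turning the listing above into checks: a Python parser for this report's "[key]" / "name = data" layout that flags autorun values, the irc: URL-protocol handler, the ChatFile file-class handler and the uninstall entry whenever the executable they launch lives under %Temp% or AppData, and decodes mIRC's DateUsed value as a Unix timestamp to date the run. The listing is reconstructed inline from the values above; reading DateUsed as a Unix timestamp and the choice of suspicious directories are my assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the report's own layout, copied from the values listed above.
REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
(Default) = "ChatFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
(Default) = "Chat File"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
(Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
(Default) = "URL:IRC Protocol"
EditFlags = 02 00 00 00
URL Protocol = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
(Default) = ""%Temp%\iyexit1.tmp\spoolvsc.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msngers = "%Temp%\iyexit1.tmp\spoolvsc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
DisplayName = "mIRC"
UninstallString = ""%Temp%\iyexit1.tmp\spoolvsc.exe" -uninstall"
[HKEY_CURRENT_USER\Software\mIRC\DateUsed]
(Default) = "1278965422"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r"^(.+?) = (.*)$")
HANDLER_RE = re.compile(r"^(HKEY_[A-Z_]+\\SOFTWARE\\Classes\\)([^\\]+)\\Shell\\open\\command$", re.IGNORECASE)
# Assumption: directories from which a registered handler or autorun should not normally run.
SUSPECT_DIR_RE = re.compile(r"^%temp%|^%tmp%|\\temp\\|\\appdata\\", re.IGNORECASE)


def parse_registry_listing(text: str) -> dict:
    """Map each [key] to its {value name: raw data} pairs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def executable_of(command: str) -> str:
    """Path of the program a command-line data value would launch.

    The report wraps data in quotes and quoted paths carry their own, so strip the
    leading quotes and stop at the next quote or space (an unquoted path containing
    spaces would be cut short: the classic unquoted-path ambiguity).
    """
    s = command.strip().lstrip('"')
    for i, ch in enumerate(s):
        if ch == '"' or ch.isspace():
            return s[:i]
    return s


def scan(keys: dict) -> list:
    """Flag launch points whose target lives in a scratch directory."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if "\\currentversion\\run" in low:            # Run, RunOnce, RunServices
            for name, data in values.items():
                exe = executable_of(data)
                if SUSPECT_DIR_RE.search(exe):
                    findings.append(("autorun", key + "\\" + name, exe))
        elif "\\currentversion\\uninstall\\" in low:
            exe = executable_of(values.get("UninstallString", ""))
            if SUSPECT_DIR_RE.search(exe):
                findings.append(("uninstall", key, exe))
        m = HANDLER_RE.match(key)
        if m:
            exe = executable_of(values.get("(Default)", ""))
            # A class key carrying a "URL Protocol" value is a scheme handler, else a file type.
            cls = keys.get(m.group(1) + m.group(2), {})
            kind = "url_protocol" if "URL Protocol" in cls else "file_class"
            if SUSPECT_DIR_RE.search(exe):
                findings.append((kind, key, exe))
    return findings


def decode_mirc_date_used(keys: dict) -> Optional[str]:
    """mIRC's DateUsed, read as a Unix timestamp (assumption), dates the last run."""
    for key, values in keys.items():
        if key.lower().endswith("\\software\\mirc\\dateused"):
            ts = int(values.get("(Default)", "0").strip('"') or 0)
            return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return None


if __name__ == "__main__":
    parsed = parse_registry_listing(REPORT)
    for kind, where, exe in scan(parsed):
        print(f"{kind:12} {where} -> {exe}")
    print("mIRC last used:", decode_mirc_date_used(parsed))
```

On this listing all four launch points resolve to the same %Temp%\iyexit1.tmp\spoolvsc.exe, and DateUsed decodes to 2010-07-12 20:10:22 UTC, the evening before the comment at the bottom of this page, which is a quick cross-check that the value really is a timestamp of the sandbox run rather than carried over from the sample's author.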
Memory Modifications
* There was a new process created in the system:
    Process Name                   Process Filename                        Main Module Size
    [filename of the sample #1]    [file and pathname of the sample #1]    319 488 bytes
Only 319 488 bytes of the 1 636 846-byte file are mapped as the main module; the rest of the file is appended data rather than part of the PE image.
File System Modifications
* The following files were created in the system:
    #   Filename(s)                            File Size
    1   %Temp%\iyexit1.tmp\aliases.ini         483 bytes
          MD5:   0xFBB49EA65C70DD67E5305D64EE8F721A
          SHA-1: 0x29681EDA07F862828973C2B9F57D04F36A1A85D8
    2   %Temp%\iyexit1.tmp\Beclickz.dll        41 584 bytes
          MD5:   0xD89E457B4678B6C85E1E5E4A6429048E
          SHA-1: 0x1A7AA8805EF9C4A77316DC8C83B24B98817FDB3A
    3   %Temp%\iyexit1.tmp\imds.hlp            57 283 bytes
          MD5:   0x99D0868BFF0944A1E4605555B187F641
          SHA-1: 0x145EFACE70D885DFF469131AAE31C27415449038
    4   %Temp%\iyexit1.tmp\ionfgs.hlp          29 853 bytes
          MD5:   0xE6E0FEBFD80522C70985B9382F6587DF
          SHA-1: 0xE8231D0107ABB5AFEAE08C49264A75600CBD5383
    5   %Temp%\iyexit1.tmp\irsss.hlp           29 948 bytes
          MD5:   0x8D498837CB36CF5F3C31660D20E49C80
          SHA-1: 0x66597EC2F737893030A0DDA089210BE40DD7C6EF
    6   %Temp%\iyexit1.tmp\mirc.ini            12 147 bytes
          MD5:   0x9C8A620245552E2F1141B187C2ECAC63
          SHA-1: 0x6E951FC590C35358DC713B2E9C7B7295C02AC9B6
    7   %Temp%\iyexit1.tmp\Refix.ocx           35 336 bytes
          MD5:   0x24D1025BCCF115A021BD9BBF71AF7C09
          SHA-1: 0xA9583F0E003F1E70F5C28CE06CED61BB98EDB73C
    8   %Temp%\iyexit1.tmp\spoolvsc.exe        1 656 832 bytes
          MD5:   0xCF2E393B5FDF63649FA79C553DF2254B
          SHA-1: 0xC403BD38D38B3A6F924AA83FDB7CA99E96E9CF9C
    9   %Temp%\iyexit1.tmp\sysingb32.dll       51 bytes
          MD5:   0x42094EF1A3AA1162D987DAE2DE4ACE86
          SHA-1: 0x1FE3C706F6849AD373F9BFE7B670BFF5BA2EDE42
    10  %Temp%\iyexit1.tmp\System              614 000 bytes
          MD5:   0xFE7D5C85CA3868DF6FF4C9163B3B3E46
          SHA-1: 0x349F4654A7B15229DF462B10097646BBC6921EFE
    11  %Temp%\iyexit1.tmp\systemac.dll        29 184 bytes
          MD5:   0x2DB18780EA5D7FF0D3CF0DE32B844164
          SHA-1: 0xD277DB0B9F9374CE19EABA4AA82D4AE8DC5D3B11
    12  %Temp%\iyexit1.tmp\winregs.ocx         41 670 bytes
          MD5:   0xA5B45DAEB37DCDD749BFD683AB7037BB
          SHA-1: 0x173157FEBD92727EF35FBC764CDC393575FBBAD7
    13  [file and pathname of the sample #1]   1 636 846 bytes
          MD5:   0x495EBD83AF74DAFA3A8A2EF9CE44AA8A
          SHA-1: 0x25004C3917C1887C40A9DB3A2B4DC8F519B32782
The dropped set (mirc.ini, aliases.ini, three .hlp files, two .ocx and three .dll files, a 614 000-byte file named System with no extension, and the 1 656 832-byte spoolvsc.exe that the Uninstall\mIRC entry runs with -uninstall) is consistent with a renamed mIRC client bundled with its own scripts; this report does not show the script contents. The dropped files total about 2.5 MB from a 1 636 846-byte sample, so the payload is stored compressed. The 51-byte sysingb32.dll is too small to be a real DLL and is worth a look on its own.
Anonymous - July 13, 2010 at 3:42 am
Riches serve a wise man but command a fool.