Remote Host          Port Number
x.msnsolution.org    81
Resolved : [x.msnsolution.org] To [93.174.94.87]
Resolved : [x.msnsolution.org] To [93.174.94.86]
Resolved : [x.msnsolution.org] To [222.73.86.59]
NICK n[USA|XP]6061212
USER s "" "lol" :s
JOIN #zenica#
NICK [USA|XP]9153447
NICK [USA|XP]4828111
* The following ports were open in the system:
Port    Protocol    Process
1034    TCP         msdn.exe (%AppData%\msdn.exe)
1036    TCP         msdn.exe (%AppData%\msdn.exe)
1037    TCP         msdn.exe (%AppData%\msdn.exe)
1038    TCP         msdn.exe (%AppData%\msdn.exe)
* The following Host Name was requested from a host database:
o x.msnsolution.org
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows System Guard = "%AppData%\msdn.exe"
so that msdn.exe runs every time Windows starts
Other details
* To mark the presence in the system, the following Mutex object was created:
o 3d6g7v5x2f4as7
Memory Modifications
* There were new processes created in the system:
Process Name                   Process Filename                        Main Module Size
msdn.exe                       %AppData%\msdn.exe                      65 536 bytes
[filename of the sample #1]    [file and pathname of the sample #1]    65 536 bytes
test.exe                       c:\test.exe                             65 536 bytes
File System Modifications
* The following files were created in the system:
# 1
   Filename(s): %AppData%\msdn.exe
                [file and pathname of the sample #1]
   File Size:   94 720 bytes
   File Hash:   MD5: 0xA25C9BA77D6A1DE04A895BFB340AA3D2
                SHA-1: 0x0A1A57BE783C162EBB26EE22EDF2757A97109DD5
   Alias:       (not available)
# 2
   Filename(s): c:\test.exe
   File Size:   50 177 bytes
   File Hash:   MD5: 0xC2F3C0FE2E29FDD1721E18244056A7E2
                SHA-1: 0x7EECF44C176CE49B5D341EDA94FD07152C0E1F2F
   Alias:       Malware.SillyIM [PCTools]
                W32.SillyIM [Symantec]
                New Malware.b [McAfee]
                Worm:Win32/Pushbot.gen!C [Microsoft]
# 3
   Filename(s): %System%\winsvncs.txt
   File Size:   0 bytes
   File Hash:   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias:       (not available)