Remote Host Port Number
173.204.76.243 81
NICK n[USA|XP]0956120
USER s "" "lol" :s
JOIN #newbin#
PONG 422
JOIN #USA (null)
Now talking in #newbin#
Topic On: [ #newbin# ] [ .st ]
Topic By: [ vps ]
* The following port was open in the system:
Port Protocol Process
1057 TCP msng.exe (%AppData%\msng.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows System Guard = "%AppData%\msng.exe"
so that msng.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
msng.exe %AppData%\msng.exe 65 536 bytes
File System Modifications
* The following files were created in the system:
#  Filename(s)                           File Size      File Hash
1  %AppData%\msng.exe
   %Temp%\cvn.exe                        212 992 bytes  MD5: 0xA771B44A5D52B56F546100EF81A7674D
                                                        SHA-1: 0x91D2CB25886BC20F1A63A4FA83D38726C5E4B3F4
2  [file and pathname of the sample #1]  167 936 bytes  MD5: 0xFFE841946589894711A789804B27B547
                                                        SHA-1: 0x8CC40422B6F703193C0DC73A83D08D2CEC96E2F0
3  %System%\winsvncs.txt                 0 bytes        MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                        SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709