Remote Host              Port Number
g00000000.inluver.com    47221
Other details
* To mark the presence in the system, the following Mutex object was created:
o fftx81iciiibat
* The following ports were open in the system:
Port   Protocol   Process
1034   TCP        jjdrive32.exe (%Windir%\jjdrive32.exe)
1036   TCP        jjdrive32.exe (%Windir%\jjdrive32.exe)
* The following Host Name was requested from a host database:
o g00000000.inluver.com
Outbound traffic (potentially malicious)
* There was an outbound traffic produced on port 47221:
00000000 | 5041 5353 206C 6574 6D65 696E 0D0A 4E49 | PASS letmein..NI
00000010 | 434B 205B 4E30 305F 5553 415F 5850 5F35 | CK [N00_USA_XP_5
00000020 | 3233 3436 3831 5D18 E740 0D0A 5553 4552 | 234681]..@..USER
00000030 | 2053 5032 2D32 3834 202A 2030 203A 434F | SP2-284 * 0 :CO
00000040 | 4D50 5554 4552 4E41 4D45 0D0A | MPUTERNAME..
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"
so that jjdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"
so that jjdrive32.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                 Process Filename                        Main Module Size
jjdrive32.exe                %Windir%\jjdrive32.exe                  339 968 bytes
[filename of the sample #1]  [file and pathname of the sample #1]    339 968 bytes
Anonymous - May 7, 2010 at 5:38 am
I do like your article!
Anonymous - May 7, 2010 at 5:38 am
It's great!