* The following Host Name was requested from a host database:
o irc.malvager.com
* The data identified by the following URLs was then requested from the remote web server:
o http://slayeraeb.angelfire.com/Server.ini
o http://slayeraeb.angelfire.com/AJ.sla
* An application-defined hook procedure was installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
o %System%\MSVBVM60.DLL
NICK SBot79
USER SBot79 SBot79 SBot79 SBot79 SBot79 SBot79
PRIVMSG : Successfully Download!!
JOIN #slayeraeb 199413
PRIVMSG #slayeraeb Online Now!
PRIVMSG slayeraeb Online Now!
C
PRIVMSG slayeraeb : Online!
PRIVMSG #slayeraeb Online!
NICK SBot85
USER SBot85 SBot85 SBot85 SBot85 SBot85 SBot85
NICK SBot16
USER SBot16 SBot16 SBot16 SBot16 SBot16 SBot16
Now talking in #slayeraeb
Topic On: [ #slayeraeb ] [ My new video: http://www.youtube.com/watch?v=a5TF-W4X1Uw ]
Topic By: [ Slayeraeb ]
Modes On: [ #slayeraeb ] [ +pntrk 199413 ]
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ svchosts = "%Temp%\svchosts.exe"
so that svchosts.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name | Process Filename | Main Module Size
svchosts.exe | %Temp%\svchosts.exe | 688 128 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 688 128 bytes
* The following system services were modified:
Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
# | Filename(s) | File Size | File Hash
1 | %Temp%\svchosts.exe, [file and pathname of the sample #1] | 675 840 bytes | MD5: 0x3B55A94ECFEAAFC47B90B5E27CCE75FA, SHA-1: 0x852CA8C08A3277E04B327C5C19D758417DA7A004