cracker019.dyndns.tv:6667
NICK {USA-XP-3917184}
USER {USA-XP-3917184} * 0 :COMPUTERNAME
MODE {USA-XP-3917184} +iR
JOIN #torrent
PRIVMSG #torrent :.4.New Infection!
MODE #torrent +iMm
NICK {USA-XP-5140760}
USER {USA-XP-5140760} * 0 :COMPUTERNAME
MODE {USA-XP-5140760} +iR
NICK {USA-XP-4060724}
USER {USA-XP-4060724} * 0 :COMPUTERNAME
MODE {USA-XP-4060724} +iR
Registry Modifications
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + MSN Messanger = “%Windir%\System.exe”
  so that System.exe runs every time Windows starts.
Memory Modifications
* There were new processes created in the system:
| Process Name | Process Filename | Main Module Size |
|---|---|---|
| System.exe | %Windir%\System.exe | 110 592 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 110 592 bytes |
File System Modifications
* The following files were created in the system:
| # | Filename(s) | File Size | File Hash |
|---|---|---|---|
| 1 | %Windir%\System.exe; [file and pathname of the sample #1] | 110 592 bytes | MD5: 0x860DCA18056454880346205BA8D7707F; SHA-1: 0x5F477AABD3630A28C0C98AB5E87C1D27CE788D8D |
| 2 | %System%DROPPEDFILEOKshoTz.tmp | 13 bytes | MD5: 0x1B763C43A8B6602DF8155DC46019946A; SHA-1: 0x59DAEAE1B8A49343AC24F6BE41EDDE26A1E518DE |