Remote Host      Port Number
xdcc.h4ck.biz    53381
NICK Uteetor
USER Uteetor Esmyia 127.0.0.1 :Osulus
JOIN #mic#
privmsg #mic# New install..
NICK Alam
USER Alam Erosas 127.0.0.1 :Aserner
NICK Bisolfr
USER Bisolfr Edesim 127.0.0.1 :Frimsed
* The following ports were open in the system:
Port   Protocol   Process
1033   TCP        tcpipx.exe (%Windir%\tcpipx.exe)
1034   TCP        tcpipx.exe (%Windir%\tcpipx.exe)
1035   TCP        tcpipx.exe (%Windir%\tcpipx.exe)
* The following Host Name was requested from a host database:
o xdcc.h4ck.biz
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ tcpipx = “%Windir%\tcpipx.exe”
so that tcpipx.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                   Process Filename                         Main Module Size
tcpipx.exe                     %Windir%\tcpipx.exe                      86 016 bytes
[filename of the sample #1]    [file and pathname of the sample #1]     110 592 bytes
File System Modifications
* The following file was created in the system:
#  Filename(s)                             File Size       File Hash                                           Alias
1  [file and pathname of the sample #1]    110 592 bytes   MD5: 0x13BAAAD96A55556A288FEE5EDAF5455D             Trojan.Win32.Buzus.crwb [Kaspersky Lab]
   %Windir%\tcpipx.exe                                     SHA-1: 0x3DD23DA7C77197764B362E544AD1A9AD480F6809
xdcc.h4ck.biz 98.30.190.142
dell-d3e62f7e26 10.1.2.2
* C&C Server: 98.30.190.142:53381
* Server Password:
* Username: Itnerleth
* Nickname: Itnerleth
* Channel: #mic# (Password: )
* Channeltopic:
Registry Changes by all processes
Create or Open
Changes   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “tcpipx” = C:\WINDOWS\tcpipx.exe
Reads     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
          HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
          HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
          HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
          HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
          HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
          HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
          HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
Enums
File Changes by all processes
New Files       C:\WINDOWS\tcpipx.exe
                \Device\RasAcd
Opened Files    C:\WINDOWS\AppPatch\sysmain.sdb
                C:\WINDOWS\AppPatch\systest.sdb
                \Device\NamedPipe\ShimViewer
                C:\WINDOWS
                C:\WINDOWS\System32\drivers\etc\protocol
                C:\WINDOWS\System32\drivers\etc\services
Deleted Files   C:\WINDOWS\tcpipx.exe
Chronological Order
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\tcpipx.exe
Copy File: c:\update.exe to C:\WINDOWS\tcpipx.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\tcpipx.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\drivers\etc\protocol (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\drivers\etc\services (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)