Remote Host Port Number
85.234.148.2 17402
Other details
* The following port was open in the system:
Port Protocol Process
1050 TCP lsass.exe (%Windir%\system\lsass.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ lsass = “lsass.exe”
so that lsass.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
lsass.exe %Windir%\system\lsass.exe 380 928 bytes
File System Modifications
* The following file was created in the system:
# 1
Filename(s): %Windir%\system\lsass.exe
             [file and pathname of the sample #1]
File Size: 80 384 bytes
File Hash: MD5: 0xAEAF1BC7032A1D16D04012123474405A
           SHA-1: 0x3A5FF63343F0F291550A581896A816EB7690EC11
Alias: Net-Worm.Spybot [PCTools]
       W32.Spybot.Worm [Symantec]
       Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
       New Malware.b [McAfee]
       Mal/Generic-A, Mal/SillyFDC-A, Mal/IRCBot-B [Sophos]
       Backdoor:Win32/Gaertob.A [Microsoft]
       Win32/IRCBot.worm.Gen [AhnLab]