Remote Host Port Number
82.146.52.236 6667
MODE [solo][USA|XP|LAN|71546] -ix
JOIN #nes# usb
PONG FBI.GoV
* The following port was open in the system:
Port Protocol Process
1050 TCP winsvc32.exe (%Windir%\winsvc32.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ winsvc32 = "winsvc32.exe"
so that winsvc32.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
winsvc32.exe %Windir%\winsvc32.exe 360 448 bytes
File System Modifications
* The following file was created in the system:
# 1
Filename(s): [file and pathname of the sample #1]
             %Windir%\winsvc32.exe
File Size:   147 456 bytes
File Hash:   MD5: 0x06EAEBA7E1D343F14EB528A60BC8AECB
             SHA-1: 0xC7FFF55B39E48CA040C008B9EE78811E36689A15
Alias:       Trojan Horse [Symantec]
             Worm.Win32.Carrier.hq [Kaspersky Lab]
             Mal/Generic-A [Sophos]
             VirTool:Win32/VBInject.gen!CE [Microsoft]
             Win32/Carrier.worm.147456.C [AhnLab]