IRC Trojan Horse | Joachim De Zutter
Filesize: 6850034
MD5: 95e060b23a8d5f764744424906d9737c
SHA1: 49c20d884738ffaf885a219c0bfb03e570d9ed82
SHA256: 29484cd99635c6a6e4aa4b42da549dcd4396965be1e79a6b1b55999f50ef015a
The sample creates the files 1.reg, 2.reg, 3.reg and "More Free Picture And Videos here!!.bat" under %USERPROFILE%\Local Settings\Temp\, and drops ifgxtray.exe and igxftray.exe under %WINDIR%\System32\.
Filename: 1.reg
Filesize: 412
MD5: 077679f5128027442bd2e80230566594
SHA1: cfb313d6a5df29f0b1a06625b3af6b12fa9cabd7
SHA256: b6224e64b7ff2fb6cc482d7bec2b8747829684a87c9e7866d3822116c85a3287
Contains:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ifgxtray"="C:\\WINDOWS\\system32\\ifgxtray.exe"
"igxftray"="C:\\WINDOWS\\system32\\igxftray.exe"

Filename: 2.reg
Filesize: 880
MD5: 24084d04a423e762c3d6427f78daef8b
SHA1: ca5d955ab3bd64dc21ecb21c2e604f6c401f25c7
SHA256: 3a2bb718b5bc1d6de55a90992253f061b5c5801ff0f6d9d572c1016ee6ffd5d0
Contains:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wbem\\Repository\\FS\\svchost.exe"="C:\\WINDOWS\\system32\\wbem\\Repository\\FS\\svchost.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\wbem\\mof\\good\\svchost.exe"="C:\\WINDOWS\\system32\\wbem\\mof\\good\\svchost.exe:*:Enabled:mIRC"

Filename: 3.reg
Filesize: 824
MD5: 15946dd6422157209f67c9a771f1c345
SHA1: 5abf45b25301def6d6eb1f56e66208a2d7c6ce41
SHA256: 01f15134569e40120d77ccbbd8ab987829de24a5a5d113e445478cf294a27f26
Contains:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv]
"Application"="wmplayer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList]
"a"="wmplayer.exe"
"MRUList"="a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids]
@=hex(0):

Filename: More Free Picture And Videos here!!.bat
Filesize: 63
MD5: 58c6fe3a95a55626223f2390ecca31b1
SHA1: e606b4b91f6ffae0f37bf229636d399884ce97a2
SHA256: e32dd66066433b47321fc681d405e2453bbbb59451c15a5b0a78d5432510e128
Contains:
regedit /s 1.reg
regedit /s 2.reg
regedit /s 3.reg

Filename: ifgxtray.exe
Filesize: 1619649
MD5: a12e78fc40c75bb2dc8ad81bafca6e1e
SHA1: d5e41abf090b44a3e57182950f27c8ff92283a11
SHA256: 139cef3125aa2691e510a0f5dbaa34851c23b273e4d009a86038c1df6687c398
Contains the strings "nBinder 5.5.1 Limited" and "This file was created using nBinder 5.5.1. For more info visit www.nkprods.com"

Filename: igxftray.exe
Filesize: 1609492
MD5: 2b15f03ca33d2b096b19e1ddf30f2ebb
SHA1: 2fdf2df5c0607dad998e4c643cb41ab3ee1d748f
SHA256: c7724e1b7f88f111d06c82d8bb842ece420cb2746c49db3e6d7f2489e41a6f80
Contains the strings "nBinder 5.5.1 Limited" and "This file was created using nBinder 5.5.1. For more info visit www.nkprods.com"
Files were created under %WINDIR%\System32\wbem\mof\good\ (the same directory that 2.reg adds to the firewall's authorized-applications list):
Filename: bios.sys 
Filesize: 423849
MD5: 0d5d92d7dda30d020d844cf07fa61060
SHA1: e8e1b159f497e54b1e7141ed9c44d496d1b8ad54
SHA256: fef79afa75af89be929768d2dee27dc408abacbb593bb28f8639d89ce6214213

Filename: dmu.dll
Filesize: 30720
MD5: 62456b6cbdb93b6f1458469d90c57e2c
SHA1: aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9
SHA256: 445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

Filename: dmu.dll.nb5.tmp
Filesize: 13019
MD5: bd3c131e4a5728f7e104416966f76a29
SHA1: 784e7373dee3ae5f644c5d2b382217c0c8d36ad4
SHA256: 29951e0e766c7421efa32f5697c5c7d00485f45ec4a8ab3aa73f3aa6dadf4103

Filename: mirc.ini
Filesize: 4036
MD5: afec545b7fe79aab658361749466ec08
SHA1: e7382303d48bee66afb49cb1b3338770cc251834
SHA256: db339b4e68737e7779c0a0eab9cd4c85aee0c0149f5e10e18587b54224ee14d5

Filename: perform.ini
Filesize: 5457
MD5: 34de6c3062e63d66f16ae9361bcbeee1
SHA1: a8fd2290dcb9e311857a8d4eca48d5bb59eefe8f
SHA256: 0f059a77ed8636f956cf01d9bc9aa0ff8a382c62e0b1444f51b949d8f7f22cb2

Filename: remote.ini
Filesize: 551
MD5: fa02b5e129ca8e5d3de61bf619a01383
SHA1: 97062e766688b54c2578e3fa1e596a508d5fd4cb
SHA256: bff83c960dbba33bf7bf8224d47ee549e3a7bb9d67490c2b33b11427560157a4

Filename: sebe.jpg
Filesize: 143
MD5: 08527d231de09eb16157b1fb20524b5e
SHA1: 04dab7609477b5466ba38784ce2adcbe1fcbaba7
SHA256: 73ceca4fcc29870a87f5f5300721c270d7aff22965c42e7f0594c050fc513e46

Filename: servers.ini
Filesize: 32442
MD5: 74a734014ac0ef8f1d05ad648baa0d41
SHA1: c86ceb665a3e8b74d49a038446967f7575fbd055
SHA256: a0a813314b13e0ea2f470cf848ae895c14ea87d6367def17bc778a6342ea5d77

Filename: svchost.exe
Filesize: 1814528
MD5: 52bea33f212bb42b26787d2f461cc4b1
SHA1: feeea5d4e9acd4a1b57975bc8c632743ac97eca7
SHA256: e53f8e6f4ff052e8408b2b2aed6f4006bfdaf9504024201f0c5001ce6478ff8b

Filename: svchost.exe.nb5.tmp
Filesize: 880070
MD5: 215a7322da65645ed4a80943480dcae1
SHA1: c6d286232b7699510fc3aaed00a4147beebb8f2b
SHA256: 3da355c4b3df2570a84d0770a88f8e9d134f10ec11604fd89ae46e62c6703ea4

Filename: usrlugon.bat
Filesize: 720931
MD5: 94c8b4ee758bf37c05a16936226e912f
SHA1: 7d7af8033a412fa2ded94aeca723a00b97eed33c
SHA256: 72e3849e83c09ada601d3697cfdc2fe80032d7143614d7f39ccf6925d4ab5769

Filename: win.flv
Filesize: 54
MD5: d1c143747c10359071275ec96ffaadae
SHA1: e6c39b72a1c5de0f1621c1b9a22f2e1ddb2afccd
SHA256: 38fa389e38b4ff08681752d660c98e310bfd4a137ea5a13eab7390a9f9733acf

Filename: winlogon.bmp
Filesize: 114045
MD5: 213e297da93efccc27b0a3aca9d1c329
SHA1: a311b29f443af24fc773039536ea593afb800b4b
SHA256: 7aa701d8669643eacad16725d6c5d627082a09e0562949873aa2bde20959c9c0

Filename: winupdate.dll
Filesize: 9325
MD5: 7f01cda3a413a06339a9b44adb4bf21b
SHA1: 521d939a3ac02f0906e49d52292b06c4ea00747c
SHA256: a69bc04af588fa1086bf82283118a69a99e3942312269628cd829c94f05c9654
Files were created under %WINDIR%\System32\wbem\mof\good\addon\:
Filename: config.ico
Filesize: 82726
MD5: 0f68dbfc8584f3c52e8c2e8e93591ff5
SHA1: f6c393c7bbee2df827ab2c82abca5d871b024261
SHA256: 47010a946ccf2dce089cfbde55ea8e614db389d158e741f383361b17c70f4551

Filename: spam.txt
Filesize: 0

Filename: Thumbs.db
Filesize: 3072
MD5: 8a52ab7ec1e842a90f38d8b901a9f6a7
SHA1: 2a8b3eca32759366aa64586b0c69ad3fcc0e64fd
SHA256: 4186e6ee7a928689612ef0c60eedbd0cfa1e472cf6645ecd024ca1a4912e00a7
Files were created under %WINDIR%\System32\wbem\Repository\FS\ (the second directory that 2.reg adds to the firewall's authorized-applications list):
Filename: bios.sys
Filesize: 423849
MD5: 0d5d92d7dda30d020d844cf07fa61060
SHA1: e8e1b159f497e54b1e7141ed9c44d496d1b8ad54
SHA256: fef79afa75af89be929768d2dee27dc408abacbb593bb28f8639d89ce6214213


Filename: dmu.dll
Filesize: 30720
MD5: 62456b6cbdb93b6f1458469d90c57e2c
SHA1: aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9
SHA256: 445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

Filename: dmu.dll.nb5.tmp
Filesize: 13019
MD5: bd3c131e4a5728f7e104416966f76a29
SHA1: 784e7373dee3ae5f644c5d2b382217c0c8d36ad4
SHA256: 29951e0e766c7421efa32f5697c5c7d00485f45ec4a8ab3aa73f3aa6dadf4103

Filename: mirc.ini
Filesize: 4172
MD5: 249445a895ccc65d5946e1fcbadf9c02
SHA1: 09779a82483355ee1578a9cd8809ebaed97bafc3
SHA256: d5380e9ff479188f71dac0a64a03ba7cc93b07ef404bcbfada4b9735bcd5c6cf

Filename: perform.ini
Filesize: 61
MD5: 285b95fd41038ebdab225186203106f2
SHA1: b826bd22549c994ad70f9b1db14fdd3d050c0c19
SHA256: bf356d19ee4b1b8c39c102d36716cadda787d1c35158f12e037a597759c3d8fc

Filename: remote.ini
Filesize: 738
MD5: 342d8fe632c5092d416e415cfecfb4d8
SHA1: c9c8b1588f502d6dee71f8dd0352a4b7ab7d326d
SHA256: 6786c8013f3ed0739fcd9fd98fa71733be465838a03a49df8eb2cc458ee4cf19

Filename: servers.ini
Filesize: 32442
MD5: 74a734014ac0ef8f1d05ad648baa0d41
SHA1: c86ceb665a3e8b74d49a038446967f7575fbd055
SHA256: a0a813314b13e0ea2f470cf848ae895c14ea87d6367def17bc778a6342ea5d77

Filename: svchost.exe
Filesize: 1814528
MD5: 52bea33f212bb42b26787d2f461cc4b1
SHA1: feeea5d4e9acd4a1b57975bc8c632743ac97eca7
SHA256: e53f8e6f4ff052e8408b2b2aed6f4006bfdaf9504024201f0c5001ce6478ff8b

Filename: svchost.exe.nb5.tmp
Filesize: 880070
MD5: 215a7322da65645ed4a80943480dcae1
SHA1: c6d286232b7699510fc3aaed00a4147beebb8f2b
SHA256: 3da355c4b3df2570a84d0770a88f8e9d134f10ec11604fd89ae46e62c6703ea4

Filename: usrlugon.bat
Filesize: 720931
MD5: 94c8b4ee758bf37c05a16936226e912f
SHA1: 7d7af8033a412fa2ded94aeca723a00b97eed33c
SHA256: 72e3849e83c09ada601d3697cfdc2fe80032d7143614d7f39ccf6925d4ab5769

Filename: win.flv
Filesize: 724
MD5: d05bff4031f40e5efe8a9736f710384e
SHA1: 1f266ebfa1ce2b7bba127b7b6459cd8aefdab54b
SHA256: 5f47215d145c99846bbf4ba610c9ac6da5384b556c0558a8db8a9a0f1c1e42b6

Filename: winlogon.bmp
Filesize: 114045
MD5: 213e297da93efccc27b0a3aca9d1c329
SHA1: a311b29f443af24fc773039536ea593afb800b4b
SHA256: 7aa701d8669643eacad16725d6c5d627082a09e0562949873aa2bde20959c9c0

Filename: winupdate.dll
Filesize: 12228
MD5: 17ba8d7fa14a79a77bb1aaeebce06952
SHA1: cb7eca7908de2b70c2bb998f4048b524b2f35584
SHA256: 7eb8b07ab0f57086a675ecbb8350c98255c44128134eaf061ad2f54f32d47d00
This is a mIRC script; it contains the strings "Version 8 Bot By RemyKacax" and "www.nagamerah.com".
Files were created under %WINDIR%\System32\wbem\Repository\FS\addon\:
Filename: borak.txt 
Filesize: 112868
MD5: 19b0523acdf651e15621e15e4bf00dd2
SHA1: 66a6895c296c74ddffd2ac0cbd1d0ae20e40252b
SHA256: 3b9a763b506ea79590c715f6069a79060e88e6509e644fd44949448997be1cfc

Filename: config.ico
Filesize: 82726
MD5: 0f68dbfc8584f3c52e8c2e8e93591ff5
SHA1: f6c393c7bbee2df827ab2c82abca5d871b024261
SHA256: 47010a946ccf2dce089cfbde55ea8e614db389d158e741f383361b17c70f4551

Filename: jawab.txt
Filesize: 122
MD5: 53facf1471eaa16d13c8c4d936ab42ef
SHA1: 2457fd50741bc1c5b9b46f8822e5eecaf85ff70b
SHA256: acf80a5f13bff482359ffac4c93b783a31406bd528790f80cfee75adf6b67309

Filename: query.txt
Filesize: 12929
MD5: b8f4bd8adaea90cc86a54f3c19c34c9f
SHA1: 47d6c9906d0546f30a41f675587d7982f254c28c
SHA256: f3454d57a5376eafb041b73d94417009abf194f25be0b4c45260bc1c3dca5d62

Filename: restart.txt
Filesize: 110
MD5: 03bba33dff58e90363e03a3f92976fa0
SHA1: 0aff87ca878ccf6753b5f39e81aeb18a350d0181
SHA256: d2c609dd43829fe6587ee1186edd870679e9bf817aa07983bc7ff588fa9f309d

Filename: salam.txt
Filesize: 519
MD5: 5623f388e146c62a9f79c415d4cb7b71
SHA1: 9a50e634955a3a26b8af5d6112ad4b02d6544b70
SHA256: c9d00af3be555799fb8c853f87706ef7d097d922c8e060453adc9c60b02a9d2e

Filename: slaps.txt
Filesize: 124
MD5: 83f2aaf00870d2deedf475349e33adda
SHA1: 08d36daaa3ba29439d7f9212c80f16e3fe1f271c
SHA256: e862d98a70b6e8b357abbd1d74c4b9abd587ee2a1f40a45ee9226a6b62139e5a
At runtime the sample connects to IRC servers and joins IRC channels.

https://www.virustotal.com/file/29484cd99635c6a6e4aa4b42da549dcd4396965be1e79a6b1b55999f50ef015a/analysis/