Submission Summary:

What's been foundSeverity Level
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security RiskDescription
Trojan.RunKeys Trojan.RunKeys installs autorun registry entries for other malware. It is normally bundled with other malware and ensures that they are executed each time Windows starts.
Backdoor.IRCBot Backdoor.IRCBot is a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network exploiting various Windows vulnerabilities.

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 [file and pathname of the sample #1] 1,113,334 bytes MD5: 0xBEBEE170834723E4772D2F79D10B9CF0
SHA-1: 0x66FF2EB3656AFDFFED9C809A0867B5047CE826B8
Trojan.mIRC-Based.AM [PCTools]
not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
2 %Windir%\Temp\spoolsv\a.reg 1,260 bytes MD5: 0x3A6124B67B70CFC076115D6C03A46555
SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200
Trojan.RunKeys [PCTools]
Reg/IRCSpoolsv [McAfee]
REG_ZAPCHAST.ED [Trend Micro]
3 %Windir%\Temp\spoolsv\aliases.ini 11 bytes MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD
SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299
(not available)
4 %Windir%\Temp\spoolsv\com.mrc 10,251 bytes MD5: 0x4D677B26098655231C880D234D8D6719
SHA-1: 0xA4C7432181EFCC82CE71E9668634BDD7EFAB4BFE
(not available)
5 %Windir%\Temp\spoolsv\control.ini 174 bytes MD5: 0xE74FCF9B0E35952818B103251B5A6FD3
SHA-1: 0xB86B6D37819AEC743D514439EAF4E5A2DCFBFE11
(not available)
6 %Windir%\Temp\spoolsv\fullname.txt 329 bytes MD5: 0xE8FA4DC83F3D617C72DA559DFC8A64B3
SHA-1: 0x6F0126F6802C9DA95D762634EA5E878CFB4E04F4
(not available)
7 %Windir%\Temp\spoolsv\ident.txt 55,687 bytes MD5: 0x530AF9AC85E153593939C82F2F655328
SHA-1: 0x7D36A8CB9B35830E754A5A13C2835C7A4BD93B18
(not available)
8 %Windir%\Temp\spoolsv\mirc.ico 5,694 bytes MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10
SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7
(not available)
9 %Windir%\Temp\spoolsv\mirc.ini 3,292 bytes MD5: 0x37499E68C088783DE1C80234FFEB15A1
SHA-1: 0xD006DC379D030218F74DB9DA3D50B2090CC8015B
IRC/Flood.gen.b [McAfee]
10 %Windir%\Temp\spoolsv\remote.ini 5,109 bytes MD5: 0xB08A6006E929ED4A35D31D58E87D7061
SHA-1: 0x2FD4413FCB4AEC4AA1AA1127A643198ADDD9A198
(not available)
11 %Windir%\Temp\spoolsv\run.bat 194 bytes MD5: 0x08FD9592BFA14C19955FC760BE2BB98A
SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81
Trojan.mIRC-Based.AM [PCTools]
Backdoor.IRC.Flood [Symantec]
Generic component [McAfee]
12 %Windir%\Temp\spoolsv\servers.ini 1,030 bytes MD5: 0xCCD9BAF7710F3E889DF4CCF380C2F4E8
SHA-1: 0xF218FF6811BE6D7EF0B33DA7102E9C14BF9F37F0
(not available)
13 %Windir%\Temp\spoolsv\spoolsv.exe 1,790,464 bytes MD5: 0xB766003F431CAD186BD115F5761592D1
SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10
Backdoor.IRCBot [PCTools]
not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
IRC/Client [McAfee]
14 %Windir%\Temp\spoolsv\users.ini 303 bytes MD5: 0x41CF37BC3319F354E7F17B14A3B88C6A
SHA-1: 0xC81278FE3C7C73F5A21786403EE2082C4DCAA2E4
(not available)
15 %Windir%\Temp\spoolsv\xmas.jpg 264,957 bytes MD5: 0x6C43EC85F11F7F75D936B5DC24C22C68
SHA-1: 0x8E0696A3817ADE6DFB8449234051122D777E6878
(not available)

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[filename of the sample #1][file and pathname of the sample #1]225,280 bytes

 

Registry Modifications

 

Other details

Russian Federation

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.