.: Shocker Bot 0.1 :.
By ?
Additional Details
- Coded by: ?
- Version: Shocker Bot 0.1
- Family: Shocker Bot 0.1
- Category: Remote Access
MegaSecurity Notes
dropped file: c:\WINDOWS\system32\recycler.exe
size: 45,056 bytes
port: 65535 TCP

added to registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  "ProductRun"
  data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  "C:\WINDOWS\System32\recycler.exe"
  data: C:\WINDOWS\System32\recycler.exe:*:enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
  "6667:TCP"
  data: 6667:TCP:*:Enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "C:\WINDOWS\System32\recycler.exe"
  data: C:\WINDOWS\System32\recycler.exe:*:enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  "6667:TCP"
  data: 6667:TCP:*:Enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  "C:\WINDOWS\System32\recycler.exe"
  data: C:\WINDOWS\System32\recycler.exe:*:enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
  "6667:TCP"
  data: 6667:TCP:*:Enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "C:\WINDOWS\System32\recycler.exe"
  data: C:\WINDOWS\System32\recycler.exe:*:enabled:@xpsp2res.dll,-22005

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  "6667:TCP"
  data: 6667:TCP:*:Enabled:@xpsp2res.dll,-22005

attempts to connect to an IRC Server

tested on Windows XP
April 01, 2006