Spyware.Inject.76454

Aliases  [Kaspersky Lab] Trojan.Win32.Inject.wjs
Typical Symptoms  System slowdown, auto-execution on reboot
Discovered  [Korea] 2009-05-01 / [Foreign] 0000-00-00
Type  Spyware
Active Field  Damage/Distribution
Origin  others
Encryption  NO
Target of infection  Webpage, Execution, Download by malicious code
Scan engine needed  2009-05-01 [Able to detect & repair]
Description


[Symptom of Infection]

Spyware.Inject.76454 connects to the IRC server "warlord.com (75.150.***.***)", located in Washington D.C., and waits there for the attacker's commands. It also sends bulk packets via port 445.

[PIC 1] IRC server connection (Password & Nick) packet dump


[PIC 2] IRC server connection packet list



[PIC 3] IRC chat string


It also opens a random local port from which it sends SYN packets, scanning the network for hosts that accept connections on port 445 (SMB).

[PIC 4] 445 Port Scan
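The sweep described above shows up in connection logs as one source sending bare SYNs to many distinct hosts on port 445 within a short time. The script below is an added example written for this entry, not ViRobot/HAURI code; it applies that test to a constructed flow log. The log line format, the 60-second window and the 20-host threshold are assumptions, not values taken from this page.

```python
"""Detect one host SYN-sweeping TCP/445 (SMB) across many neighbours.

Added example for this entry, not ViRobot/HAURI code.  Input lines are a
constructed, simplified flow log (assumed format, not from the page):
    <epoch_seconds>,<src_ip>,<dst_ip>,<dst_port>,<tcp_flags>
where tcp_flags is "S" for a bare SYN and "SA" for a SYN/ACK reply.
"""
from collections import defaultdict


def parse_flow(line):
    """Split one flow-log line into (ts, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.strip().split(",")
    return int(ts), src, dst, int(dport), flags


def find_smb_sweepers(lines, window=60, min_targets=20, port=445):
    """Return {src_ip: peak distinct targets} for every source that sends bare
    SYNs to at least `min_targets` distinct hosts on `port` within any
    `window`-second span.  Thresholds are assumptions; tune them per network."""
    syns = defaultdict(list)                      # src -> [(ts, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_flow(line)
        if dport != port or flags != "S":         # only outbound connection attempts
            continue
        syns[src].append((ts, dst))

    hits = {}
    for src, events in syns.items():
        events.sort()                             # sliding window over time
        live = defaultdict(int)                   # dst -> SYNs inside the window
        left = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[left][0] > window:  # expire SYNs older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(live))
    return hits


def build_sample_log():
    """Constructed sample traffic (not captured data): 10.0.0.23 sweeps 40 hosts
    on 445 within about 10 s, while workstation 10.0.0.7 keeps reconnecting to
    a single file server, which is ordinary SMB use and must not be flagged."""
    base = 1241136000                             # 2009-05-01 00:00:00 UTC
    lines = [f"{base + i // 4},10.0.0.23,10.0.1.{i},445,S" for i in range(1, 41)]
    lines += [f"{base + i},10.0.0.7,10.0.0.50,445,S" for i in range(30)]
    lines += [f"{base + i},10.0.0.50,10.0.0.7,445,SA" for i in range(30)]
    return lines


if __name__ == "__main__":
    for src, n in find_smb_sweepers(build_sample_log()).items():
        print(f"{src} sent SYNs to {n} distinct hosts on 445 within 60 s")
```

Counting distinct destinations rather than raw packet volume is what separates a sweep from a busy file-server client: the workstation in the sample sends just as many SYNs, but all to one host, so it stays below the threshold.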


Spyware.Inject.76454 registers a service named "netmon" in both Safe Mode boot lists ("Safe mode" and "Safe mode with networking"), so the service is started even when the system is booted in Safe Mode.

[PIC 5] Spyware.Inject.76454 still running in Safe Mode
 

*Related malicious code*
Trojan.Win32.RT-Agent.11656

*Related URL*
http://(...)warlord.com (75.150.***.***)

*Files*
Spyware.Inject.76454 creates the following files.

(Windows Folder)\system\netmon.exe  (Spyware.Inject.76454)
(System Folder)\drivers\sysdrv32.sys (Trojan.Win32.RT-Agent.11656)

*Registry*

Spyware.Inject.76454 creates the following registry keys and values.

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control
HKLM\SYSTEM\ControlSet001\Services\sysdrv32
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Security
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Enum
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netmon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Security
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netmon: "C:\WINDOWS\system\netmon.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon: "Service"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control\ActiveService: "sysdrv32"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Service: "sysdrv32"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\DeviceDesc: "Play Port I/O Driver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Enum\0: "Root\LEGACY_SYSDRV32\0000"
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\ImagePath: "\??\C:\WINDOWS\system32\drivers\sysdrv32.sys"
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\DisplayName: "Play Port I/O Driver"
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\Group: "SST wanport drivers"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netmon: "Service"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control\ActiveService: "sysdrv32"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Service: "sysdrv32"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\DeviceDesc: "Play Port I/O Driver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum\0: "Root\LEGACY_SYSDRV32\0000"
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\ImagePath: "\??\C:\WINDOWS\system32\drivers\sysdrv32.sys"
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\DisplayName: "Play Port I/O Driver"
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\Group: "SST wanport drivers"
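
The persistence pattern in this list is worth checking for on any suspect host: a service name added under both SafeBoot\Minimal and SafeBoot\Network that also has a Run-key autorun pointing into the Windows folder. The script below is an added example written for this entry, not ViRobot/HAURI code. It parses "key: value" text laid out like the list above. The sample dump is constructed from the entries shown here plus one benign autorun, and the baseline set is an illustrative subset of stock Windows XP SafeBoot entries, not a complete list.

```python
"""Triage a registry dump for Safe Mode persistence (SafeBoot + Run key).

Added example for this entry, not ViRobot/HAURI code.  Input is "key: value"
text laid out like the *Registry* list above, with backslash-separated paths.
"""
import re

# Matches SafeBoot\Minimal\<name> and SafeBoot\Network\<name> under any control set.
SAFEBOOT_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\:]+)",
    re.IGNORECASE,
)
# Matches HKLM Run-key values: Run\<name>: "<command>"
RUN_RE = re.compile(
    r'^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\:]+):\s*"?([^"]*)"?',
    re.IGNORECASE,
)

# Illustrative, constructed subset of stock Windows XP SafeBoot\Minimal entries.
# It is NOT complete: on a real host, diff against a known-clean snapshot of
# the same Windows build instead of relying on this set.
BASELINE_SAFEBOOT = {
    "Base", "Boot Bus Extender", "Boot file system", "File system", "Filter",
    "PCI Configuration", "PlugPlay", "Primary disk", "SCSI Class",
    "System Bus Extender", "vga.sys", "vgasave.sys", "EventLog", "RpcSs",
}


def triage_registry_dump(text, baseline=BASELINE_SAFEBOOT):
    """Return unknown SafeBoot entries, Run-key autoruns, and the names that
    appear in both (autoruns that will also be started in Safe Mode)."""
    baseline_lc = {b.lower() for b in baseline}
    safeboot_unknown = set()                  # {(boot list, name), ...}
    autoruns = {}                             # name -> command line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            boot_list, name = m.group(1).capitalize(), m.group(2).strip().lower()
            if name not in baseline_lc:
                safeboot_unknown.add((boot_list, name))
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns[m.group(1).strip().lower()] = m.group(2)
    safe_mode_names = {name for _, name in safeboot_unknown}
    return {
        "safeboot_unknown": sorted(safeboot_unknown),
        "autoruns": autoruns,
        "safe_mode_autoruns": sorted(safe_mode_names & set(autoruns)),
    }


# Constructed sample dump: entries from this page's list plus one benign autorun.
SAMPLE_DUMP = r"""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base: "Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netmon: "Service"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netmon: "C:\WINDOWS\system\netmon.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoundTray: "C:\Program Files\Audio\tray.exe"
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\ImagePath: "\??\C:\WINDOWS\system32\drivers\sysdrv32.sys"
"""

if __name__ == "__main__":
    result = triage_registry_dump(SAMPLE_DUMP)
    for boot_list, name in result["safeboot_unknown"]:
        print(f"SafeBoot\\{boot_list} has a non-baseline entry: {name}")
    for name in result["safe_mode_autoruns"]:
        print(f"autorun '{name}' ({result['autoruns'][name]}) also survives Safe Mode")
```

Entries are de-duplicated across ControlSet001 and CurrentControlSet, which normally mirror each other, so the same service is reported once per boot list. The SafeBoot check is the important one: a stock autorun is stopped by a Safe Mode boot, whereas an entry in these lists is exactly what lets the service keep running there.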

*Notation*

"(All Users Account Folder)" may differ depending on user settings; it is generally "C:\Documents and Settings\(All Users Account)".

"(Desktop Folder)" may differ depending on the OS; it is generally "C:\Documents and Settings\(User Account)\Desktop".

"(Quick Launch Folder)" may differ depending on the OS (or user); it is generally "C:\Documents and Settings\(User Account)\Application Data\Microsoft\Internet Explorer\Quick Launch".

"(Temporary Folder)" may differ depending on the OS; it is generally "C:\Documents and Settings\(User Account)\Local Settings\Temp".

"(Programs Folder)" may differ depending on the OS; it is generally "C:\Program Files".

"(Windows Folder)" may differ depending on the OS; it is generally "C:\Windows".

"(System Folder)" may differ depending on the OS; it is generally "C:\Windows\System32".


Removal Instructions

[How to repair]

1. If you use Windows XP/ME, disable the System Restore (System Recovery) function first.
System Restore has to be disabled so that the virus can be cleaned completely.
See Microsoft technical document Q263455 for details.


2. Update the engine module to the latest version.
To repair this virus, you need the latest engine.


a. ViRobot product users
- Download the latest engine files from our website (www.hauri.net)


b. Non-ViRobot product users
- Use LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
- Use the trial version of ViRobot products (30 days only)


3. Scan for the virus.


a. Run ViRobot and select "all files" in the scan options.
- ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : check "all files"
- LiveCall (Free Scan) : [Advanced Scan] : check


b. Repair all viruses detected.


Copyright 2008 @ HAURI Inc. All rights reserved.