Behavioral Pattern Analysis: 9630 samples, 52 behavioral profiles

Cluster	Number of samples	Timeline	Target OS	Infection port	Listen ports	Snort IDs	Egg-download ports	Upload ports	Antivirus labels	Processes created	Executables modified	MD5 (packed)	Registry keys	Domain names	FTP chatter	HTTP chatter	IRC chatter	C&C IPs
A	2701		WinXP (100%)	445 (69%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:3000003 (100%) 1:99913 (100%) 1:3000000 (100%) full list	1032 (68%) 1031 (31%)	1032 (68%) 1031 (32%)	korgo (100%) padobot (100%) lsabot (100%)	MSMSGS.EXE (100%) random 5/6/7/8 character filename	ftpupd.exe (100%) random 5/6/7/8 character filename	7d99b0... (46%) 3ae357... (11%) a0139d... (8%) 1fcc14... (5%) 986b59... (5%) diversity: 3.6% full list	...Microsoft\Wireless (100%) full list	adult-empire.com (100%) asechka.ru (100%) citi-bank.ru (100%) color-bank.ru (100%) crutop.nu (100%) kavkaz.ru (100%) full list	-	-	-	-
B	1262		Win2K-f (62%) WinXP (38%)	445 (76%)	44445 (100%) 135 (63%) 500 (63%) 1026 (63%)	1:2000032 (100%) 1:2466 (100%) 1:3000004 (100%) 1:5001684 (100%) 1:2001683 (99%) 1:2000046 (64%) full list	68 (62%)	44445 (100%)	sdbot (100%) rbot (100%) spybot (99%) mybot (97%) sdbo (94%)	MSMSGS.EXE (44%) random 9 character filename	Abort (89%) random 4/17 character filename	7fdfe3... (76%) diversity: 5.6% full list	...CurrentVersion\RunServices (99%) ...Microsoft\OLE (99%) ...InternetSettings\5.0 (55%) ...InternetSettings\Connections (55%) full list	*@celestial.org (96%)	exec=resource32w.exe (100%) server=WinFtpd 1.2 (99%) pass=a (98%) user=a (98%)	-	-	217.170.244.2 (8%) 82.114.64.251 (7%)
C	1117		WinXP (62%) Win2K-f (38%)	445 (70%)	113 (99%) 135 (38%) 1026 (38%) 500 (38%)	1:5001684 (100%) 1:1390 (100%) 1:2001683 (100%) 1:99998 (100%) 1:2001944 (99%) 1:3000006 (98%) full list	445 (98%) 68 (39%) 73 (34%) 74 (27%)	-	vipre (91%) sdbot (88%) sheur (64%) spybot (58%) heur (46%) rbot (45%) full list	MSMSGS.EXE (62%) random 8/9/10 character filename	o (100%)	diversity: 24.9%	...CurrentVersion\RunServices (100%) ...CurrentVersion\Run (37%) ...InternetSettings\5.0 (37%) full list	PAYPAL.COM (100%) de.yahoo.com (100%) nitro.ucsc.edu (100%) paypal.com (100%) reconnect.in (100%) reconnect.in.ms (100%) full list	server=StnyFtpd 0wns j0 (100%) user=1 (100%) pass=1 (100%) exec=updetwind.exe (30%)	-	-	211.233.7.66 (5%) 61.191.228.152 (1%)
D	699		WinXP (100%)	445 (70%)	113 (99%) 3067 (99%)	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:99913 (100%) 1:2001683 (100%) 1:5001684 (100%) full list	1032 (65%) 1031 (35%)	1032 (54%) 1031 (26%)	korgo (100%) padobot (100%) ircbot (71%) sdbot (71%) lsabot (28%)	MSMSGS.EXE (100%) random 5/6/7/8 character filename	ftpupd.exe (100%) random 5/6/7/8 character filename	7f6016... (71%) 042774... (7%) 492957... (5%) diversity: 4.4% full list	...Microsoft\Wireless (100%) full list	brussels.be.eu.undernet.o... (100%) caen.fr.eu.undernet.org (100%) flanders.be.eu.undernet.o... (100%) gaspode.zanet.org.za (100%) graz.at.eu.undernet.org (100%) lia.zanet.net (100%) full list	-	-	-	-
E	356		WinXP (64%) Win2K-f (36%)	139 (52%)	1026 (69%) 135 (68%) 500 (68%)	1:1390 (100%) 1:3000005 (100%) 1:5001684 (100%) 1:99998 (100%) 1:2001683 (62%)	139 (100%) 73 (40%) 68 (38%)	-	rbot (100%) ircbot (71%) spybot (61%) mybot (54%) cakl (44%) muldrop (44%) full list	MSMSGS.EXE (64%) MSNGR32.com (47%) Tilecomfree.com (41%)	-	829e9e... (6%) diversity: 27.5% full list	...CurrentVersion\RunServices (99%) ...Microsoft\OLE (99%) ...ProductName\ProductID (53%) ...Software\ProductName (53%) ...HKEY_CLASSES_ROOT\.key (39%) ...Classes\.key (39%) full list	-	pass=1 (100%) server=fuckFtpd 0wns j0 (100%) user=1 (100%) exec=MSNGR32.com (53%) exec=Tilecomfree.com (41%)	-	-	63.173.172.98 (4%)
F	324		WinXP (100%)	445 (81%)	44445 (93%)	1:2001683 (84%) 1:1390 (50%) 1:2000032 (50%) 1:2000033 (50%) 1:2001944 (50%) 1:2466 (50%) full list	445 (50%) 1033 (40%)	44445 (50%)	behav (98%) dnascan (98%) maximus (98%) nspack (98%) sdbot (97%) klone (96%) full list	MSMSGS.EXE (100%)	index.dat (100%) resource32w.exe (56%) f0dns.exe (43%)	840993... (33%) diversity: 15.6% full list	-	-	user=a (100%) pass=a (100%) exec=resource32w.exe (53%) server=WinFtpd 1.2 (51%) exec=f0dns.exe (41%)	-	-	-
G	297		WinXP (58%) Win2K-f (42%)	445 (61%)	135 (68%) 500 (67%) 1026 (67%)	1:1390 (100%) 1:2001944 (100%) 1:99998 (100%) 1:2001683 (99%) 1:5001684 (99%) 1:3003 (96%) full list	445 (94%) 68 (43%) 73 (29%) 74 (28%)	-	vipre (96%) sheur (93%) sdbot (92%) heur (55%) rbot (38%) behav (36%)	MSMSGS.EXE (57%) random 9 character filename	-	f22e62... (6%) 1fdbd6... (5%) diversity: 27.3% full list	...CurrentVersion\RunServices (99%) ...Microsoft\OLE (99%) ...InternetSettings\5.0 (42%) ...InternetSettings\Connections (42%) full list	clone.ac (100%) clone.ni (100%) clone.pm (100%) com.cm (100%) com.mv (100%) com.net (100%) full list	exec=firstswin.exe (100%) pass=1 (100%) server=NzmxFtpd 0wns j0 (100%) user=1 (100%)	-	-	211.233.7.66 (5%) 61.191.228.152 (1%) 211.169.249.223 (1%)
H	286		Win2K-f (100%)	445 (50%) 139 (22%)	135 (100%) 500 (100%) 1026 (100%) 1027 (100%)	1:3000003 (100%) 1:99913 (100%) 1:5001684 (81%) 1:2466 (69%)	1028 (89%)	1028 (100%)	delbot (100%) ircbot (100%) nirbot (100%) rinbot (100%) sdbot (100%) vanbot (100%) full list	ntvdm.exe (91%)	-	a0a7e8... (49%) cefc8f... (10%) 147d16... (6%) diversity: 2.5% full list	...Microsoft\DownloadManager (100%) ...InternetSettings\5.0 (100%) ...InternetSettings\Connections (100%) full list	-	-	UA=Mozilla/4.0 (compatibl... (100%) version=1.0 (100%) filename=/zmon.exe (87%) full list	-	-
I	279		WinXP (100%)	445 (76%)	80 (100%)	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:5001684 (100%) 1:99913 (100%) full list	1032 (52%) 1031 (46%)	80 (95%)	berbew (100%) padobot (100%) berkor (99%) doxpar (98%) korgo (95%) hangup (95%) full list	MSMSGS.EXE (100%)	ndisrd.sys (100%) DCPROMO.LOG (100%) index.dat (100%) random 6/7/8 character filename	a12cab... (65%) df17a6... (27%) diversity: 2.9% full list	...CurrentVersion\InternetSettings (100%) ...InternetSettings\Zones (100%) ...Windows\CurrentVersion (100%) ...Zones\0 (100%) ...Zones\1 (100%) ...Zones\2 (100%) full list	53bank.com (100%) acrolein-hawk.rubanking.h... (100%) alfabank.ru (100%) asmworm.com (100%) atmacasoft.com (100%) barclays.com (100%) full list	-	-	-	-
J	190		WinXP (100%)	445 (58%)	1028 (78%)	1:1390 (100%) 1:99998 (100%) 1:2001944 (97%) 1:3000006 (97%) 1:3003 (87%) 1:5001684 (74%) full list	445 (97%) 73 (48%)	-	sdbot (100%) vipre (100%) rbot (78%) sheur (56%) spybot (44%) ircbot (22%) full list	MSMSGS.EXE (100%)	index.dat (100%) o (100%)	diversity: 55.6%	-	-	user=1 (100%) pass=1 (99%) server=StnyFtpd 0wns j0 (97%)	-	-	-
K	127		WinXP (60%) Win2K-f (40%)	139 (45%)	135 (65%) 500 (65%) 1026 (65%)	1:5001684 (100%) 1:1390 (89%) 1:99998 (89%) 1:3000005 (84%) 1:2001683 (79%)	139 (89%) 68 (44%) 73 (27%) 74 (27%)	-	rbot (99%) mybot (97%) spybot (89%) gaobot (85%) ircbot (82%) sdbot (73%) full list	MSMSGS.EXE (60%) Tilecomnu.com (39%) random 9 character filename	o (100%)	2a7d99... (6%) diversity: 50.4% full list	...CurrentVersion\RunServices (99%) ...Microsoft\OLE (99%) ...InternetSettings\5.0 (40%) ...InternetSettings\Connections (35%) full list	clone.pm (83%) box.cm (77%) box.mv (77%) box.net (77%) box.ni (77%) box.ps (77%) full list	pass=1 (100%) user=1 (100%) server=fuckFtpd 0wns j0 (83%) exec=Tilecomnu.com (39%)	-	-	63.173.172.98 (3%)
L	113		Win2K-f (100%)	445 (100%)	135 (100%) 500 (100%) 1026 (100%)	1:1390 (100%) 1:2001944 (100%) 1:99998 (100%) 1:3000006 (99%) 1:3003 (87%) 1:5001684 (53%) full list	445 (99%) 68 (52%)	-	-	winamper.exe (67%)	-	diversity: 50.0%	-	-	user=1 (92%) pass=1 (91%) server=StnyFtpd 0wns j0 (79%)	-	-	-
M	107		Win2K-f (100%)	445 (100%)	135 (100%) 500 (100%) 1026 (100%) 44445 (100%)	1:2000032 (100%) 1:2000046 (100%) 1:2466 (100%) 1:3000004 (100%) 1:99906 (100%)	-	44445 (100%)	-	-	-	diversity: N/A	-	-	user=a (100%) pass=a (88%) server=WinFtpd 1.2 (69%) exec=resource32w.exe (56%)	-	-	-
N	94		Win2K-f (63%) WinXP (37%)	445 (48%) 139 (18%)	135 (89%) 500 (89%) 1026 (89%)	1:1390 (100%) 1:2001683 (100%) 1:5001684 (100%) 1:99998 (100%) 1:2001944 (73%) 1:3000006 (73%) full list	445 (73%) 68 (65%) 139 (27%)	-	sdbot (100%) vipre (100%) sheur (62%) behav (61%) rbot (59%) ircbot (45%) full list	MSMSGS.EXE (37%) msupdates.exe (30%)	index.dat (97%) msupdates.exe (43%) wupdate.exe (37%)	7df646... (30%) a3e1e3... (17%) 51be10... (14%) 418432... (6%) 2a8ea0... (5%) diversity: 26.6% full list	...CurrentVersion\RunServices (100%) ...CurrentVersion\Run (67%) ...InternetSettings\5.0 (67%) full list	-	pass=1 (100%) user=1 (100%) server=StnyFtpd 0wns j0 (56%) server=NzmxFtpd 0wns j0 (44%) exec=msupdates.exe (30%)	-	-	-
O	93		WinXP (100%)	445 (69%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) full list	1032 (61%) 1031 (39%)	1032 (61%) 1031 (39%)	korgo (100%) padobot (99%) lsabot (98%) paradrop (22%)	LOGONUI.EXE (100%) MSMSGS.EXE (100%) random 5/6/7/8 character filename	ftpupd.exe (100%) random 5/6/7/8 character filename	7d99b0... (42%) a0139d... (14%) 3ae357... (12%) 1fcc14... (6%) 986b59... (5%) d6df39... (5%) diversity: 19.4% full list	...Microsoft\Wireless (100%) full list	-	-	-	-	-
P	93		WinXP (100%)	445 (60%) 1033 (38%)	1028 (100%)	1:1390 (100%) 1:99998 (100%) 1:2001944 (98%) 1:3000006 (98%) 1:3003 (89%) 1:2001683 (46%) full list	445 (98%) 1033 (39%)	-	ircbot (100%) sdbot (100%) vipre (100%) wootbot (100%) agobot (90%) rbot (90%) full list	MSMSGS.EXE (100%)	index.dat (100%) seegcom.exe (45%) ForBot-NoSSL_out.pr (42%) o (41%)	b018b9... (37%) diversity: 7.7% full list	-	-	pass=a (74%) user=a (74%) exec=seegcom.exe (69%) user=1 (26%)	-	-	-
Q	92		Win2K-f (99%)	445 (72%) 1028 (24%)	135 (100%) 500 (100%) 1026 (100%)	1:1390 (100%) 1:2001944 (100%) 1:3000006 (100%) 1:99998 (100%) 1:2001683 (95%) 1:3003 (94%)	445 (100%) 1028 (96%)	-	sdbot (100%) wootbot (99%) ircbot (95%) agobot (92%) behav (75%) dnascan (75%) full list	f0dns.exe (70%)	-	840993... (63%) b018b9... (18%) diversity: 16.1% full list	...CurrentVersion\RunServices (100%) ...CurrentVersion\Run (100%) full list	-	user=a (100%) pass=a (80%) exec=f0dns.exe (73%) exec=seegcom.exe (25%)	-	-	62.215.157.167 (4%)
R	88		Win2K-f (58%) WinXP (42%)	445 (56%)	1028 (61%) 135 (58%) 500 (58%) 1026 (58%) 1027 (58%) 1032 (42%) full list	1:1390 (82%) 1:99998 (82%) 1:2001944 (71%) 1:3000006 (71%) 1:3003 (67%) 1:2001683 (36%) full list	445 (71%) 68 (25%)	-	-	ftp.exe (100%) MSMSGS.EXE (42%)	index.dat (100%) o (62%) ii (38%)	diversity: 100.0%	-	-	pass=1 (76%) user=1 (76%) server=StnyFtpd 0wns j0 (45%)	-	-	-
S	85		WinXP (100%)	445 (38%) 139 (19%)	1028 (87%)	1:1390 (100%) 1:99998 (100%) 1:5001684 (80%) 1:2001683 (73%) 1:2001944 (67%) 1:3000006 (67%) full list	445 (65%) 73 (45%) 74 (33%) 139 (33%)	-	vipre (92%) ircbot (85%) sdbot (85%) behav (54%) heur (46%) rbot (38%) full list	MSMSGS.EXE (100%)	index.dat (100%) firstswin.exe (47%)	51be10... (7%) diversity: 46.2% full list	-	-	pass=1 (100%) user=1 (100%) server=NzmxFtpd 0wns j0 (59%) exec=firstswin.exe (42%) server=fuckFtpd 0wns j0 (31%)	-	-	-
T	74		Win2K-f (100%)	-	135 (100%) 500 (100%) 1026 (100%) 44445 (100%)	-	-	-	-	-	-	diversity: N/A	-	-	pass=a (100%) user=a (100%) server=WinFtpd 1.2 (94%) exec=resource32w.exe (92%)	-	-	-
U	74		WinXP (66%) Win2K-f (34%)	445 (74%)	113 (100%) 135 (34%) 500 (34%) 1026 (34%)	1:1390 (100%) 1:2001944 (100%) 1:99998 (100%) 1:2001683 (98%) 1:5001684 (98%) 1:3000006 (96%) full list	445 (96%) 73 (49%) 68 (36%)	-	rbot (89%) sdbot (79%) vipre (78%) spybot (73%) ircbot (68%) gaobot (51%) full list	MSMSGS.EXE (66%) random 8/9/10 character filename	o (100%)	fc3e35... (12%) fca931... (11%) 5a5345... (8%) 5b8445... (5%) d6bbb2... (5%) diversity: 53.4% full list	...CurrentVersion\RunServices (100%) ...CurrentVersion\Run (34%) ...InternetSettings\5.0 (34%) full list	-	pass=1 (100%) server=StnyFtpd 0wns j0 (100%) user=1 (100%) exec=windsservc.exe (26%)	-	-	211.233.7.66 (4%) 211.169.249.223 (3%)
V	72		WinXP (100%)	1033 (28%) 1034 (24%) 445 (19%)	9996 (100%) 5554 (62%) 445 (29%)	1:2000047 (100%) 1:2466 (100%) 1:99913 (100%) 1:3000004 (84%) 1:2001056 (73%)	9996 (100%)	9996 (84%)	sasser (100%) corr (92%) jobaka (90%)	MSMSGS.EXE (100%) dwwin.exe (39%) random 7/8 character filename	index.dat (100%) avserve2.exe (62%) random 7/8 character filename	831f4e... (40%) 1a2c0e... (19%) diversity: 10.4% full list	...Reliability\UserDefined (100%) full list	-	user=anonymous (100%) pass=bin (94%) server=OK (87%)	-	-	-
W	64		Win2K-f (100%)	-	135 (100%) 500 (100%) 1026 (100%)	-	-	-	-	-	-	diversity: N/A	-	-	pass=1 (100%) user=1 (100%) server=StnyFtpd 0wns j0 (65%)	-	-	-
X	64		WinXP (100%)	445 (73%)	1033 (37%) 1032 (26%)	1:2001683 (100%) 1:5001684 (100%) 1:2000032 (90%) 1:2000033 (90%) 1:2466 (90%) 1:99913 (90%) full list	1032 (55%) 1031 (33%)	1032 (55%) 1031 (33%)	virut (100%) virutas (89%) vipre (84%) korgo (82%) padobot (75%) horst (74%) full list	MSMSGS.EXE (100%) random 5/6/7/8 character filename	HelpCtr.exe (100%) HelpHost.exe (100%) HelpSvc.exe (100%) NOTEPAD.EXE (100%) UploadM.exe (100%) accwiz.exe (100%) full list	388123... (6%) b37139... (6%) diversity: 73.0% full list	...Microsoft\Wireless (87%) full list	broadway.ny.us.dal.net (35%) brussels.be.eu.undernet.o... (35%) caen.fr.eu.undernet.org (35%) ced.dal.net (35%) coins.dal.net (35%) diemen.nl.eu.undernet.org (35%) full list	pass=1 (90%) server=StnyFtpd 0wns j0 (90%) user=1 (90%) exec=sertys.exe (30%) exec=windervs.exe (30%)	-	-	81.95.146.251 (5%)
Y	62		Win2K-f (100%)	445 (44%) 139 (26%)	135 (100%) 500 (100%) 1026 (100%) 1027 (100%)	1:2001683 (100%) 1:3000003 (100%) 1:5001684 (100%) 1:99913 (100%) 1:2466 (63%)	1028 (100%)	1028 (100%)	aetr (100%) delbot (100%) generic5 (100%) ircbot (100%) nirbot (100%) rinbot (100%) full list	-	-	a7c70c... (65%) 5777cb... (29%) aef2e2... (6%) diversity: 4.8% full list	...Microsoft\DownloadManager (100%) ...InternetSettings\5.0 (100%) ...InternetSettings\Connections (100%) full list	-	-	UA=Mozilla/4.0 (compatibl... (100%) filename=/zmon.exe (100%) version=1.0 (100%) full list	-	-
Z	48		WinXP (100%)	445 (100%)	44445 (69%)	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:99913 (100%) 1:3000004 (69%) 1:2001683 (31%) full list	-	44445 (69%)	-	MSMSGS.EXE (100%)	index.dat (100%) ftpupd.exe (31%)	diversity: N/A	-	-	user=a (100%)	-	-	-
AA	50		Win2K-f (74%) WinXP (26%)	445 (78%)	44445 (100%) 135 (76%) 500 (76%) 1026 (76%)	1:2000032 (100%) 1:2466 (100%) 1:3000004 (100%) 1:2001683 (97%) 1:5001684 (97%) 1:2000046 (74%) full list	68 (56%)	44445 (100%)	kuku (100%) sality (100%) hllp (92%) sdbot (90%) vipre (86%) gaobot (84%) full list	random 9 character filename	system.ini (100%) vcmgcd32.dll (100%)	cbe93b... (12%) f37730... (10%) 5fa3a9... (6%) 75a2c7... (6%) 760bc3... (6%) abccf3... (6%) diversity: 60.0% full list	...CurrentVersion\RunServices (95%) ...Microsoft\OLE (95%) ...InternetSettings\5.0 (74%) ...InternetSettings\Connections (74%) full list	*@celestial.org (91%)	exec=resource32w.exe (100%) pass=a (100%) user=a (98%) server=WinFtpd 1.2 (84%)	-	-	-
AB	46		WinXP (100%)	445 (78%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) full list	1032 (86%)	1032 (86%)	korgo (100%) parite (100%) perite (100%) pinfi (100%) win32_parite_b (98%) lsabot (96%) full list	MSMSGS.EXE (100%) random 5/6/7/8 character filename	ftpupd.exe (100%) random 4/5/6/8 character filename	736531... (57%) 744033... (7%) diversity: 37.0% full list	...Microsoft\Wireless (100%) full list	-	-	-	-	-
AC	46		WinXP (57%) Win2K-f (43%)	445 (28%) 135 (20%) 139 (13%)	135 (67%) 500 (67%) 1026 (67%) 44445 (27%)	1:5001684 (82%) 1:2001683 (57%) 1:1390 (46%) 1:99913 (46%) 1:99998 (46%) 1:2001944 (25%) full list	1034 (32%) 445 (25%) 1028 (25%)	-	sdbot (100%) ircbot (96%) poebot (83%) vanbot (80%) linkbot (78%) agobot (43%) full list	MSMSGS.EXE (62%) random 8 character filename	index.dat (100%)	e0d355... (20%) 04af72... (15%) 1f79d9... (13%) 0a0261... (9%) diversity: 43.5% full list	-	paypal.com (100%)	server=- (100%) pass=1 (72%) user=1 (66%) pass=a (28%) exec=resource32w.exe (25%) user=a (25%)	-	-	67.43.226.210 (4%)
AD	30	-	WinXP (100%)	445 (53%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) full list	1032 (59%) 1031 (41%)	1032 (59%) 1031 (41%)	korgo (100%) virut (100%) vipre (97%) padobot (90%) horst (70%) vetor (50%) full list	MSMSGS.EXE (100%) random 5/6/7/8 character filename	ftpupd.exe (100%) random 5/6/7/8 character filename	999e33... (23%) 589768... (13%) 0faa8c... (10%) 521292... (10%) 6b716e... (7%) 84ba18... (7%) diversity: 46.7% full list	...Microsoft\Wireless (100%) full list	-	-	-	-	-
AE	28	-	WinXP (61%) Win2K-f (39%)	139 (43%)	135 (65%) 500 (65%) 1026 (65%)	1:1390 (100%) 1:3000005 (100%) 1:5001684 (100%) 1:99998 (100%) 1:2001683 (33%)	139 (100%) 68 (50%) 73 (25%) 74 (25%)	-	gaobot (100%) ircbot (100%) mybot (100%) rbot (100%) sdbot (100%) sdbot2 (100%) full list	Tilehome.com (100%) MSMSGS.EXE (61%)	-	0123d3... (11%) 1d9b3a... (11%) 243aa2... (7%) cadc24... (7%) f1256e... (7%) f81454... (7%) diversity: 67.9% full list	...CurrentVersion\RunServices (100%) ...Microsoft\OLE (100%) ...InternetSettings\5.0 (39%) ...InternetSettings\Connections (39%) full list	PAYPAL.COM (100%) Tilehome.com (100%) clone.ac (100%) clone.ni (100%) clone.pm (100%) home.najd.us (100%) full list	exec=Tilehome.com (100%) pass=1 (100%) server=NzmxFtpd 0wns j0 (100%) user=1 (100%)	-	-	63.173.172.98 (7%)
AF	28	-	WinXP (100%)	445 (100%)	1032 (100%) 1028 (29%)	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:99913 (100%) 1:3000003 (89%) 1:3000000 (71%) full list	1032 (71%)	1032 (89%)	-	MSMSGS.EXE (100%)	-	diversity: N/A	-	-	-	-	-	-
AG	28	-	WinXP (68%) Win2K-f (32%)	445 (82%)	1026 (71%) 135 (64%) 500 (64%) 1028 (29%) 6388 (29%)	1:1390 (100%) 1:2001683 (100%) 1:2001944 (100%) 1:3003 (100%) 1:5001684 (100%) 1:99998 (100%) full list	445 (92%) 73 (58%) 68 (29%)	-	sdbot (100%) rbot (70%) spybot (65%) ircbot (60%) dcom (50%) eggdrop (50%) full list	MSMSGS.EXE (68%) random 7/9 character filename	-	6c9335... (32%) 5e25ca... (21%) e15c1e... (7%) diversity: 46.2% full list	...CurrentVersion\RunServices (100%) ...Microsoft\OLE (100%) ...InternetSettings\5.0 (33%) ...InternetSettings\Connections (33%) full list	-	pass=1 (100%) server=NzmxFtpd 0wns j0 (100%) user=1 (100%) exec=firstswin.exe (50%) exec=yfiswin.exe (43%)	-	-	211.233.7.66 (11%)
AH	27	-	Win2K-f (74%) WinXP (26%)	135 (100%)	135 (95%) 500 (91%) 1026 (91%) 69 (32%)	1:1444 (100%) 1:3001441 (100%) 1:99913 (100%)	69 (100%)	1028 (48%) 1027 (30%)	-	MSMSGS.EXE (50%)	index.dat (83%) random 7 character filename	diversity: N/A	...CurrentVersion\RunServices (100%) ...CurrentVersion\Run (60%) ...InternetSettings\5.0 (60%) full list	-	-	-	-	67.43.236.68 (7%)
AI	24	-	Win2K-f (54%) WinXP (46%)	135 (54%) 445 (21%) 139 (12%)	135 (88%) 500 (81%) 1026 (81%)	1:2001684 (100%) 1:99913 (62%) 1:1390 (29%) 1:99998 (29%)	1027 (29%) 1028 (29%)	-	bvpz (100%) delf (100%) eggdrop (100%) generic4 (100%) linkbot (100%) ms06040 (100%) full list	MSMSGS.EXE (46%)	index.dat (100%) o (27%)	2aa59b... (100%) diversity: 4.2% full list	-	-	server=- (75%) pass=1 (58%) user=1 (58%) exec=Tilecomfc.com (25%)	-	-	-
AJ	24	-	Win2K-f (71%) WinXP (29%)	445 (62%)	-	1:2001683 (100%) 1:5001684 (100%) 1:2000032 (94%) 1:2466 (94%) 1:3000004 (81%) 1:2000046 (69%) full list	1028 (75%)	44445 (81%)	bobax (91%) bobic (91%) vipre (65%) baxbo (61%) proxed (57%) mytob (43%) full list	-	-	94f008... (12%) 7c0547... (8%) diversity: 87.5% full list	-	-	server=- (100%) exec=resource32w.exe (94%) pass=a (94%) user=a (89%)	-	-	-
AK	22	-	Win2K-f (50%) WinXP (50%)	445 (45%)	135 (92%) 500 (92%) 1026 (92%)	1:1390 (100%) 1:2001683 (100%) 1:2001944 (100%) 1:3000006 (100%) 1:3003 (100%) 1:5001684 (100%) full list	445 (100%) 74 (60%) 68 (40%)	-	heur (100%) sdbot (100%) themida (100%) vipre (100%)	service.exe (91%) MSMSGS.EXE (50%)	index.dat (100%) o (100%) service.exe (100%)	7e4f94... (59%) 084c60... (18%) 19563a... (9%) diversity: 20.0% full list	-	-	exec=service.exe (100%) pass=1 (100%) server=StnyFtpd 0wns j0 (100%) user=1 (100%)	-	-	-
AL	21	-	WinXP (100%)	445 (71%)	1028 (100%)	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) full list	1032 (87%)	1032 (87%)	korgo (100%) pepatch (100%) resourcer (100%) horst (90%) luder (90%) lsabot (81%) full list	MSMSGS.EXE (100%) dwwin.exe (38%)	ftpupd.exe (100%)	2e9c2f... (19%) 87a78a... (14%) 0313a9... (10%) 561de8... (10%) 76b306... (10%) 923941... (10%) diversity: 57.1% full list	-	-	-	-	-	-
AM	21	-	WinXP (100%)	445 (76%)	-	1:99913 (72%) 1:2000032 (67%) 1:2000033 (67%) 1:2466 (67%) 1:5001684 (67%) 1:2001683 (61%) full list	1032 (44%)	1032 (50%)	korgo (90%) lsabot (90%) padobot (90%)	DfrgFat.exe (100%) MSMSGS.EXE (100%) defrag.exe (100%)	ftpupd.exe (52%) index.dat (52%) random 5 character filename	7d99b0... (29%) diversity: 50.0% full list	...Microsoft\Wireless (89%) full list	-	pass=1 (67%) server=StnyFtpd 0wns j0 (67%) user=1 (67%) exec=windervs.exe (33%) user=a (33%)	-	-	-
AN	20	-	WinXP (100%)	445 (100%)	1031 (100%)	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:99913 (100%) 1:3000000 (75%) 1:2001683 (70%) full list	1031 (75%)	1031 (65%) 80 (30%)	-	MSMSGS.EXE (100%)	-	diversity: 100.0%	-	-	-	-	-	-
AO	17	-	WinXP (94%)	445 (59%)	80 (94%)	1:2001683 (100%) 1:2466 (100%) 1:5001684 (100%) 1:99913 (100%) 1:2000032 (90%) 1:2000033 (90%) full list	1032 (60%) 1031 (30%)	80 (90%)	berbew (93%) berkor (93%) doxpar (93%) hangup (93%) korgo (93%) padobot (93%) full list	MSMSGS.EXE (100%)	DCPROMO.LOG (100%) index.dat (100%) ndisrd.sys (100%) random 6/8 character filename	ada8af... (12%) diversity: 94.1% full list	...InternetSettings\Zones (100%) ...Zones\0 (100%) ...Zones\1 (100%) ...Zones\2 (100%) ...Zones\3 (100%) ...Zones\4 (100%) full list	-	-	-	-	-
AP	17	-	WinXP (100%)	-	1031 (100%)	-	-	-	-	MSMSGS.EXE (100%)	-	diversity: 100.0%	-	-	-	-	-	-
AQ	16	-	WinXP (100%)	445 (100%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) 1:99913 (100%) full list	1031 (50%) 1032 (50%)	1031 (50%) 1032 (50%)	-	MSMSGS.EXE (100%) random 5/8 character filename	ftpupd.exe (100%) random 5/8 character filename	68e270... (19%) diversity: 75.0% full list	...Microsoft\Wireless (100%) full list	-	-	-	-	-
AR	13	-	WinXP (100%)	-	1032 (100%)	-	-	-	-	MSMSGS.EXE (100%)	-	diversity: N/A	-	-	-	-	-	-
AS	12	-	Win2K-f (92%)	139 (100%)	135 (100%) 500 (100%) 1026 (100%) 1027 (36%)	1:1390 (100%) 1:3000005 (100%) 1:99998 (100%) 1:5001684 (58%) 1:2001683 (50%)	139 (100%) 68 (50%)	-	-	-	-	diversity: 100.0%	-	-	pass=1 (100%) user=1 (100%) server=fuckFtpd 0wns j0 (73%) exec=MSNGR32.com (36%)	-	-	-
AT	12	-	WinXP (100%)	445 (75%)	-	1:2000032 (100%) 1:2000033 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000000 (100%) 1:3000003 (100%) full list	1032 (89%)	1032 (89%)	korgo (100%) hckpk (92%) vipre (83%) padobot (75%) dabber (33%) paradrop (25%)	MSMSGS.EXE (100%)	ftpupd.exe (100%)	bc7925... (17%) diversity: 91.7% full list	...Microsoft\Wireless (100%) full list	-	-	-	-	-
AU	10	-	WinXP (100%)	-	44445 (100%)	-	-	-	-	MSMSGS.EXE (100%)	index.dat (100%)	diversity: N/A	-	-	-	-	-	-
AV	11	-	Win2K-f (100%)	445 (82%)	135 (100%) 500 (100%) 1026 (100%) 113 (91%) 69 (45%) 2001 (45%) full list	1:1390 (100%) 1:2001683 (100%) 1:2001944 (100%) 1:5001684 (100%) 1:99998 (100%) 1:3000006 (90%) full list	68 (100%) 445 (89%)	-	sdbot (100%) vipre (100%) rbot (80%) spybot (80%) sheur (60%) dnascan (40%) full list	random 8/9 character filename	-	diversity: 100.0%	...CurrentVersion\Run (100%) ...InternetSettings\5.0 (100%) ...CurrentVersion\RunServices (91%) full list	-	pass=1 (100%) server=StnyFtpd 0wns j0 (100%) user=1 (100%) exec=windervs.exe (36%) exec=windservc.exe (36%)	-	-	211.169.249.223 (18%)
AW	11	-	Win2K-f (55%) WinXP (45%)	445 (45%) 135 (36%)	135 (67%) 500 (67%) 1026 (67%)	1:2001683 (100%) 1:5001684 (100%) 1:99913 (60%) 1:1390 (40%) 1:99998 (40%) 1:2001944 (30%) full list	445 (30%) 1027 (30%) 1028 (30%) 1034 (30%)	-	bbju (100%) injeven (100%) poebot (100%) rizo (100%) pakes (73%) nepoe (45%) full list	MSMSGS.EXE (45%)	index.dat (100%)	fff8b6... (36%) a39875... (27%) ed1295... (18%) diversity: 45.5% full list	...ProductName\ProductID (100%) ...Software\ProductName (100%) full list	-	server=- (100%) pass=1 (67%) user=1 (50%)	-	-	-
AX	11	-	Win2K-f (64%) WinXP (36%)	445 (36%)	1957 (100%) 135 (64%) 500 (64%) 1026 (64%)	1:2000032 (100%) 1:2001683 (100%) 1:2466 (100%) 1:3000004 (100%) 1:5001684 (100%) 1:2000046 (80%) full list	68 (60%)	1957 (100%)	biww (100%) ircbot (100%) mybot (100%) rbot (100%) robobot (100%) spybot (100%) full list	soundman.exe (100%) MSMSGS.EXE (36%)	index.dat (100%) soundman.exe (100%)	5e6690... (27%) 858de5... (27%) 72d12d... (18%) ccbc77... (18%) diversity: 45.5% full list	-	-	exec=soundman.exe (100%) pass=1 (100%) server=StnyFtpd 0wns j0 (100%) user=1 (100%)	-	-	-
AY	10	-	Win2K-f (50%) WinXP (50%)	135 (60%)	1250 (70%) 135 (60%) 500 (50%) 1026 (50%)	1:5001684 (100%) 1:99913 (100%) 1:3000004 (71%)	1028 (71%) 1034 (29%)	43807 (29%) 44152 (29%)	dumaru (100%) ec1d (100%) explet (100%) mudrop (100%) muldrop (100%) multidropper (100%) full list	setupex.exe (70%) MSMSGS.EXE (50%)	a (100%) supu.exe (100%) index.dat (60%) fa4537ef.tmp (40%) fe43e701.htm (40%) feff35a0.htm (40%) full list random 7 character filename	b47155... (80%) diversity: 22.2% full list	...Microsoft\ProtectedStorageSystemProvider (100%) ...Software\SARS (100%) ...InternetSettings\5.0 (71%) ...InternetSettings\Connections (71%) full list	-	exec=supu.exe (100%) pass=p (100%) user=l (100%) destport=1028 (40%)	-	-	-
BA	10	-	WinXP (100%)	-	1032 (60%) 1031 (40%)	-	-	-	-	MSMSGS.EXE (100%)	ftpupd.exe (100%) index.dat (100%)	diversity: N/A	-	-	-	-	-	-