Cluster AA

50 samples: Win2K-f (74%), WinXP (26%)


Ports

Infection       Listen          Egg-download    Upload
445 (78%)       44445 (100%)    44445 (100%)    -
135 (76%)
500 (76%)
1026 (76%)
68 (56%)
Filenames

Processes                       Executables
random 9-character filename     system.ini (100%)
                                vcmgcd32.dll (100%)
Registry keys
...CurrentVersion\RunServices (95%)
...Microsoft\OLE (95%)
...InternetSettings\5.0 (74%)
...InternetSettings\Connections (74%)


Snort IDs
1:2000032 (100%)
1:2466 (100%)
1:3000004 (100%)
1:2001683 (97%)
1:5001684 (97%)
1:2000046 (74%)


Network chatter
FTP
exec=resource32w.exe (100%)
pass=a (100%)
user=a (98%)
server=WinFtpd 1.2 (84%)
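The FTP chatter above (daemon banner WinFtpd 1.2, login user=a / pass=a, retrieval of resource32w.exe) is the egg-download step of this cluster. The following is an added example, not part of the original cluster report, that turns those four observed values into a check over FTP control-channel transcripts. The transcript format (one line per message, prefixed "C:" or "S:"), the function names and both sample sessions are constructed here for illustration.

```python
"""Flag FTP control-channel sessions matching the Cluster AA egg-download
chatter: server banner 'WinFtpd 1.2', USER a, PASS a, RETR resource32w.exe.

Added example; not code from the original report. The 'C:'/'S:' transcript
format and the two sample sessions below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators exactly as listed in the cluster report's FTP chatter.
CLUSTER_AA_FTP = {
    "server": "WinFtpd 1.2",
    "user": "a",
    "pass": "a",
    "exec": "resource32w.exe",
}


@dataclass
class FtpSession:
    server: Optional[str] = None          # text of the 220 greeting
    user: Optional[str] = None            # USER argument
    password: Optional[str] = None        # PASS argument
    retrieved: list = field(default_factory=list)  # RETR basenames


def parse_ftp_session(transcript: str) -> FtpSession:
    """Extract banner, credentials and retrieved files from a transcript.

    Each line is 'S: <server reply>' or 'C: <client command>'. Only the
    fields the cluster report lists are extracted; everything else is skipped.
    """
    sess = FtpSession()
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != ":":
            continue
        side, msg = line[0], line[3:].strip()
        if side == "S":
            # The 220 greeting carries the daemon banner; keep the first one.
            m = re.match(r"220[ -](.*)", msg)
            if m and sess.server is None:
                sess.server = m.group(1).strip()
        elif side == "C":
            parts = msg.split(None, 1)
            cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if cmd == "USER":
                sess.user = arg
            elif cmd == "PASS":
                sess.password = arg
            elif cmd == "RETR":
                # Compare on the basename so a path prefix does not evade it.
                sess.retrieved.append(arg.rsplit("/", 1)[-1])
    return sess


def match_cluster_aa(sess: FtpSession) -> list:
    """Return the names of the cluster indicators the session matches."""
    hits = []
    if sess.server and CLUSTER_AA_FTP["server"] in sess.server:
        hits.append("server")
    if sess.user == CLUSTER_AA_FTP["user"]:
        hits.append("user")
    if sess.password == CLUSTER_AA_FTP["pass"]:
        hits.append("pass")
    if any(f.lower() == CLUSTER_AA_FTP["exec"] for f in sess.retrieved):
        hits.append("exec")
    return hits


# Constructed sample sessions (not captured traffic).
SAMPLE_HIT = """\
S: 220 WinFtpd 1.2
C: USER a
S: 331 Password required for a.
C: PASS a
S: 230 User a logged in.
C: TYPE I
S: 200 Type set to I.
C: RETR resource32w.exe
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: QUIT
"""

SAMPLE_BENIGN = """\
S: 220 ProFTPD Server ready.
C: USER anonymous
S: 331 Anonymous login ok, send your complete email address as your password
C: PASS guest@example.org
S: 230 Anonymous access granted, restrictions apply
C: RETR README.txt
S: 226 Transfer complete
"""

if __name__ == "__main__":
    for name, transcript in (("suspect", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        hits = match_cluster_aa(parse_ftp_session(transcript))
        print(f"{name}: {hits or 'no match'}")
```

The login pair a/a and the banner are weak on their own; the egg filename together with the banner is the combination worth alerting on, and all four values are trivially changed by the operator, so treat them as indicators of this cluster rather than of the family.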
Static analysis

MD5 (diversity: 60.0%)
cbe93b... (12%)
f37730... (10%)
5fa3a9... (6%)
75a2c7... (6%)
760bc3... (6%)
abccf3... (6%)

Antivirus labels
kuku (100%)
sality (100%)
hllp (92%)
sdbot (90%)
vipre (86%)
gaobot (84%)

Domain
*@celestial.org (91%)