Cluster C

1117 samples (WinXP (62%), Win2K-f (38%))


Ports
Infection / Listen / Egg-download
445 (70%)
113 (99%)
135 (38%)
1026 (38%)
500 (38%)
445 (98%)
68 (39%)
73 (34%)
74 (27%)
Filenames
Processes / Executables
MSMSGS.EXE (62%)

random 8/9/10 character filename
o (100%)
Registry keys
...CurrentVersion\RunServices (100%)
...CurrentVersion\Run (37%)
...InternetSettings\5.0 (37%)

Snort IDs
1:5001684 (100%)
1:1390 (100%)
1:2001683 (100%)
1:99998 (100%)
1:2001944 (99%)
1:3000006 (98%)

Network chatter
FTP C&C
server=StnyFtpd 0wns j0 (100%)
user=1 (100%)
pass=1 (100%)
exec=updetwind.exe (30%)
211.233.7.66 (5%)
61.191.228.152 (1%)
Static analysis
MD5 / Antivirus labels / Domain

MD5 diversity: 24.9%

vipre (91%)
sdbot (88%)
sheur (64%)
spybot (58%)
heur (46%)
rbot (45%)

PAYPAL.COM (100%)
de.yahoo.com (100%)
nitro.ucsc.edu (100%)
paypal.com (100%)
reconnect.in (100%)
reconnect.in.ms (100%)