Cluster G

297 samples (WinXP (58%)
Win2K-f (42%))

Ports
Infection Listen Egg-download
445 (61%) 135 (68%)
500 (67%)
1026 (67%) 445 (94%)
68 (43%)
73 (29%)
74 (28%)

Filenames
Processes
MSMSGS.EXE (57%)

random 9
character filename

Registry keys
...CurrentVersion\RunServices (99%)
...Microsoft\OLE (99%)
...InternetSettings\5.0 (42%)
...InternetSettings\Connections (42%)
full list

Snort IDs
1:1390 (100%)
1:2001944 (100%)
1:99998 (100%)
1:2001683 (99%)
1:5001684 (99%)
1:3003 (96%)
full list

Network chatter
FTP C&C
exec=firstswin.exe (100%)
pass=1 (100%)
server=NzmxFtpd 0wns j0 (100%)
user=1 (100%) 211.233.7.66 (5%)
61.191.228.152 (1%)
211.169.249.223 (1%)

Static analysis
MD5 Antivirus labels Domain
f22e62... (6%)
1fdbd6... (5%)
diversity: 27.3%
full list
vipre (96%)
sheur (93%)
sdbot (92%)
heur (55%)
rbot (38%)
behav (36%) clone.ac (100%)
clone.ni (100%)
clone.pm (100%)
com.cm (100%)
com.mv (100%)
com.net (100%)
full list