Cluster Q

92 samples (Win2K-f (99%))

Ports
Infection Listen Egg-download
445 (72%)
1028 (24%) 135 (100%)
500 (100%)
1026 (100%) 445 (100%)
1028 (96%)

Filenames
Processes
f0dns.exe (70%)

Registry keys
...CurrentVersion\RunServices (100%)
...CurrentVersion\Run (100%)
full list

Snort IDs
1:1390 (100%)
1:2001944 (100%)
1:3000006 (100%)
1:99998 (100%)
1:2001683 (95%)
1:3003 (94%)

Network chatter
FTP C&C
user=a (100%)
pass=a (80%)
exec=f0dns.exe (73%)
exec=seegcom.exe (25%) 62.215.157.167 (4%)

Static analysis
MD5 Antivirus labels
840993... (63%)
b018b9... (18%)
diversity: 16.1%
full list
sdbot (100%)
wootbot (99%)
ircbot (95%)
agobot (92%)
behav (75%)
dnascan (75%)
full list