Cluster U

74 samples (WinXP (66%)
Win2K-f (34%))

Ports
Infection Listen Egg-download
445 (74%) 113 (100%)
135 (34%)
500 (34%)
1026 (34%) 445 (96%)
73 (49%)
68 (36%)

Filenames
Processes Executables
MSMSGS.EXE (66%)

random 8/9/10
character filename o (100%)

Registry keys
...CurrentVersion\RunServices (100%)
...CurrentVersion\Run (34%)
...InternetSettings\5.0 (34%)
full list

Snort IDs
1:1390 (100%)
1:2001944 (100%)
1:99998 (100%)
1:2001683 (98%)
1:5001684 (98%)
1:3000006 (96%)
full list

Network chatter
FTP C&C
pass=1 (100%)
server=StnyFtpd 0wns j0 (100%)
user=1 (100%)
exec=windsservc.exe (26%) 211.233.7.66 (4%)
211.169.249.223 (3%)

Static analysis
MD5 Antivirus labels
fc3e35... (12%)
fca931... (11%)
5a5345... (8%)
5b8445... (5%)
d6bbb2... (5%)
diversity: 53.4%
full list
rbot (89%)
sdbot (79%)
vipre (78%)
spybot (73%)
ircbot (68%)
gaobot (51%)
full list