| Pattern | Number of samples | Target OS | Infection port | Listen ports | Snort IDs | Egg-download ports | Upload ports | Antivirus labels | Processes created | Executables modified | MD5 (packed) | Registry keys | FTP chatter | HTTP chatter | Domain names |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| JUL-AUGA | 901 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:3000000 (100%); 1:3000003 (100%); 1:99913 (100%) | 445 (98%); 1031 (59%); 1032 (41%) | 1031 (59%); 1032 (41%) | korgo (100%); padobot (100%); lsabot (99%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (100%); random 5/6/7/8 character filename | 7d99b0... (45%); 3ae357... (8%); a0139d... (8%); d42c1c... (6%); 986b59... (6%) | ...Microsoft\Wireless (100%) | - | - | - |
| JUL-AUGB | 572 | WinXP (55%); Win2K-f (45%) | 445 (88%) | 113 (76%); 135 (51%); 500 (51%); 1026 (51%) | 1:5001684 (100%); 1:1390 (100%); 1:99998 (100%); 1:2001683 (96%); 1:2001944 (90%); 1:3003 (89%) | 445 (89%); 68 (44%); 73 (43%) | - | vipre (84%); sdbot (68%); sheur (42%); rbot (38%); ircbot (37%); spybot (33%) | MSMSGS.EXE (55%); random 8/9/10 character filename | o (100%) | df2a3e... (9%); 817fcb... (7%) | ...CurrentVersion\RunServices (100%); ...InternetSettings\5.0 (45%); ...Microsoft\OLE (33%); ...CurrentVersion\Run (30%) | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (67%); exec=windservc.exe (28%) | - | *@admin.com (96%); PAYPAL.COM (69%); de.yahoo.com (69%); nitro.ucsc.edu (69%); paypal.com (69%); reconnect.in (69%) |
| JUL-AUGC | 543 | Win2K-f (100%) | 445 (72%); 139 (27%) | 135 (100%); 500 (100%); 1026 (100%); 1027 (100%); 445 (37%) | 1:3000003 (100%); 1:99913 (100%); 1:5001684 (87%); 1:2466 (73%); 1:2001683 (27%) | 1028 (91%) | 1028 (100%) | ircbot (100%); sdbot (100%); delbot (100%); rinbot (100%); nirbot (99%); hupigon (69%) | ntvdm.exe (100%) | - | a0a7e8... (39%); None (21%); a7c70c... (10%); 5777cb... (10%); cefc8f... (9%) | ...Microsoft\DownloadManager (100%); ...InternetSettings\5.0 (100%); ...InternetSettings\Connections (100%) | - | UA=Mozilla/4.0 (compatibl... (100%); filename=/zmon.exe (100%); version=1.0 (100%) | - |
| JUL-AUGE | 352 | Win2K-f (60%); WinXP (40%) | 445 (99%) | 44445 (99%); 135 (59%); 500 (59%); 1026 (59%) | 1:2000032 (99%); 1:2466 (99%); 1:3000004 (99%); 1:5001684 (97%); 1:2001683 (96%); 555:5555005 (78%) | 68 (57%) | 44445 (98%) | sdbot (99%); spybot (97%); rbot (97%); mybot (92%); sdbo (90%) | MSMSGS.EXE (44%); random 9 character filename | index.dat (63%); resource32w.exe (61%); Abort (27%); random 17 character filename | 7fdfe3... (69%); None (20%) | ...CurrentVersion\RunServices (99%); ...Microsoft\OLE (98%); ...InternetSettings\5.0 (65%); ...InternetSettings\Connections (65%) | exec=resource32w.exe (99%); pass=a (98%); user=a (98%); server=WinFtpd 1.2 (95%) | - | *@celestial.org (100%) |
| JUL-AUGD | 302 | WinXP (100%) | 445 (100%) | 113 (93%); 3067 (92%) | 1:2000032 (99%); 1:2000033 (99%); 1:2466 (99%); 1:99913 (99%); 1:2001683 (99%); 555:5555005 (97%) | 445 (97%); 1031 (58%); 1032 (41%) | 1031 (47%); 1032 (35%) | korgo (99%); padobot (99%); ircbot (67%); sdbot (67%); lsabot (27%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (99%) | 7f6016... (66%); 042774... (6%) | ...Microsoft\Wireless (99%) | pass=1 (100%); server=StnyFtpd 0wns j0 (100%); user=1 (100%) | - | brussels.be.eu.undernet.o... (100%); caen.fr.eu.undernet.org (100%); flanders.be.eu.undernet.o... (100%); gaspode.zanet.org.za (100%); graz.at.eu.undernet.org (100%); lia.zanet.net (100%) |
| JUL-AUGH | 163 | Win2K-f (99%) | 445 (100%) | 135 (99%); 500 (99%); 1026 (99%); 44445 (98%); 1027 (45%); 1028 (44%) | 1:2000032 (100%); 1:2466 (100%); 1:3000004 (100%); 1:2000046 (99%); 1:99906 (99%); 1:5001684 (27%) | - | 44445 (98%) | biww (100%); ircbot (100%); mybot (100%); rbot (100%); robobot (100%); spybot (100%) | ftp.exe (95%) | - | None (98%) | - | user=a (97%); pass=a (96%); exec=resource32w.exe (94%); server=WinFtpd 1.2 (87%); destport=1028 (54%) | - | - |
| JUL-AUGF | 146 | WinXP (100%) | 445 (80%); 139 (19%) | 1032 (99%); 1033 (90%) | 1:1390 (91%); 1:99998 (91%); 1:2001944 (72%); 1:3000006 (72%); 1:3003 (72%) | 445 (72%) | - | sdbot (100%); rbot (67%) | MSMSGS.EXE (100%); ftp.exe (81%) | index.dat (100%); o (86%) | None (98%) | - | pass=1 (100%); user=1 (100%); destport=1033 (88%); server=StnyFtpd 0wns j0 (73%); exec=Windows (38%); destIP=10.2.32.214 (32%) | - | - |
| JUL-AUGG | 114 | WinXP (52%); Win2K-f (48%) | 445 (100%) | 135 (85%); 500 (85%); 1026 (85%) | 1:1390 (100%); 1:2001944 (100%); 1:99998 (100%); 1:3003 (99%); 1:3000006 (97%); 1:2001683 (94%) | 445 (97%); 68 (46%); 73 (44%) | - | sdbot (94%); rbot (90%); vipre (90%); spybot (71%); dnascan (69%); mybot (62%) | MSMSGS.EXE (69%); random 10 character filename | o (100%); index.dat (86%); windservc.exe (27%) | None (54%); d40063... (9%); c4709f... (8%); fc3e35... (7%) | ...CurrentVersion\RunServices (100%); ...CurrentVersion\Run (38%); ...InternetSettings\5.0 (38%) | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (95%) | - | - |
| JUL-AUGJ | 106 | WinXP (100%) | 445 (100%) | 80 (100%) | 1:2000032 (100%); 1:2000033 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%); 1:99913 (100%) | 1031 (71%); 1032 (29%) | 80 (94%) | berbew (100%); berkor (100%); doxpar (100%); padobot (100%); korgo (95%); padodor (71%) | MSMSGS.EXE (100%) | ndisrd.sys (100%); DCPROMO.LOG (98%); index.dat (98%); random 6/7/8 character filename | a12cab... (69%); df17a6... (21%) | ...CurrentVersion\InternetSettings (100%); ...InternetSettings\Zones (100%); ...Windows\CurrentVersion (100%); ...Zones\0 (100%); ...Zones\1 (100%); ...Zones\2 (100%) | - | - | 53bank.com (100%); acrolein-hawk.rubanking.h... (100%); alfabank.ru (100%); asmworm.com (100%); atmacasoft.com (100%); barclays.com (100%) |
| JUL-AUGI | 97 | Win2K-f (100%) | 445 (84%); 139 (16%) | 135 (100%); 500 (100%); 1026 (100%); 1027 (93%); 1028 (93%) | 1:1390 (100%); 1:99998 (100%); 1:2001944 (84%); 1:3000006 (84%); 1:3003 (80%) | 445 (84%) | - | - | ftp.exe (99%) | - | None (99%) | - | user=1 (100%); pass=1 (99%); destport=1028 (81%); server=StnyFtpd 0wns j0 (80%); destIP=10.2.32.201 (47%); exec=Windows (39%) | - | - |
| JUL-AUGK | 75 | WinXP (100%) | 445 (96%) | 44445 (90%); 1032 (82%); 1033 (82%) | 1:2000032 (91%); 1:2000033 (91%); 1:2466 (91%); 1:99913 (91%); 1:3000004 (89%) | - | 44445 (88%) | - | MSMSGS.EXE (100%); ftp.exe (79%) | index.dat (99%); o (80%) | None (99%) | - | user=a (87%); destport=1033 (85%); pass=a (85%); server=WinFtpd 1.2 (84%); exec=resource32w.exe (82%); destIP=10.2.32.214 (31%) | - | - |
| JUL-AUGQ | 50 | WinXP (64%); Win2K-f (36%) | 445 (88%); 135 (10%) | 135 (40%); 500 (40%); 1026 (40%); 44445 (25%) | 1:5001684 (78%); 1:2001683 (66%); 1:2000032 (52%); 1:2466 (52%); 555:5555005 (52%); 1:99913 (46%) | 445 (68%); 1032 (34%); 1028 (30%) | - | sdbot (59%); linkbot (48%); rbot (43%); poebot (37%); korgo (30%); lsabot (30%) | MSMSGS.EXE (68%); random 5/6/7/8/9 character filename | ftpupd.exe (50%); index.dat (43%); o (29%); random 8 character filename | 7d99b0... (16%); 2aa59b... (14%); 04af72... (6%); 0a0261... (6%); 7fdfe3... (6%); 97ac56... (6%) | ...Microsoft\Wireless (61%); ...CurrentVersion\RunServices (35%) | server=- (69%); pass=1 (59%); user=1 (44%); exec=resource32w.exe (38%); pass=a (38%); user=a (34%) | - | SOFTWARE\Classes\Applicat... (100%); paypal.com (100%); ..έ..Π..Z..\ΠΡΡΡΡ..ΠΡΡX... (43%) |
| JUL-AUGR | 47 | WinXP (60%); Win2K-f (40%) | 445 (57%); 135 (28%); 139 (11%) | 500 (42%); 1026 (42%) | 1:99913 (100%); 1:5001684 (82%); 1:3000003 (69%); 1:2001683 (60%); 1:2466 (60%); 1:2000032 (56%) | 1032 (56%); 445 (49%) | 1032 (53%) | korgo (58%); padobot (58%); lsabot (56%); sdbot (33%); ircbot (31%); spybot (31%) | MSMSGS.EXE (60%); ntvdm.exe (38%); random 5/6/7/8 character filename | ftpupd.exe (92%); random 5/6/8 character filename | 7d99b0... (23%); None (19%); 5ddac0... (13%); 259613... (9%) | ...Microsoft\Wireless (52%); ...InternetSettings\5.0 (43%); ...InternetSettings\Connections (43%); ...Microsoft\SecurityCenter (26%); ...Microsoft\WindowsFirewall (26%); ...Software\Symantec (26%) | - | UA=Mozilla/4.0 (compatibl... (100%); filename=/zmon.exe (100%); version=1.0 (100%); sourceIP=194.204.177.59 (29%) | .com (100%); .net (100%); .org (100%); .ru (100%); http://tn0828-web.hp.info... (100%); http://www.anonymitytest.... (100%) |
| JUL-AUGL | 41 | WinXP (95%) | 445 (71%); 1033 (17%); 1034 (12%) | 9996 (92%); 1032 (54%); 1033 (54%); 5554 (28%) | 1:2466 (98%); 1:99913 (93%); 1:2000047 (88%); 1:3000004 (78%); 555:5555005 (32%); 1:2001056 (29%) | 9996 (88%); 445 (32%) | 9996 (73%) | jobaka (85%) | MSMSGS.EXE (98%); ftp.exe (52%); random 7/8 character filename | index.dat (97%); cmd.ftp (58%); avserve2.exe (29%); random 8 character filename | None (63%); 1a2c0e... (20%); 831f4e... (7%) | ...Reliability\UserDefined (50%) | user=anonymous (95%); pass=bin (89%); server=OK (87%); destport=1033 (55%) | - | - |
| JUL-AUGM | 35 | WinXP (100%) | 445 (100%) | - | 1:2001683 (100%); 1:5001684 (100%); 1:2000032 (97%); 1:2000033 (97%); 1:2466 (97%); 1:99913 (97%) | 445 (86%); 1031 (66%); 1032 (31%) | 1031 (66%); 1032 (26%) | korgo (97%); parite (97%); pinfi (97%); lsabot (86%); padobot (83%); win32_parite_b (71%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (97%); random 4/5/6/7/8 character filename | 736531... (46%); 86d186... (11%); 199fd8... (6%); 2edcd6... (6%) | ...Microsoft\Wireless (97%) | - | - | - |
| JUL-AUGN | 19 | Win2K-f (100%) | 445 (100%) | 135 (100%); 500 (100%); 1026 (100%) | 1:1390 (100%); 1:2001944 (100%); 1:3000006 (100%); 1:3003 (100%); 1:99998 (100%) | 445 (100%) | - | - | - | - | None (100%) | - | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (62%); exec=windservc.exe (25%); server=NzmxFtpd 0wns j0 (25%) | - | - |
| JUL-AUGO | 17 | WinXP (100%) | 445 (100%) | - | 1:1390 (100%); 1:2001944 (100%); 1:3000006 (100%); 1:3003 (100%); 1:99998 (100%) | 445 (100%) | - | - | MSMSGS.EXE (100%) | index.dat (94%); o (82%) | None (94%) | - | - | - | - |
| JUL-AUGP | 15 | WinXP (100%) | 445 (100%) | 1031 (53%); 44445 (47%) | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:99913 (100%); 1:2001683 (53%); 1:5001684 (53%) | 1031 (53%) | 44445 (47%) | - | MSMSGS.EXE (100%) | index.dat (100%); ftpupd.exe (53%) | None (93%) | - | - | - | - |
| JUL-AUGU | 13 | WinXP (54%); Win2K-f (46%) | 445 (100%) | 113 (50%) | 1:2001683 (100%); 1:5001684 (100%); 1:2000032 (92%); 1:2466 (92%); 1:3000003 (77%); 555:5555005 (77%) | 445 (54%); 1028 (38%); 1032 (31%) | 44445 (38%); 1032 (31%) | bobax (83%); bobic (67%); vipre (58%); korgo (50%); lsabot (50%); padobot (50%) | MSMSGS.EXE (75%) | ftpupd.exe (100%) | 7c0547... (15%) | ...Microsoft\Wireless (75%) | exec=resource32w.exe (83%); pass=a (83%); server=- (83%); user=a (50%) | - | SOFTWARE\Classes\Applicat... (100%); paypal.com (100%) |
| JUL-AUGS | 12 | WinXP (92%) | 445 (100%) | 1031 (92%) | 1:2000032 (92%); 1:2000033 (92%); 1:2466 (92%); 1:3000003 (92%); 1:99913 (92%) | - | 1031 (92%) | - | MSMSGS.EXE (92%) | - | None (92%) | - | - | - | - |
| JUL-AUGT | 9 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2001569 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%) | 445 (100%); 1031 (100%) | 1031 (100%) | - | MSMSGS.EXE (100%) | ftpupd.exe (100%) | None (33%) | ...Microsoft\Wireless (100%) | - | - | - |
| JUL-AUGW | 6 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:3000003 (100%); 1:99913 (100%) | - | 1031 (100%) | - | MSMSGS.EXE (100%) | - | None (100%) | - | - | - | - |
| JUL-AUGV | 6 | WinXP (100%) | 445 (100%) | 1031 (100%) | 1:2000032 (100%); 1:2000033 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%); 1:3000003 (100%) | 1031 (100%) | 1031 (100%) | - | MSMSGS.EXE (100%) | - | None (83%) | - | - | - | - |