| Pattern | Number of samples | Target OS | Infection port | Listen ports | Snort IDs | Egg-download ports | Upload ports | Antivirus labels | Processes created | Executables modified | MD5 (packed) | Registry keys | FTP chatter | HTTP chatter | Domain names |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| JUL-AUGA | 834 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:3000000 (100%); 1:3000003 (100%); 1:99913 (100%) | 445 (98%); 1031 (63%); 1032 (37%) | 1031 (63%); 1032 (37%) | korgo (100%); padobot (100%); lsabot (99%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (100%); random 5/6/7/8 character filename | 7d99b0... (45%); 3ae357... (8%); a0139d... (8%); d42c1c... (7%); 986b59... (6%) | ...Microsoft\Wireless (100%) | - | - | - |
| JUL-AUGC | 543 | Win2K-f (100%) | 445 (72%); 139 (27%) | 135 (100%); 500 (100%); 1026 (100%); 1027 (100%); 445 (37%) | 1:3000003 (100%); 1:99913 (100%); 1:5001684 (87%); 1:2466 (73%); 1:2001683 (27%) | 1028 (91%) | 1028 (100%) | ircbot (100%); sdbot (100%); delbot (100%); rinbot (100%); nirbot (99%); hupigon (69%) | ntvdm.exe (100%) | - | a0a7e8... (39%); None (21%); a7c70c... (10%); 5777cb... (10%); cefc8f... (9%) | ...Microsoft\DownloadManager (100%); ...InternetSettings\5.0 (100%); ...InternetSettings\Connections (100%) | - | UA=Mozilla/4.0 (compatibl... (100%); filename=/zmon.exe (100%); version=1.0 (100%) | - |
| JUL-AUGB | 533 | WinXP (56%); Win2K-f (44%) | 445 (88%); 139 (10%) | 113 (75%); 135 (51%); 500 (51%); 1026 (51%) | 1:5001684 (100%); 1:1390 (100%); 1:99998 (100%); 1:2001683 (95%); 1:2001944 (89%); 1:3003 (88%) | 445 (88%); 73 (47%); 68 (44%) | - | vipre (84%); sdbot (67%); sheur (42%); rbot (38%); ircbot (37%); spybot (33%) | MSMSGS.EXE (56%); random 8/9/10 character filename | o (100%) | df2a3e... (9%); 817fcb... (8%) | ...CurrentVersion\RunServices (100%); ...InternetSettings\5.0 (44%); ...Microsoft\OLE (34%); ...CurrentVersion\Run (29%) | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (66%); exec=windservc.exe (30%) | - | *@admin.com (96%); PAYPAL.COM (69%); de.yahoo.com (69%); nitro.ucsc.edu (69%); paypal.com (69%); reconnect.in (69%) |
| JUL-AUGE | 324 | Win2K-f (59%); WinXP (41%) | 445 (99%) | 44445 (99%); 135 (59%); 500 (59%); 1026 (59%) | 1:2000032 (99%); 1:2466 (99%); 1:3000004 (99%); 1:5001684 (98%); 1:2001683 (96%); 555:5555005 (77%) | 68 (57%) | 44445 (98%) | sdbot (99%); spybot (98%); rbot (97%); mybot (92%); sdbo (90%) | MSMSGS.EXE (44%); random 9 character filename | index.dat (62%); resource32w.exe (59%); Abort (29%); random 17 character filename | 7fdfe3... (69%); None (20%) | ...CurrentVersion\RunServices (100%); ...Microsoft\OLE (98%); ...InternetSettings\5.0 (65%); ...InternetSettings\Connections (65%) | exec=resource32w.exe (99%); pass=a (98%); user=a (98%); server=WinFtpd 1.2 (95%) | - | *@celestial.org (100%) |
| JUL-AUGD | 276 | WinXP (100%) | 445 (100%) | 113 (93%); 3067 (92%) | 1:2000032 (99%); 1:2000033 (99%); 1:2466 (99%); 1:99913 (99%); 1:2001683 (99%); 555:5555005 (97%) | 445 (97%); 1031 (64%); 1032 (36%) | 1031 (51%); 1032 (30%) | korgo (99%); padobot (99%); ircbot (65%); sdbot (65%); lsabot (27%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (99%) | 7f6016... (65%); 042774... (6%); 32a0d7... (5%) | ...Microsoft\Wireless (99%) | pass=1 (100%); server=StnyFtpd 0wns j0 (100%); user=1 (100%) | - | brussels.be.eu.undernet.o... (100%); caen.fr.eu.undernet.org (100%); flanders.be.eu.undernet.o... (100%); gaspode.zanet.org.za (100%); graz.at.eu.undernet.org (100%); lia.zanet.net (100%) |
| JUL-AUGH | 145 | Win2K-f (99%) | 445 (100%) | 135 (99%); 500 (99%); 1026 (99%); 44445 (98%); 1027 (50%); 1028 (50%) | 1:2000032 (100%); 1:2466 (100%); 1:3000004 (100%); 1:2000046 (99%); 1:99906 (99%) | - | 44445 (97%) | biww (100%); ircbot (100%); mybot (100%); rbot (100%); robobot (100%); spybot (100%) | ftp.exe (95%) | - | None (98%) | - | user=a (97%); pass=a (96%); exec=resource32w.exe (95%); server=WinFtpd 1.2 (88%); destport=1028 (60%) | - | - |
| JUL-AUGF | 140 | WinXP (100%) | 445 (79%); 139 (20%) | 1032 (99%); 1033 (93%) | 1:1390 (94%); 1:99998 (94%); 1:2001944 (74%); 1:3000006 (74%); 1:3003 (74%) | 445 (74%) | - | sdbot (100%); rbot (67%) | MSMSGS.EXE (100%); ftp.exe (84%) | index.dat (100%); o (86%) | None (98%) | - | pass=1 (100%); user=1 (100%); destport=1033 (88%); server=StnyFtpd 0wns j0 (73%); exec=Windows (38%); destIP=10.2.32.214 (32%) | - | - |
| JUL-AUGG | 113 | WinXP (51%); Win2K-f (49%) | 445 (100%) | 135 (86%); 500 (86%); 1026 (86%) | 1:1390 (100%); 1:2001944 (100%); 1:99998 (100%); 1:3003 (99%); 1:3000006 (97%); 1:2001683 (94%) | 445 (97%); 68 (47%); 73 (44%) | - | sdbot (94%); rbot (90%); vipre (90%); spybot (71%); dnascan (69%); mybot (62%) | MSMSGS.EXE (68%); random 10 character filename | o (100%); index.dat (88%); windservc.exe (28%) | None (54%); d40063... (9%); c4709f... (8%); fc3e35... (7%) | ...CurrentVersion\RunServices (100%); ...CurrentVersion\Run (42%); ...InternetSettings\5.0 (42%) | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (95%) | - | - |
| JUL-AUGJ | 101 | WinXP (100%) | 445 (100%) | 80 (100%) | 1:2000032 (100%); 1:2000033 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%); 1:99913 (100%) | 1031 (74%); 1032 (26%) | 80 (94%) | berbew (100%); berkor (100%); doxpar (100%); padobot (100%); korgo (95%); padodor (70%) | MSMSGS.EXE (100%) | ndisrd.sys (100%); DCPROMO.LOG (98%); index.dat (98%); random 6/7/8 character filename | a12cab... (68%); df17a6... (21%) | ...CurrentVersion\InternetSettings (100%); ...InternetSettings\Zones (100%); ...Windows\CurrentVersion (100%); ...Zones\0 (100%); ...Zones\1 (100%); ...Zones\2 (100%) | - | - | 53bank.com (100%); acrolein-hawk.rubanking.h... (100%); alfabank.ru (100%); asmworm.com (100%); atmacasoft.com (100%); barclays.com (100%) |
| JUL-AUGI | 96 | Win2K-f (100%) | 445 (84%); 139 (16%) | 135 (100%); 500 (100%); 1026 (100%); 1027 (94%); 1028 (94%) | 1:1390 (100%); 1:99998 (100%); 1:2001944 (84%); 1:3000006 (84%); 1:3003 (81%) | 445 (84%) | - | - | ftp.exe (100%) | - | None (100%) | - | user=1 (100%); pass=1 (99%); destport=1028 (82%); server=StnyFtpd 0wns j0 (80%); destIP=10.2.32.201 (48%); exec=Windows (39%) | - | - |
| JUL-AUGK | 73 | WinXP (100%) | 445 (96%) | 44445 (90%); 1032 (83%); 1033 (83%) | 1:2000032 (92%); 1:2000033 (92%); 1:2466 (92%); 1:99913 (92%); 1:3000004 (90%) | - | 44445 (89%) | - | MSMSGS.EXE (100%); ftp.exe (81%) | index.dat (99%); o (81%) | None (99%) | - | user=a (88%); destport=1033 (86%); pass=a (86%); server=WinFtpd 1.2 (85%); exec=resource32w.exe (83%); destIP=10.2.32.214 (32%) | - | - |
| JUL-AUGR | 40 | WinXP (52%); Win2K-f (48%) | 445 (50%); 135 (32%); 139 (12%) | 500 (49%); 1026 (49%) | 1:99913 (100%); 1:5001684 (79%); 1:3000003 (63%); 1:2001683 (53%); 1:2466 (53%); 1:2000032 (47%) | 1032 (47%); 445 (42%); 1027 (29%) | 1032 (45%) | korgo (52%); padobot (52%); lsabot (48%); sdbot (35%); spybot (35%); ircbot (32%) | MSMSGS.EXE (52%); ntvdm.exe (45%); random 5/6/7/8 character filename | ftpupd.exe (89%); random 5/6/8 character filename | 7d99b0... (22%); None (22%); 5ddac0... (15%); 259613... (10%); d6df39... (5%) | ...InternetSettings\5.0 (50%); ...InternetSettings\Connections (50%); ...Microsoft\Wireless (44%); ...Microsoft\SecurityCenter (31%); ...Microsoft\WindowsFirewall (31%); ...Software\Symantec (31%) | - | UA=Mozilla/4.0 (compatibl... (100%); filename=/zmon.exe (100%); version=1.0 (100%); sourceIP=194.204.177.59 (29%) | .com (100%); .net (100%); .org (100%); .ru (100%); http://tn0828-web.hp.info... (100%); http://www.anonymitytest.... (100%) |
| JUL-AUGQ | 37 | WinXP (57%); Win2K-f (43%) | 445 (92%) | 135 (52%); 500 (52%); 1026 (52%); 44445 (31%); 69 (28%) | 1:5001684 (76%); 1:2001683 (62%); 1:2000032 (49%); 1:2466 (49%); 555:5555005 (49%); 1:1390 (46%) | 445 (70%); 1028 (35%) | 44445 (27%) | sdbot (67%); linkbot (56%); rbot (47%); poebot (42%); ircbot (36%); possiblethreat (31%) | MSMSGS.EXE (60%); random 6/8/9 character filename | index.dat (50%); ftpupd.exe (40%); o (40%) | 2aa59b... (14%); 7d99b0... (14%); 04af72... (8%); 0a0261... (8%); 97ac56... (8%); 6f4858... (5%) | ...Microsoft\Wireless (62%); ...CurrentVersion\RunServices (38%) | server=- (78%); pass=1 (63%); user=1 (44%); exec=resource32w.exe (37%); pass=a (37%); user=a (33%) | - | SOFTWARE\Classes\Applicat... (100%); paypal.com (100%); ..έ..Π..Z..\ΠΡΡΡΡ..ΠΡΡX... (43%) |
| JUL-AUGL | 37 | WinXP (100%) | 445 (70%); 1033 (19%); 1034 (11%) | 9996 (97%); 1032 (60%); 1033 (60%); 5554 (29%); 445 (26%) | 1:2466 (97%); 1:99913 (97%); 1:2000047 (92%); 1:3000004 (76%); 1:2001056 (30%); 1:2001569 (30%) | 9996 (92%); 445 (32%) | 9996 (76%) | jobaka (83%) | MSMSGS.EXE (100%); ftp.exe (57%); random 7/8 character filename | index.dat (97%); cmd.ftp (61%); avserve2.exe (28%); random 8 character filename | None (65%); 1a2c0e... (19%); 831f4e... (8%) | - | user=anonymous (97%); pass=bin (94%); server=OK (91%); destport=1033 (60%) | - | - |
| JUL-AUGM | 33 | WinXP (100%) | 445 (100%) | - | 1:2001683 (100%); 1:5001684 (100%); 1:2000032 (97%); 1:2000033 (97%); 1:2466 (97%); 1:99913 (97%) | 445 (85%); 1031 (70%); 1032 (27%) | 1031 (70%) | korgo (97%); parite (97%); pinfi (97%); lsabot (85%); padobot (82%); win32_parite_b (70%) | MSMSGS.EXE (100%); random 5/6/7/8 character filename | ftpupd.exe (97%); random 4/5/6/7/8 character filename | 736531... (45%); 86d186... (12%); 199fd8... (6%); 2edcd6... (6%) | ...Microsoft\Wireless (97%) | - | - | - |
| JUL-AUGN | 19 | Win2K-f (100%) | 445 (100%) | 135 (100%); 500 (100%); 1026 (100%) | 1:1390 (100%); 1:2001944 (100%); 1:3000006 (100%); 1:3003 (100%); 1:99998 (100%) | 445 (100%) | - | - | - | - | None (100%) | - | pass=1 (100%); user=1 (100%); server=StnyFtpd 0wns j0 (62%); exec=windservc.exe (25%); server=NzmxFtpd 0wns j0 (25%) | - | - |
| JUL-AUGO | 17 | WinXP (100%) | 445 (100%) | - | 1:1390 (100%); 1:2001944 (100%); 1:3000006 (100%); 1:3003 (100%); 1:99998 (100%) | 445 (100%) | - | - | MSMSGS.EXE (100%) | index.dat (94%); o (82%) | None (94%) | - | - | - | - |
| JUL-AUGP | 15 | WinXP (100%) | 445 (100%) | 1031 (53%); 44445 (47%) | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:99913 (100%); 1:2001683 (53%); 1:5001684 (53%) | 1031 (53%) | 44445 (47%) | - | MSMSGS.EXE (100%) | index.dat (100%); ftpupd.exe (53%) | None (93%) | - | - | - | - |
| JUL-AUGS | 12 | WinXP (92%) | 445 (100%) | 1031 (92%) | 1:2000032 (92%); 1:2000033 (92%); 1:2466 (92%); 1:3000003 (92%); 1:99913 (92%) | - | 1031 (92%) | - | MSMSGS.EXE (92%) | - | None (92%) | - | - | - | - |
| JUL-AUGU | 11 | WinXP (55%); Win2K-f (45%) | 445 (100%) | - | 1:2000032 (100%); 1:2001683 (100%); 1:2466 (100%); 1:5001684 (100%); 1:3000003 (82%); 555:5555005 (82%) | 445 (45%); 1028 (45%); 80 (27%); 1031 (27%); 1032 (27%) | 44445 (45%); 80 (27%); 1031 (27%); 1032 (27%) | bobax (100%); bobic (80%); vipre (60%); korgo (50%); lsabot (50%); padobot (50%) | MSMSGS.EXE (100%) | ftpupd.exe (100%) | 7c0547... (18%) | ...Microsoft\Wireless (100%) | exec=resource32w.exe (100%); pass=a (100%); server=- (100%); user=a (60%) | - | SOFTWARE\Classes\Applicat... (100%); paypal.com (100%) |
| JUL-AUGT | 9 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2001569 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%) | 445 (100%); 1031 (100%) | 1031 (100%) | - | MSMSGS.EXE (100%) | ftpupd.exe (100%) | None (33%) | ...Microsoft\Wireless (100%) | - | - | - |
| JUL-AUGW | 6 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%); 1:2000033 (100%); 1:2466 (100%); 1:3000003 (100%); 1:99913 (100%) | - | 1031 (100%) | - | MSMSGS.EXE (100%) | - | None (100%) | - | - | - | - |
| JUL-AUGV | 6 | WinXP (100%) | 445 (100%) | 1031 (100%) | 1:2000032 (100%); 1:2000033 (100%); 1:2001683 (100%); 1:2466 (100%); 1:3000000 (100%); 1:3000003 (100%) | 1031 (100%) | 1031 (100%) | - | MSMSGS.EXE (100%) | - | None (83%) | - | - | - | - |