Pattern JUL-AUGR

40 samples (WinXP 52%, Win2K-f 48%)

Ports

Infection
445 (50%)
135 (32%)
139 (12%)

Listen
500 (49%)
1026 (49%)
1032 (47%)

Egg-download
445 (42%)
1027 (29%)

Upload
1032 (45%)
Filenames

Processes
MSMSGS.EXE (52%)
ntvdm.exe (45%)
random 5/6/7/8 character filename

Executables
ftpupd.exe (89%)
random 5/6/8 character filename
Registry keys
...InternetSettings\5.0 (50%)
...InternetSettings\Connections (50%)
...Microsoft\Wireless (44%)
...Microsoft\SecurityCenter (31%)
...Microsoft\WindowsFirewall (31%)
...Software\Symantec (31%)

Snort IDs
1:99913 (100%)
1:5001684 (79%)
1:3000003 (63%)
1:2001683 (53%)
1:2466 (53%)
1:2000032 (47%)

Network chatter
HTTP
UA=Mozilla/4.0 (compatibl... (100%)
filename=/zmon.exe (100%)
version=1.0 (100%)
sourceIP=194.204.177.59 (29%)

Static analysis

MD5
7d99b0... (22%)
None (22%)
5ddac0... (15%)
259613... (10%)
d6df39... (5%)

Antivirus labels
korgo (52%)
padobot (52%)
lsabot (48%)
sdbot (35%)
spybot (35%)
ircbot (32%)

Domain
.com (100%)
.net (100%)
.org (100%)
.ru (100%)
http://tn0828-web.hp.info... (100%)
http://www.anonymitytest.... (100%)
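The indicator columns above, turned into a matcher that runs over constructed sample artefacts. This is an added example, not code from the original page or from the sandbox that produced the summary. The request-log format, the host snapshot and the weak/strong weighting of indicators are assumptions made here; values the page truncates (the registry-key prefixes, the User-Agent, the MD5s) are matched as suffix or prefix only and never filled in, and the cut-off MD5s are left out entirely. It goes slightly beyond the table by tagging the generic indicators (the IE-style User-Agent prefix, the random 5-8 character names, the egg-download port) as weak so that they corroborate a hit but never raise an alert on their own.

```python
"""Indicator matcher built from the JUL-AUGR cluster summary above.
Added example, not the page's or any sandbox project's code. Indicator
values come from the summary; the log format, the host snapshot and the
weak/strong weighting are assumptions made here for illustration."""
import re

# Indicators copied from the summary. Truncated values are matched as
# prefix or suffix only; nothing is filled in.
EGG_DOWNLOAD_PORTS = {445, 1027}           # Egg-download column
PROCESS_NAMES = {"msmsgs.exe", "ntvdm.exe"}
DROPPED_EXECUTABLES = {"ftpupd.exe"}
REGISTRY_SUFFIXES = (                      # page shows "...InternetSettings\5.0"
    r"InternetSettings\5.0", r"InternetSettings\Connections",
    r"Microsoft\Wireless", r"Microsoft\SecurityCenter",
    r"Microsoft\WindowsFirewall", r"Software\Symantec",
)
HTTP_UA_PREFIX = "Mozilla/4.0 (compatibl"  # "UA=Mozilla/4.0 (compatibl..."
HTTP_EGG_PATH = "/zmon.exe"                # "filename=/zmon.exe"
HTTP_PEER_IP = "194.204.177.59"            # "sourceIP=194.204.177.59"

# Assumption: "random 5/6/7/8 character filename" modelled as a lowercase
# alphabetic basename of that length. Many legitimate binaries look like
# this, so it is tagged weak and never alerts on its own.
RANDOM_EXE = re.compile(r"^[a-z]{5,8}\.exe$")
WEAK = " (weak)"

# Assumed request-log format (constructed for this example), one per line:
#   <src_ip> <dst_ip>:<dst_port> "<METHOD> <path> HTTP/1.x" "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<dst>\S+):(?P<dport>\d+) '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" "(?P<ua>[^"]*)"$')


def _norm_key(key: str) -> str:
    """Ignore case, spaces and slash style, so the summary's compressed
    spelling matches however a report writes the key."""
    return re.sub(r"\s+", "", key).replace("/", "\\").lower()


def check_http_line(line: str) -> list[str]:
    """Reasons one request line matches the cluster's HTTP chatter.
    The egg filename or the summary's IP is the real signal; the UA prefix
    and the port only corroborate, since alone they match ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["path"].lower().endswith(HTTP_EGG_PATH):
        reasons.append("egg fetch " + HTTP_EGG_PATH)
    if HTTP_PEER_IP in (m["src"], m["dst"]):
        reasons.append("peer " + HTTP_PEER_IP)
    if reasons and m["ua"].startswith(HTTP_UA_PREFIX):
        reasons.append("UA prefix matches cluster" + WEAK)
    if reasons and int(m["dport"]) in EGG_DOWNLOAD_PORTS:
        reasons.append("egg-download port " + m["dport"] + WEAK)
    return reasons


def check_host(processes, files, registry_keys) -> list[str]:
    """Match a host snapshot against the Filenames and Registry keys
    columns. Random names are weak; the named process, the dropped
    executable and the registry keys are strong."""
    reasons = []
    for name in (p.lower() for p in processes):
        if name in PROCESS_NAMES:
            reasons.append("process " + name)
        elif RANDOM_EXE.match(name):
            reasons.append("random-name process " + name + WEAK)
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_EXECUTABLES:
            reasons.append("dropped " + name)
        elif RANDOM_EXE.match(name):
            reasons.append("random-name file " + name + WEAK)
    for key in registry_keys:
        for suffix in REGISTRY_SUFFIXES:
            if _norm_key(key).endswith(_norm_key(suffix)):
                reasons.append("registry ..." + suffix)
    return reasons


def is_alert(reasons) -> bool:
    """Alert only when at least one non-weak indicator matched."""
    return any(not r.endswith(WEAK) for r in reasons)


# Constructed sample data, not taken from the page.
SAMPLE_HTTP_LOG = [
    '10.0.0.7 194.204.177.59:80 "GET /zmon.exe HTTP/1.0" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 203.0.113.5:80 "GET /index.html HTTP/1.1" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 198.51.100.2:1027 "GET /files/zmon.exe HTTP/1.0" "Wget/1.9"',
]
SAMPLE_HOST = {
    "processes": ["explorer.exe", "MSMSGS.EXE", "ntvdm.exe"],
    "files": [r"C:\WINDOWS\system32\ftpupd.exe", r"C:\WINDOWS\system32\qwertz.exe"],
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft\Security Center",
                      r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"],
}

if __name__ == "__main__":
    for line in SAMPLE_HTTP_LOG:
        hits = check_http_line(line)
        print("ALERT" if is_alert(hits) else "ok   ", hits)
    hits = check_host(**SAMPLE_HOST)
    print("ALERT" if is_alert(hits) else "ok   ", hits)
```

Running it shows the point of the weighting: the second sample line carries the same IE-style User-Agent as the first but requests an ordinary page, so it produces no reasons at all, while a plain request for /zmon.exe alerts even with an unrelated User-Agent. On the host side, explorer.exe matches the random-name pattern and is reported as weak, which is why that pattern alone never triggers an alert; the Infection and Upload port columns are deliberately not used, since inbound 445/135/139 and outbound 1032 look like normal Windows traffic without one of the other signals.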