Behavioral Pattern Analysis: 3445 samples, 23 behavioral profiles

Columns: Pattern, Number of samples, Target OS, Infection port, Listen ports, Snort IDs, Egg-download ports, Upload ports, Antivirus labels, Processes created, Executables modified, MD5 (packed), Registry keys, FTP chatter, HTTP chatter, Domain names. Each entry carries the percentage of the pattern's samples in which it was observed; "-" marks an empty cell, and a trailing ", ..." marks a cell that is truncated on the page (the original links to a full list).

Pattern JUL-AUG A (834 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:3000000 (100%), 1:3000003 (100%), 1:99913 (100%), ...
  Egg-download ports:   445 (98%), 1031 (63%), 1032 (37%)
  Upload ports:         1031 (63%), 1032 (37%)
  Antivirus labels:     korgo (100%), padobot (100%), lsabot (99%)
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (100%), random 5/6/7/8-character filename
  MD5 (packed):         7d99b0... (45%), 3ae357... (8%), a0139d... (8%), d42c1c... (7%), 986b59... (6%), ...
  Registry keys:        ...Microsoft\Wireless (100%), ...
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG C (543 samples)
  Target OS:            Win2K-f (100%)
  Infection port:       445 (72%), 139 (27%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%), 1027 (100%), 445 (37%)
  Snort IDs:            1:3000003 (100%), 1:99913 (100%), 1:5001684 (87%), 1:2466 (73%), 1:2001683 (27%)
  Egg-download ports:   1028 (91%)
  Upload ports:         1028 (100%)
  Antivirus labels:     ircbot (100%), sdbot (100%), delbot (100%), rinbot (100%), nirbot (99%), hupigon (69%), ...
  Processes created:    ntvdm.exe (100%)
  Executables modified: -
  MD5 (packed):         a0a7e8... (39%), None (21%), a7c70c... (10%), 5777cb... (10%), cefc8f... (9%), ...
  Registry keys:        ...Microsoft\DownloadManager (100%), ...InternetSettings\5.0 (100%), ...InternetSettings\Connections (100%), ...
  FTP chatter:          -
  HTTP chatter:         UA=Mozilla/4.0 (compatibl... (100%), filename=/zmon.exe (100%), version=1.0 (100%), ...
  Domain names:         -

Pattern JUL-AUG B (533 samples)
  Target OS:            WinXP (56%), Win2K-f (44%)
  Infection port:       445 (88%), 139 (10%)
  Listen ports:         113 (75%), 135 (51%), 500 (51%), 1026 (51%)
  Snort IDs:            1:5001684 (100%), 1:1390 (100%), 1:99998 (100%), 1:2001683 (95%), 1:2001944 (89%), 1:3003 (88%), ...
  Egg-download ports:   445 (88%), 73 (47%), 68 (44%)
  Upload ports:         -
  Antivirus labels:     vipre (84%), sdbot (67%), sheur (42%), rbot (38%), ircbot (37%), spybot (33%), ...
  Processes created:    MSMSGS.EXE (56%), random 8/9/10-character filename
  Executables modified: o (100%)
  MD5 (packed):         df2a3e... (9%), 817fcb... (8%), ...
  Registry keys:        ...CurrentVersion\RunServices (100%), ...InternetSettings\5.0 (44%), ...Microsoft\OLE (34%), ...CurrentVersion\Run (29%), ...
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (66%), exec=windservc.exe (30%)
  HTTP chatter:         -
  Domain names:         *@admin.com (96%), PAYPAL.COM (69%), de.yahoo.com (69%), nitro.ucsc.edu (69%), paypal.com (69%), reconnect.in (69%), ...

Pattern JUL-AUG E (324 samples)
  Target OS:            Win2K-f (59%), WinXP (41%)
  Infection port:       445 (99%)
  Listen ports:         44445 (99%), 135 (59%), 500 (59%), 1026 (59%)
  Snort IDs:            1:2000032 (99%), 1:2466 (99%), 1:3000004 (99%), 1:5001684 (98%), 1:2001683 (96%), 555:5555005 (77%), ...
  Egg-download ports:   68 (57%)
  Upload ports:         44445 (98%)
  Antivirus labels:     sdbot (99%), spybot (98%), rbot (97%), mybot (92%), sdbo (90%)
  Processes created:    MSMSGS.EXE (44%), random 9-character filename
  Executables modified: index.dat (62%), resource32w.exe (59%), Abort (29%), random 17-character filename
  MD5 (packed):         7fdfe3... (69%), None (20%), ...
  Registry keys:        ...CurrentVersion\RunServices (100%), ...Microsoft\OLE (98%), ...InternetSettings\5.0 (65%), ...InternetSettings\Connections (65%), ...
  FTP chatter:          exec=resource32w.exe (99%), pass=a (98%), user=a (98%), server=WinFtpd 1.2 (95%)
  HTTP chatter:         -
  Domain names:         *@celestial.org (100%)

Pattern JUL-AUG D (276 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         113 (93%), 3067 (92%)
  Snort IDs:            1:2000032 (99%), 1:2000033 (99%), 1:2466 (99%), 1:99913 (99%), 1:2001683 (99%), 555:5555005 (97%), ...
  Egg-download ports:   445 (97%), 1031 (64%), 1032 (36%)
  Upload ports:         1031 (51%), 1032 (30%)
  Antivirus labels:     korgo (99%), padobot (99%), ircbot (65%), sdbot (65%), lsabot (27%)
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (99%)
  MD5 (packed):         7f6016... (65%), 042774... (6%), 32a0d7... (5%), ...
  Registry keys:        ...Microsoft\Wireless (99%), ...
  FTP chatter:          pass=1 (100%), server=StnyFtpd 0wns j0 (100%), user=1 (100%)
  HTTP chatter:         -
  Domain names:         brussels.be.eu.undernet.o... (100%), caen.fr.eu.undernet.org (100%), flanders.be.eu.undernet.o... (100%), gaspode.zanet.org.za (100%), graz.at.eu.undernet.org (100%), lia.zanet.net (100%), ...

Pattern JUL-AUG H (145 samples)
  Target OS:            Win2K-f (99%)
  Infection port:       445 (100%)
  Listen ports:         135 (99%), 500 (99%), 1026 (99%), 44445 (98%), 1027 (50%), 1028 (50%)
  Snort IDs:            1:2000032 (100%), 1:2466 (100%), 1:3000004 (100%), 1:2000046 (99%), 1:99906 (99%)
  Egg-download ports:   -
  Upload ports:         44445 (97%)
  Antivirus labels:     biww (100%), ircbot (100%), mybot (100%), rbot (100%), robobot (100%), spybot (100%), ...
  Processes created:    ftp.exe (95%)
  Executables modified: -
  MD5 (packed):         None (98%)
  Registry keys:        -
  FTP chatter:          user=a (97%), pass=a (96%), exec=resource32w.exe (95%), server=WinFtpd 1.2 (88%), destport=1028 (60%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG F (140 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (79%), 139 (20%)
  Listen ports:         1032 (99%), 1033 (93%)
  Snort IDs:            1:1390 (94%), 1:99998 (94%), 1:2001944 (74%), 1:3000006 (74%), 1:3003 (74%)
  Egg-download ports:   445 (74%)
  Upload ports:         -
  Antivirus labels:     sdbot (100%), rbot (67%)
  Processes created:    MSMSGS.EXE (100%), ftp.exe (84%)
  Executables modified: index.dat (100%), o (86%)
  MD5 (packed):         None (98%)
  Registry keys:        -
  FTP chatter:          pass=1 (100%), user=1 (100%), destport=1033 (88%), server=StnyFtpd 0wns j0 (73%), exec=Windows (38%), destIP=10.2.32.214 (32%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG G (113 samples)
  Target OS:            WinXP (51%), Win2K-f (49%)
  Infection port:       445 (100%)
  Listen ports:         135 (86%), 500 (86%), 1026 (86%)
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:99998 (100%), 1:3003 (99%), 1:3000006 (97%), 1:2001683 (94%), ...
  Egg-download ports:   445 (97%), 68 (47%), 73 (44%)
  Upload ports:         -
  Antivirus labels:     sdbot (94%), rbot (90%), vipre (90%), spybot (71%), dnascan (69%), mybot (62%), ...
  Processes created:    MSMSGS.EXE (68%), random 10-character filename
  Executables modified: o (100%), index.dat (88%), windservc.exe (28%)
  MD5 (packed):         None (54%), d40063... (9%), c4709f... (8%), fc3e35... (7%), ...
  Registry keys:        ...CurrentVersion\RunServices (100%), ...CurrentVersion\Run (42%), ...InternetSettings\5.0 (42%), ...
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (95%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG J (101 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         80 (100%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), 1:99913 (100%), ...
  Egg-download ports:   1031 (74%), 1032 (26%)
  Upload ports:         80 (94%)
  Antivirus labels:     berbew (100%), berkor (100%), doxpar (100%), padobot (100%), korgo (95%), padodor (70%), ...
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: ndisrd.sys (100%), DCPROMO.LOG (98%), index.dat (98%), random 6/7/8-character filename
  MD5 (packed):         a12cab... (68%), df17a6... (21%), ...
  Registry keys:        ...CurrentVersion\InternetSettings (100%), ...InternetSettings\Zones (100%), ...Windows\CurrentVersion (100%), ...Zones\0 (100%), ...Zones\1 (100%), ...Zones\2 (100%), ...
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         53bank.com (100%), acrolein-hawk.rubanking.h... (100%), alfabank.ru (100%), asmworm.com (100%), atmacasoft.com (100%), barclays.com (100%), ...

Pattern JUL-AUG I (96 samples)
  Target OS:            Win2K-f (100%)
  Infection port:       445 (84%), 139 (16%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%), 1027 (94%), 1028 (94%)
  Snort IDs:            1:1390 (100%), 1:99998 (100%), 1:2001944 (84%), 1:3000006 (84%), 1:3003 (81%)
  Egg-download ports:   445 (84%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    ftp.exe (100%)
  Executables modified: -
  MD5 (packed):         None (100%)
  Registry keys:        -
  FTP chatter:          user=1 (100%), pass=1 (99%), destport=1028 (82%), server=StnyFtpd 0wns j0 (80%), destIP=10.2.32.201 (48%), exec=Windows (39%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG K (73 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (96%)
  Listen ports:         44445 (90%), 1032 (83%), 1033 (83%)
  Snort IDs:            1:2000032 (92%), 1:2000033 (92%), 1:2466 (92%), 1:99913 (92%), 1:3000004 (90%)
  Egg-download ports:   -
  Upload ports:         44445 (89%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%), ftp.exe (81%)
  Executables modified: index.dat (99%), o (81%)
  MD5 (packed):         None (99%)
  Registry keys:        -
  FTP chatter:          user=a (88%), destport=1033 (86%), pass=a (86%), server=WinFtpd 1.2 (85%), exec=resource32w.exe (83%), destIP=10.2.32.214 (32%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG R (40 samples)
  Target OS:            WinXP (52%), Win2K-f (48%)
  Infection port:       445 (50%), 135 (32%), 139 (12%)
  Listen ports:         500 (49%), 1026 (49%)
  Snort IDs:            1:99913 (100%), 1:5001684 (79%), 1:3000003 (63%), 1:2001683 (53%), 1:2466 (53%), 1:2000032 (47%), ...
  Egg-download ports:   1032 (47%), 445 (42%), 1027 (29%)
  Upload ports:         1032 (45%)
  Antivirus labels:     korgo (52%), padobot (52%), lsabot (48%), sdbot (35%), spybot (35%), ircbot (32%), ...
  Processes created:    MSMSGS.EXE (52%), ntvdm.exe (45%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (89%), random 5/6/8-character filename
  MD5 (packed):         7d99b0... (22%), None (22%), 5ddac0... (15%), 259613... (10%), d6df39... (5%), ...
  Registry keys:        ...InternetSettings\5.0 (50%), ...InternetSettings\Connections (50%), ...Microsoft\Wireless (44%), ...Microsoft\SecurityCenter (31%), ...Microsoft\WindowsFirewall (31%), ...Software\Symantec (31%), ...
  FTP chatter:          -
  HTTP chatter:         UA=Mozilla/4.0 (compatibl... (100%), filename=/zmon.exe (100%), version=1.0 (100%), sourceIP=194.204.177.59 (29%), ...
  Domain names:         .com (100%), .net (100%), .org (100%), .ru (100%), http://tn0828-web.hp.info... (100%), http://www.anonymitytest.... (100%), ...

Pattern JUL-AUG Q (37 samples)
  Target OS:            WinXP (57%), Win2K-f (43%)
  Infection port:       445 (92%)
  Listen ports:         135 (52%), 500 (52%), 1026 (52%), 44445 (31%), 69 (28%)
  Snort IDs:            1:5001684 (76%), 1:2001683 (62%), 1:2000032 (49%), 1:2466 (49%), 555:5555005 (49%), 1:1390 (46%), ...
  Egg-download ports:   445 (70%), 1028 (35%)
  Upload ports:         44445 (27%)
  Antivirus labels:     sdbot (67%), linkbot (56%), rbot (47%), poebot (42%), ircbot (36%), possiblethreat (31%), ...
  Processes created:    MSMSGS.EXE (60%), random 6/8/9-character filename
  Executables modified: index.dat (50%), ftpupd.exe (40%), o (40%)
  MD5 (packed):         2aa59b... (14%), 7d99b0... (14%), 04af72... (8%), 0a0261... (8%), 97ac56... (8%), 6f4858... (5%), ...
  Registry keys:        ...Microsoft\Wireless (62%), ...CurrentVersion\RunServices (38%), ...
  FTP chatter:          server=- (78%), pass=1 (63%), user=1 (44%), exec=resource32w.exe (37%), pass=a (37%), user=a (33%)
  HTTP chatter:         -
  Domain names:         SOFTWARE\Classes\Applicat... (100%), paypal.com (100%), ..έ..Π..Z..\ΠΡΡΡΡ..ΠΡΡX... (43%), ...

Pattern JUL-AUG L (37 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (70%), 1033 (19%), 1034 (11%)
  Listen ports:         9996 (97%), 1032 (60%), 1033 (60%), 5554 (29%), 445 (26%)
  Snort IDs:            1:2466 (97%), 1:99913 (97%), 1:2000047 (92%), 1:3000004 (76%), 1:2001056 (30%), 1:2001569 (30%), ...
  Egg-download ports:   9996 (92%), 445 (32%)
  Upload ports:         9996 (76%)
  Antivirus labels:     jobaka (83%)
  Processes created:    MSMSGS.EXE (100%), ftp.exe (57%), random 7/8-character filename
  Executables modified: index.dat (97%), cmd.ftp (61%), avserve2.exe (28%), random 8-character filename
  MD5 (packed):         None (65%), 1a2c0e... (19%), 831f4e... (8%), ...
  Registry keys:        -
  FTP chatter:          user=anonymous (97%), pass=bin (94%), server=OK (91%), destport=1033 (60%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG M (33 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2001683 (100%), 1:5001684 (100%), 1:2000032 (97%), 1:2000033 (97%), 1:2466 (97%), 1:99913 (97%), ...
  Egg-download ports:   445 (85%), 1031 (70%), 1032 (27%)
  Upload ports:         1031 (70%)
  Antivirus labels:     korgo (97%), parite (97%), pinfi (97%), lsabot (85%), padobot (82%), win32_parite_b (70%), ...
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (97%), random 4/5/6/7/8-character filename
  MD5 (packed):         736531... (45%), 86d186... (12%), 199fd8... (6%), 2edcd6... (6%), ...
  Registry keys:        ...Microsoft\Wireless (97%), ...
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG N (19 samples)
  Target OS:            Win2K-f (100%)
  Infection port:       445 (100%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%)
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:3000006 (100%), 1:3003 (100%), 1:99998 (100%)
  Egg-download ports:   445 (100%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    -
  Executables modified: -
  MD5 (packed):         None (100%)
  Registry keys:        -
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (62%), exec=windservc.exe (25%), server=NzmxFtpd 0wns j0 (25%)
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG O (17 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:3000006 (100%), 1:3003 (100%), 1:99998 (100%)
  Egg-download ports:   445 (100%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: index.dat (94%), o (82%)
  MD5 (packed):         None (94%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG P (15 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         1031 (53%), 44445 (47%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:99913 (100%), 1:2001683 (53%), 1:5001684 (53%), ...
  Egg-download ports:   1031 (53%)
  Upload ports:         44445 (47%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: index.dat (100%), ftpupd.exe (53%)
  MD5 (packed):         None (93%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG S (12 samples)
  Target OS:            WinXP (92%)
  Infection port:       445 (100%)
  Listen ports:         1031 (92%)
  Snort IDs:            1:2000032 (92%), 1:2000033 (92%), 1:2466 (92%), 1:3000003 (92%), 1:99913 (92%)
  Egg-download ports:   -
  Upload ports:         1031 (92%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (92%)
  Executables modified: -
  MD5 (packed):         None (92%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG U (11 samples)
  Target OS:            WinXP (55%), Win2K-f (45%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2001683 (100%), 1:2466 (100%), 1:5001684 (100%), 1:3000003 (82%), 555:5555005 (82%), ...
  Egg-download ports:   445 (45%), 1028 (45%), 80 (27%), 1031 (27%), 1032 (27%)
  Upload ports:         44445 (45%), 80 (27%), 1031 (27%), 1032 (27%)
  Antivirus labels:     bobax (100%), bobic (80%), vipre (60%), korgo (50%), lsabot (50%), padobot (50%), ...
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: ftpupd.exe (100%)
  MD5 (packed):         7c0547... (18%), ...
  Registry keys:        ...Microsoft\Wireless (100%), ...
  FTP chatter:          exec=resource32w.exe (100%), pass=a (100%), server=- (100%), user=a (60%)
  HTTP chatter:         -
  Domain names:         SOFTWARE\Classes\Applicat... (100%), paypal.com (100%), ...

Pattern JUL-AUG T (9 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001569 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), ...
  Egg-download ports:   445 (100%), 1031 (100%)
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: ftpupd.exe (100%)
  MD5 (packed):         None (33%)
  Registry keys:        ...Microsoft\Wireless (100%), ...
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG W (6 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:3000003 (100%), 1:99913 (100%)
  Egg-download ports:   -
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: -
  MD5 (packed):         None (100%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern JUL-AUG V (6 samples)
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         1031 (100%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), 1:3000003 (100%), ...
  Egg-download ports:   1031 (100%)
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: -
  MD5 (packed):         None (83%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -