Behavioral Pattern Analysis: 2971 samples, 13 behavioral profiles

Pattern

Number of
samples

Target OS

Infection port

Listen ports

Snort IDs

Egg-download
ports

Upload ports

Antivirus labels

Processes created

Executables modified

MD5 (packed)

Registry keys

FTP chatter

HTTP chatter

Domain names

AUG-SEP-A

1040

WinXP (100%)

445 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:3000000 (100%)
1:3000003 (100%)

full list

445 (99%)
1032 (97%)

1032 (96%)

korgo (100%)
padobot (100%)
lsabot (98%)

MSMSGS.EXE (100%)

random 5/6/7/8
character filename

ftpupd.exe (100%)

random 5/6/7/8
character filename

7d99b0... (49%)
a0139d... (8%)
3ae357... (7%)
1fcc14... (5%)

full list

...Microsoft\Wireless (100%)

full list

AUG-SEP-B

495

Win2K-f (75%)

445 (99%)

44445 (100%)
135 (76%)
500 (76%)
1026 (76%)

1:2000032 (100%)
1:2466 (100%)
1:3000004 (100%)
1:5001684 (97%)
1:2001683 (96%)
1:2000046 (75%)

full list

68 (68%)

44445 (99%)

sdbot (97%)
spybot (97%)
rbot (97%)
mybot (91%)
sdbo (89%)

MSMSGS.EXE (31%)

random 9
character filename

Abort (76%)

random 17
character filename

7fdfe3... (67%)
None (22%)

full list

...CurrentVersion\RunServices (99%)
...Microsoft\OLE (99%)
...InternetSettings\5.0 (67%)
...InternetSettings\Connections (67%)

full list

exec=resource32w.exe (99%)
user=a (99%)
pass=a (98%)
server=WinFtpd 1.2 (94%)

*@celestial.org (94%)

AUG-SEP-C

458

WinXP (53%)
Win2K-f (47%)

445 (91%)

113 (69%)
135 (54%)
500 (54%)
1026 (54%)

1:1390 (100%)
1:99998 (100%)
1:5001684 (94%)
1:2001683 (93%)
1:2001944 (91%)
1:3000006 (90%)

full list

445 (90%)
74 (49%)
68 (43%)

vipre (91%)
sdbot (79%)
sheur (49%)
heur (40%)
rbot (36%)
spybot (35%)

full list

MSMSGS.EXE (56%)

random 8/9/10
character filename

o (97%)

None (9%)

...CurrentVersion\RunServices (100%)
...InternetSettings\5.0 (45%)
...CurrentVersion\Run (31%)
...Microsoft\OLE (28%)

full list

user=1 (100%)
pass=1 (100%)
server=StnyFtpd 0wns j0 (73%)

*@admin.com (98%)
paypal.com (79%)
PAYPAL.COM (77%)
de.yahoo.com (77%)
nitro.ucsc.edu (77%)
reconnect.in (77%)

full list

AUG-SEP-D

308

Win2K-f (100%)

445 (66%)
139 (34%)

135 (100%)
500 (100%)
1026 (100%)
1027 (96%)

1:3000003 (96%)
1:99913 (96%)
1:5001684 (92%)
1:2466 (66%)

1028 (89%)

1028 (96%)

ircbot (100%)
delbot (98%)
nirbot (98%)
rinbot (98%)
sdbot (98%)
rbot (77%)

full list

ntvdm.exe (67%)

a0a7e8... (47%)
None (20%)
a7c70c... (10%)
cefc8f... (7%)
5777cb... (6%)

full list

...InternetSettings\5.0 (100%)
...InternetSettings\Connections (99%)
...Microsoft\DownloadManager (98%)

full list

pass=1 (100%)
user=1 (100%)
server=fuckFtpd 0wns j0 (80%)
exec=Tilecomfree.com (50%)

UA=Mozilla/4.0 (compatibl... (100%)
filename=/zmon.exe (100%)
version=1.0 (100%)

full list

AUG-SEP-E

271

WinXP (100%)

445 (100%)

113 (99%)
3067 (99%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
555:5555005 (99%)
1:2001569 (98%)

full list

445 (98%)
1032 (96%)

1032 (78%)
1054 (26%)

korgo (100%)
padobot (100%)
ircbot (72%)
sdbot (72%)
lsabot (27%)

MSMSGS.EXE (100%)

random 5/6/7/8
character filename

ftpupd.exe (100%)

random 5/6/7/8
character filename

7f6016... (70%)
32a0d7... (6%)
042774... (6%)

full list

...Microsoft\Wireless (100%)

full list

brussels.be.eu.undernet.o... (100%)
caen.fr.eu.undernet.org (100%)
flanders.be.eu.undernet.o... (100%)
gaspode.zanet.org.za (100%)
graz.at.eu.undernet.org (100%)
lia.zanet.net (100%)

full list

AUG-SEP-F

WinXP (100%)

445 (97%)

44445 (93%)

1:99913 (98%)
1:2000032 (97%)
1:2000033 (97%)
1:2466 (97%)
1:3000004 (88%)
1:5001684 (63%)

full list

74 (51%)

44445 (88%)

MSMSGS.EXE (100%)

index.dat (100%)
resource32w.exe (68%)

None (98%)

user=a (97%)
pass=a (94%)
exec=resource32w.exe (90%)
server=WinFtpd 1.2 (79%)
destport=1025 (37%)

AUG-SEP-G

WinXP (100%)

445 (98%)

80 (96%)

1:5001684 (100%)
1:2001683 (99%)
1:2000032 (98%)
1:2000033 (98%)
1:2466 (98%)
1:3000000 (98%)

full list

1032 (93%)

80 (88%)

padobot (100%)
berbew (99%)
berkor (99%)
doxpar (99%)
korgo (95%)
padodor (81%)

MSMSGS.EXE (100%)

DCPROMO.LOG (99%)
index.dat (99%)
ndisrd.sys (99%)

random 6/8
character filename

a12cab... (75%)
df17a6... (8%)

full list

...ActivatingDocument\.Current (96%)
...CurrentVersion\InternetSettings (96%)
...FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN (96%)
...InternetSettings\Zones (96%)
...Main\FeatureControl (96%)
...Microsoft\Windows (96%)

full list

pass=1 (100%)
user=1 (100%)

53bank.com (100%)
acrolein-hawk.rubanking.h... (100%)
alfabank.ru (100%)
asmworm.com (100%)
atmacasoft.com (100%)
barclays.com (100%)

full list

AUG-SEP-H

Win2K-f (100%)

445 (100%)

135 (100%)
500 (100%)
1026 (100%)
44445 (100%)

1:2000032 (100%)
1:2000046 (100%)
1:2466 (100%)
1:3000004 (100%)
1:99906 (100%)

44445 (100%)

None (100%)

user=a (100%)
pass=a (88%)
server=WinFtpd 1.2 (76%)
exec=resource32w.exe (65%)

AUG-SEP-K

WinXP (83%)

445 (43%)
135 (30%)
1034 (26%)

9996 (46%)

1:99913 (96%)
1:2466 (67%)
1:5001684 (59%)
555:5555005 (48%)
1:2001683 (43%)
1:2000047 (39%)

full list

445 (41%)
1032 (39%)
9996 (39%)

poebot (31%)
jobaka (28%)
korgo (28%)
lsabot (28%)
padobot (28%)
muldrop (22%)

full list

MSMSGS.EXE (83%)

random 6/7/8
character filename

index.dat (71%)
ftpupd.exe (29%)

random 6/8
character filename

None (20%)
7d99b0... (13%)
831f4e... (11%)
1a2c0e... (9%)
2aa59b... (9%)
a39875... (7%)

full list

...Microsoft\Wireless (60%)
...InternetSettings\5.0 (27%)
...InternetSettings\Connections (27%)

full list

user=anonymous (74%)
pass=bin (65%)
server=OK (52%)
destport=1025 (35%)

AUG-SEP-I

WinXP (100%)

445 (100%)

1033 (46%)
113 (32%)

1:2001683 (100%)
1:5001684 (100%)
1:2000032 (83%)
1:2000033 (83%)
1:2466 (83%)
1:3000000 (83%)

full list

445 (93%)
1032 (77%)

1032 (77%)

virut (100%)
vipre (92%)
virutas (92%)
korgo (85%)
gen33 (77%)
padobot (77%)

full list

MSMSGS.EXE (100%)

random 6/8
character filename

HelpCtr.exe (87%)
HelpHost.exe (87%)
HelpSvc.exe (87%)
NOTEPAD.EXE (87%)
UploadM.exe (87%)
accwiz.exe (87%)

full list

999e33... (13%)
175328... (7%)
388123... (7%)
4daafe... (7%)
628df4... (7%)
6df73d... (7%)

full list

...Microsoft\Wireless (82%)

full list

pass=1 (100%)
server=StnyFtpd 0wns j0 (100%)
user=1 (100%)
exec=sertys.exe (60%)
destIP=130.107.209.120 (40%)
destIP=130.107.227.96 (40%)

full list

*@admin.com (50%)
PAYPAL.COM (50%)
broadway.ny.us.dal.net (50%)
brussels.be.eu.undernet.o... (50%)
caen.fr.eu.undernet.org (50%)
ced.dal.net (50%)

full list

AUG-SEP-L

WinXP (100%)

445 (100%)

1032 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:3000003 (92%)
1:2001683 (79%)

full list

1032 (83%)

1032 (92%)

MSMSGS.EXE (100%)

ftpupd.exe (100%)
index.dat (100%)

None (100%)

AUG-SEP-J

WinXP (100%)

445 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)

full list

1032 (100%)
445 (90%)

1032 (100%)
1062 (29%)

korgo (100%)
lsabot (100%)
padobot (100%)
parite (90%)
pinfi (90%)
win32_parite_b (90%)

full list

MSMSGS.EXE (100%)

ftpupd.exe (100%)

random 4
character filename

736531... (48%)
0a944c... (10%)
528766... (10%)
651382... (10%)
95b642... (10%)

full list

...Microsoft\Wireless (100%)

full list

AUG-SEP-M

Win2K-f (100%)

445 (100%)

135 (100%)
500 (100%)
1026 (100%)

1:1390 (100%)
1:2001944 (100%)
1:3000006 (100%)
1:99998 (100%)
1:3003 (83%)

445 (100%)

None (100%)

user=1 (100%)
pass=1 (67%)
server=StnyFtpd 0wns j0 (67%)