Behavioral Pattern Analysis: 6066 samples, 12 behavioral profiles

Pattern

Number of
samples

Target OS

Infection port

Listen ports

Snort IDs

Egg-download
ports

Upload ports

Antivirus labels

Processes created

Executables modified

MD5 (packed)

Registry keys

FTP chatter

HTTP chatter

1844

always Win2K-f

mostly 445 or 139

135 (100%)
500 (100%)
1026 (100%)
1027 (99%)
445 (40%)

1:99913 (98%)
1:3000003 (98%)
1:2466 (69%)
1:2001683 (34%)

1028 (46%)

1028 (96%)

sdbot (38%)
rinbot (37%)
nirbot (37%)
ircbot (37%)
vanbot (36%)
delbot (33%)
hupigon (26%)
rbot (26%)

None (34%)
a0a7e837cba166943b44455ff2cb4fd9 (16%)
cefc8f1802900f1b7028355b2fae0fd8 (7%)

HKEY_USERS@...InternetSettings\5.0 (100%)
HKEY_LOCAL_MACHINE@...Microsoft\DownloadManager (100%)
HKEY_USERS@...InternetSettings\Connections (100%)

UA=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) (96%)
version=1.0 (96%)
filename=/zmon.exe (69%)

1048

always WinXP

always 445

1:2000032 (100%)
1:99913 (100%)
1:2001683 (99%)
555:5555005 (99%)
1:2001569 (99%)
1:2000033 (98%)
1:2466 (98%)
1:3000003 (94%)
1:3000000 (94%)

1031 (100%)
445 (99%)

1031 (94%)

korgo (97%)
padobot (97%)
lsabot (79%)
ircbot (24%)
sdbot (24%)

MSMSGS.EXE (100%)
random 5/6/7/8 character filename

ftpupd.exe (100%)
random 5/6/7/8 character filename

7d99b0e9108065ad5700a899a1fe3441 (36%)
7f60162c2c0bd2cc7531e51328e98290 (18%)
3ae357d17b1d2e0174bf477c28422c29 (8%)
986b59708d2ca33f4c1ad682a5d7a673 (6%)

HKEY_LOCAL_MACHINE@...Microsoft\Wireless (99%)

787

mostly WinXP

usually 445

1032 (76%)
1033 (76%)

1:99913 (51%)
1:2466 (50%)
1:1390 (49%)
1:99998 (49%)
1:3000004 (47%)
1:2001944 (40%)
1:3000006 (40%)
1:3003 (39%)
1:2000032 (34%)
1:2000033 (34%)

445 (41%)

MSMSGS.EXE (100%)
ftp.exe (76%)

index.dat (100%)
o (71%)

mostly None

destport=1033 (75%)
pass=1 (46%)
user=1 (46%)
server=StnyFtpd 0wns j0 (37%)

750

always WinXP

mostly 445

1:2000032 (99%)
1:99913 (99%)
555:5555005 (98%)
1:2001683 (98%)
1:2466 (98%)
1:2000033 (98%)
1:2001569 (96%)
1:3000000 (96%)
1:3000003 (96%)
1:5001684 (72%)

1031 (99%)
445 (96%)

1031 (96%)

MSMSGS.EXE (100%)
random 5/6/7/8 character filename

ftpupd.exe (100%)
random 5/6/7/8 character filename

usually None

HKEY_LOCAL_MACHINE@...Microsoft\Wireless (100%)

599

usually 445

113 (49%)
135 (45%)
500 (45%)
1026 (45%)

1:5001684 (95%)
1:2001683 (91%)
1:1390 (79%)
1:99998 (79%)
1:2001944 (69%)
1:3003 (68%)
1:3000006 (68%)

445 (71%)
73 (49%)
68 (44%)

MSMSGS.EXE (55%)
random 8/9/10 character filename

always None

HKEY_LOCAL_MACHINE@...CurrentVersion\RunServices (95%)
HKEY_USERS@...Microsoft\OLE (45%)
HKEY_USERS@...InternetSettings\5.0 (45%)

pass=1 (79%)
user=1 (79%)
server=StnyFtpd 0wns j0 (51%)

491

always Win2K-f

usually 445

135 (100%)
500 (100%)
1026 (100%)
1027 (100%)
1028 (100%)
44445 (55%)

1:3000004 (57%)
1:2000032 (55%)
1:99906 (55%)
1:2000046 (54%)
1:2466 (54%)
1:1390 (43%)
1:99998 (43%)
1:2001944 (36%)
1:3000006 (36%)
1:3003 (34%)

445 (36%)

44445 (54%)

ftp.exe (100%)

always None

destport=1028 (96%)
exec=resource32w.exe (54%)
pass=a (53%)
user=a (53%)
server=WinFtpd 1.2 (52%)
destIP=10.2.32.201 (48%)
pass=1 (46%)
user=1 (46%)
server=StnyFtpd 0wns j0 (37%)

160

mostly WinXP

mostly 445

80 (99%)

1:99913 (99%)
1:2000032 (98%)
1:2001683 (98%)
1:2000033 (97%)
1:2466 (97%)
1:3000000 (97%)
1:5001684 (42%)

1031 (98%)

80 (94%)

berbew (38%)
berkor (38%)
padobot (38%)
doxpar (36%)
hangup (36%)
korgo (34%)
padodor (26%)

MSMSGS.EXE (99%)

ndisrd.sys (99%)
index.dat (95%)
DCPROMO.LOG (94%)
random 6/7/8 character filename

None (41%)
a12cab51ef99e98305668d189d0db147 (25%)
df17a625eec94cdcd4b1b7998c099d87 (8%)

HKEY_USERS@...InternetSettings\Zones (99%)
HKEY_USERS@...Zones\0 (99%)
HKEY_USERS@...Zones\1 (99%)
HKEY_USERS@...Zones\2 (99%)
HKEY_USERS@...Zones\3 (99%)
HKEY_USERS@...Zones\4 (99%)
HKEY_LOCAL_MACHINE@...CurrentVersion\InternetSettings (99%)
HKEY_LOCAL_MACHINE@...InternetSettings\Zones (99%)
HKEY_LOCAL_MACHINE@...Windows\CurrentVersion (99%)
HKEY_LOCAL_MACHINE@...Zones\0 (99%)

136

mostly Win2K-f

mostly 139, 445 or 135

500 (99%)
1026 (99%)
135 (92%)
1027 (91%)

1:99913 (98%)
1:3000003 (90%)
1:2466 (36%)

1028 (88%)

ntvdm.exe (100%)

mostly None

HKEY_USERS@...InternetSettings\5.0 (99%)
HKEY_USERS@...InternetSettings\Connections (99%)
HKEY_LOCAL_MACHINE@...Microsoft\DownloadManager (90%)

UA=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) (89%)
version=1.0 (89%)
filename=/zmon.exe (51%)

mostly Win2K-f

usually 445

135 (97%)
500 (97%)
1026 (97%)

1:1390 (100%)
1:99998 (100%)
1:2001944 (94%)
1:3000006 (93%)
1:3003 (89%)
1:5001684 (59%)
1:2001683 (57%)

445 (93%)
68 (54%)

always None

pass=1 (77%)
user=1 (77%)
server=StnyFtpd 0wns j0 (62%)

always Win2K-f

mostly 445

135 (100%)
500 (100%)
1026 (100%)
44445 (98%)

1:2000032 (99%)
1:2000046 (99%)
1:2466 (99%)
1:3000004 (99%)
1:99906 (99%)

44445 (98%)

always None

pass=a (59%)
user=a (58%)
exec=resource32w.exe (54%)
server=WinFtpd 1.2 (38%)

always WinXP

always 445

1031 (87%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:3000003 (92%)
1:3000000 (53%)
1:2001683 (42%)

1031 (53%)

1031 (92%)

MSMSGS.EXE (100%)

usually None

mostly 445

1:2001683 (100%)
555:5555005 (100%)
1:2000032 (96%)
1:2466 (96%)
1:5001684 (82%)
1:3000004 (64%)
1:2002024 (57%)
1:2000046 (50%)
1:2000345 (50%)
1:99906 (50%)

445 (50%)
443 (43%)
68 (39%)

44445 (64%)
443 (36%)

Abort (46%)

usually None

exec=resource32w.exe (64%)
pass=a (64%)
user=a (57%)
server=WinFtpd 1.2 (54%)