Score:            1.3 (>= 0.8)
Infected Target:  130.107.172.137
Infector List:    202.221.175.169
Egg Source List:  202.221.175.169
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   05/13/2008 05:32:05.706 PDT
Report End:       05/13/2008 05:33:13.820 PDT
Gen. Time:        05/13/2008 05:33:38.341 PDT

INBOUND SCAN
    <unobserved>

EXPLOIT
    202.221.175.169 (7) (05:32:05.706 PDT-05:32:28.211 PDT)
       event=1:2000032 (3) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit
          3: 445<-2363 (05:32:28.021 PDT-05:32:28.211 PDT)
       -------------------------
       event=1:2000033 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP)
          445<-2363 (05:32:28.021 PDT)
       -------------------------
       event=1:2466 {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access
          445<-2363 (05:32:05.706 PDT)
       -------------------------
       event=1:99913 (2) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
          2: 445<-2363 (05:32:26.217 PDT-05:32:28.021 PDT)

EXPLOIT (slade)
    <unobserved>

EGG DOWNLOAD
    202.221.175.169 (10) (05:32:39.536 PDT-05:33:13.820 PDT)
       event=1:2001683 (2) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
          2: 1031<-5740 (05:33:03.633 PDT-05:33:12.031 PDT)
       -------------------------
       event=1:3000000 (3) {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
          3: 1031<-5740 (05:32:59.806 PDT-05:33:13.820 PDT)
       -------------------------
       event=1:3000003 (3) {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
          3: 1031->5740 (05:32:39.536 PDT-05:32:52.456 PDT)
       -------------------------
       event=1:5001684 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
          2: 1031<-5740 (05:33:03.633 PDT-05:33:12.031 PDT)

C and C TRAFFIC
    <unobserved>

PEER COORDINATION
    <unobserved>

OUTBOUND SCAN
    115.59.28.44 (05:33:38.341 PDT)
       event=1:2001569 {tcp} E5[rb] BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection
          1041->445 (05:33:38.341 PDT)
    
    202.221.175.169 (05:33:38.341 PDT)
       event=555:5555005 {tcp} E5[sc] scade detected scanning of 6 IPs (fail ratio=0:0/6): 
          0->0 (05:33:38.341 PDT)

ATTACK PREP
    <unobserved>

DECLARE BOT
    <unobserved>

tcpslice 1210681925.706 1210681993.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.172.137'

============================== SEPARATOR ================================