Score: 1.3 (>= 0.8)
Infected Target: 130.107.212.191
Infector List: 79.163.63.67
Egg Source List: 79.163.63.67
C & C List: 114.80.101.21
Peer Coord. List:
Resource List:
Observed Start: 06/18/2009 05:59:04.650 PDT
Report End: 06/18/2009 05:59:08.208 PDT
Gen. Time: 06/18/2009 06:08:16.274 PDT

INBOUND SCAN

EXPLOIT
79.163.63.67 (6) (05:59:04.650 PDT-05:59:08.208 PDT)
 event=1:22466 (2) {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access
 445<-1203 (05:59:07.389 PDT)
 445<-1195 (05:59:04.650 PDT)
 -------------------------
 event=1:299913 (4) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
 2: 445<-1195 (05:59:05.446 PDT-05:59:05.489 PDT)
 2: 445<-1203 (05:59:08.164 PDT-05:59:08.208 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
79.163.63.67 (2) (05:59:11.579 PDT)
 event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
 1033<-1214 (05:59:11.579 PDT)
 -------------------------
 event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
 1033<-1214 (05:59:11.579 PDT)

C and C TRAFFIC
114.80.101.21 (06:01:59.692 PDT)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel
 1059->65520 (06:01:59.692 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1245329944.650 1245329948.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.212.191'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 130.107.212.191
Infector List:
Egg Source List: 85.114.141.207
C & C List: 121.12.116.142
Peer Coord. List:
Resource List:
Observed Start: 06/18/2009 06:08:19.083 PDT
Gen. Time: 06/18/2009 06:09:32.972 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD
85.114.141.207 (06:08:29.156 PDT)
 event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
 1037->80 (06:08:29.156 PDT)

C and C TRAFFIC
121.12.116.142 (06:08:19.083 PDT)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel
 1027->65520 (06:08:19.083 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1245330499.083 1245330499.084 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.212.191'

============================== SEPARATOR ================================