Score:            1.8 (>= 0.8)
Infected Target:  130.107.242.253
Infector List:    41.243.152.164
Egg Source List:  41.243.152.164
C & C List:       83.68.16.6 (2)
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   06/26/2009 19:25:28.385 PDT
Report End:       06/26/2009 19:26:20.883 PDT
Gen. Time:        06/26/2009 19:30:31.511 PDT

INBOUND SCAN
    <unobserved>

EXPLOIT
    41.243.152.164 (19:25:28.385 PDT)
       event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
          135<-63924 (19:25:28.385 PDT)

EXPLOIT (slade)
    <unobserved>

EGG DOWNLOAD
    41.243.152.164 (12) (19:25:32.520 PDT-19:26:20.883 PDT)
       event=1:1444 (4) {udp} E3[rb] TFTP GET from external source
          2: 1032->69 (19:25:32.520 PDT-19:25:33.477 PDT)
          2: 1033->69 (19:26:19.904 PDT-19:26:20.883 PDT)
       -------------------------
       event=1:2008120 (4) {udp} E3[rb] ET POLICY Outbound TFTP Read Request
          2: 1033->69 (19:26:19.904 PDT-19:26:20.883 PDT)
          2: 1032->69 (19:25:32.520 PDT-19:25:33.477 PDT)
       -------------------------
       event=1:3001441 (4) {udp} E3[rb] TFTP GET .exe from external source
          2: 1032->69 (19:25:32.520 PDT-19:25:33.477 PDT)
          2: 1033->69 (19:26:19.904 PDT-19:26:20.883 PDT)

C and C TRAFFIC
    83.68.16.6 (2) (19:28:56.072 PDT)
       event=1:2000355 (2) {tcp} E4[rb] ET POLICY IRC authorization message
          1037<-6556 (19:28:56.072 PDT)
          1038<-6556 (19:30:31.511 PDT)

PEER COORDINATION
    <unobserved>

OUTBOUND SCAN
    41.243.152.164 (19:25:28.946 PDT)
       event=1:52123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
          1031->707 (19:25:28.946 PDT)

ATTACK PREP
    <unobserved>

DECLARE BOT
    <unobserved>

tcpslice 1246069528.385 1246069580.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.242.253'

============================== SEPARATOR ================================