Cluster AE

28 samples (WinXP (61%)
Win2K-f (39%))

Ports
Infection Listen Egg-download
139 (43%) 135 (65%)
500 (65%)
1026 (65%) 139 (100%)
68 (50%)
73 (25%)
74 (25%)

Filenames
Processes
Tilehome.com (100%)
MSMSGS.EXE (61%)

Registry keys
...CurrentVersion\RunServices (100%)
...Microsoft\OLE (100%)
...InternetSettings\5.0 (39%)
...InternetSettings\Connections (39%)
full list

Snort IDs
1:1390 (100%)
1:3000005 (100%)
1:5001684 (100%)
1:99998 (100%)
1:2001683 (33%)

Network chatter
FTP C&C
exec=Tilehome.com (100%)
pass=1 (100%)
server=NzmxFtpd 0wns j0 (100%)
user=1 (100%) 63.173.172.98 (7%)

Static analysis
MD5 Antivirus labels Domain
0123d3... (11%)
1d9b3a... (11%)
243aa2... (7%)
cadc24... (7%)
f1256e... (7%)
f81454... (7%)
diversity: 67.9%
full list
gaobot (100%)
ircbot (100%)
mybot (100%)
rbot (100%)
sdbot (100%)
sdbot2 (100%)
full list
PAYPAL.COM (100%)
Tilehome.com (100%)
clone.ac (100%)
clone.ni (100%)
clone.pm (100%)
home.najd.us (100%)
full list