Cluster AV

11 samples (Win2K-f (100%))


Ports
  Infection: 445 (82%)
  Listen: 135 (100%), 500 (100%), 1026 (100%), 113 (91%), 69 (45%), 2001 (45%)
  Egg-download: 68 (100%), 445 (89%)

Filenames / Processes
  random 8/9 character filename

Registry keys
  ...CurrentVersion\Run (100%)
  ...InternetSettings\5.0 (100%)
  ...CurrentVersion\RunServices (91%)

Snort IDs
  1:1390 (100%)
  1:2001683 (100%)
  1:2001944 (100%)
  1:5001684 (100%)
  1:99998 (100%)
  1:3000006 (90%)

Network chatter
  FTP C&C
    pass=1 (100%)
    server=StnyFtpd 0wns j0 (100%)
    user=1 (100%)
    exec=windervs.exe (36%)
    exec=windservc.exe (36%)
    211.169.249.223 (18%)

Static analysis
  MD5 / Antivirus labels
  diversity: 100.0%
    sdbot (100%)
    vipre (100%)
    rbot (80%)
    spybot (80%)
    sheur (60%)
    dnascan (40%)