Behavioral Pattern Analysis: 6066 samples, 12 behavioral profiles

PatternNumber of
samples		Target OSInfection portListen portsSnort IDsEgg-download
ports		Upload portsAntivirus labelsProcesses createdExecutables modifiedMD5 (packed)Registry keysFTP chatterHTTP chatter
A1844always Win2K-fmostly 445 or 139135 (100%)
500 (100%)
1026 (100%)
1027 (99%)
445 (40%)		1:99913 (98%)
1:3000003 (98%)
1:2466 (69%)
1:2001683 (34%)		1028 (46%)1028 (96%)sdbot (38%)
rinbot (37%)
nirbot (37%)
ircbot (37%)
vanbot (36%)
delbot (33%)
hupigon (26%)
rbot (26%)		--None (34%)
a0a7e837cba166943b44455ff2cb4fd9 (16%)
cefc8f1802900f1b7028355b2fae0fd8 (7%)		HKEY_USERS@...InternetSettings\5.0 (100%)
HKEY_LOCAL_MACHINE@...Microsoft\DownloadManager (100%)
HKEY_USERS@...InternetSettings\Connections (100%)		-UA=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) (96%)
version=1.0 (96%)
filename=/zmon.exe (69%)
B1048always WinXPalways 445-1:2000032 (100%)
1:99913 (100%)
1:2001683 (99%)
555:5555005 (99%)
1:2001569 (99%)
1:2000033 (98%)
1:2466 (98%)
1:3000003 (94%)
1:3000000 (94%)		1031 (100%)
445 (99%)		1031 (94%)korgo (97%)
padobot (97%)
lsabot (79%)
ircbot (24%)
sdbot (24%)		MSMSGS.EXE (100%)
random 5/6/7/8 character filename		ftpupd.exe (100%)
random 5/6/7/8 character filename		7d99b0e9108065ad5700a899a1fe3441 (36%)
7f60162c2c0bd2cc7531e51328e98290 (18%)
3ae357d17b1d2e0174bf477c28422c29 (8%)
986b59708d2ca33f4c1ad682a5d7a673 (6%)		HKEY_LOCAL_MACHINE@...Microsoft\Wireless (99%)--
C787mostly WinXPusually 4451032 (76%)
1033 (76%)		1:99913 (51%)
1:2466 (50%)
1:1390 (49%)
1:99998 (49%)
1:3000004 (47%)
1:2001944 (40%)
1:3000006 (40%)
1:3003 (39%)
1:2000032 (34%)
1:2000033 (34%)		445 (41%)--MSMSGS.EXE (100%)
ftp.exe (76%)		index.dat (100%)
o (71%)		mostly None-destport=1033 (75%)
pass=1 (46%)
user=1 (46%)
server=StnyFtpd 0wns j0 (37%)		-
D750always WinXPmostly 445-1:2000032 (99%)
1:99913 (99%)
555:5555005 (98%)
1:2001683 (98%)
1:2466 (98%)
1:2000033 (98%)
1:2001569 (96%)
1:3000000 (96%)
1:3000003 (96%)
1:5001684 (72%)		1031 (99%)
445 (96%)		1031 (96%)-MSMSGS.EXE (100%)
random 5/6/7/8 character filename		ftpupd.exe (100%)
random 5/6/7/8 character filename		usually NoneHKEY_LOCAL_MACHINE@...Microsoft\Wireless (100%)--
E599-usually 445113 (49%)
135 (45%)
500 (45%)
1026 (45%)		1:5001684 (95%)
1:2001683 (91%)
1:1390 (79%)
1:99998 (79%)
1:2001944 (69%)
1:3003 (68%)
1:3000006 (68%)		445 (71%)
73 (49%)
68 (44%)		--MSMSGS.EXE (55%)
random 8/9/10 character filename		-always NoneHKEY_LOCAL_MACHINE@...CurrentVersion\RunServices (95%)
HKEY_USERS@...Microsoft\OLE (45%)
HKEY_USERS@...InternetSettings\5.0 (45%)		pass=1 (79%)
user=1 (79%)
server=StnyFtpd 0wns j0 (51%)		-
F491always Win2K-fusually 445135 (100%)
500 (100%)
1026 (100%)
1027 (100%)
1028 (100%)
44445 (55%)		1:3000004 (57%)
1:2000032 (55%)
1:99906 (55%)
1:2000046 (54%)
1:2466 (54%)
1:1390 (43%)
1:99998 (43%)
1:2001944 (36%)
1:3000006 (36%)
1:3003 (34%)		445 (36%)44445 (54%)-ftp.exe (100%)-always None-destport=1028 (96%)
exec=resource32w.exe (54%)
pass=a (53%)
user=a (53%)
server=WinFtpd 1.2 (52%)
destIP=10.2.32.201 (48%)
pass=1 (46%)
user=1 (46%)
server=StnyFtpd 0wns j0 (37%)		-
G160mostly WinXPmostly 44580 (99%)1:99913 (99%)
1:2000032 (98%)
1:2001683 (98%)
1:2000033 (97%)
1:2466 (97%)
1:3000000 (97%)
1:5001684 (42%)		1031 (98%)80 (94%)berbew (38%)
berkor (38%)
padobot (38%)
doxpar (36%)
hangup (36%)
korgo (34%)
padodor (26%)		MSMSGS.EXE (99%)ndisrd.sys (99%)
index.dat (95%)
DCPROMO.LOG (94%)
random 6/7/8 character filename		None (41%)
a12cab51ef99e98305668d189d0db147 (25%)
df17a625eec94cdcd4b1b7998c099d87 (8%)		HKEY_USERS@...InternetSettings\Zones (99%)
HKEY_USERS@...Zones\0 (99%)
HKEY_USERS@...Zones\1 (99%)
HKEY_USERS@...Zones\2 (99%)
HKEY_USERS@...Zones\3 (99%)
HKEY_USERS@...Zones\4 (99%)
HKEY_LOCAL_MACHINE@...CurrentVersion\InternetSettings (99%)
HKEY_LOCAL_MACHINE@...InternetSettings\Zones (99%)
HKEY_LOCAL_MACHINE@...Windows\CurrentVersion (99%)
HKEY_LOCAL_MACHINE@...Zones\0 (99%)		--
H136mostly Win2K-fmostly 139, 445 or 135500 (99%)
1026 (99%)
135 (92%)
1027 (91%)		1:99913 (98%)
1:3000003 (90%)
1:2466 (36%)		-1028 (88%)-ntvdm.exe (100%)-mostly NoneHKEY_USERS@...InternetSettings\5.0 (99%)
HKEY_USERS@...InternetSettings\Connections (99%)
HKEY_LOCAL_MACHINE@...Microsoft\DownloadManager (90%)		-UA=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) (89%)
version=1.0 (89%)
filename=/zmon.exe (51%)
I90mostly Win2K-fusually 445135 (97%)
500 (97%)
1026 (97%)		1:1390 (100%)
1:99998 (100%)
1:2001944 (94%)
1:3000006 (93%)
1:3003 (89%)
1:5001684 (59%)
1:2001683 (57%)		445 (93%)
68 (54%)		----always None-pass=1 (77%)
user=1 (77%)
server=StnyFtpd 0wns j0 (62%)		-
J80always Win2K-fmostly 445135 (100%)
500 (100%)
1026 (100%)
44445 (98%)		1:2000032 (99%)
1:2000046 (99%)
1:2466 (99%)
1:3000004 (99%)
1:99906 (99%)		-44445 (98%)---always None-pass=a (59%)
user=a (58%)
exec=resource32w.exe (54%)
server=WinFtpd 1.2 (38%)		-
K53always WinXPalways 4451031 (87%)1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:3000003 (92%)
1:3000000 (53%)
1:2001683 (42%)		1031 (53%)1031 (92%)-MSMSGS.EXE (100%)-usually None---
L28-mostly 445-1:2001683 (100%)
555:5555005 (100%)
1:2000032 (96%)
1:2466 (96%)
1:5001684 (82%)
1:3000004 (64%)
1:2002024 (57%)
1:2000046 (50%)
1:2000345 (50%)
1:99906 (50%)		445 (50%)
443 (43%)
68 (39%)		44445 (64%)
443 (36%)		--Abort (46%)usually None-exec=resource32w.exe (64%)
pass=a (64%)
user=a (57%)
server=WinFtpd 1.2 (54%)		-