Behavioral Pattern Analysis: 3034 samples, 13 behavioral profiles

The table records sixteen fields for each behavioral profile: Pattern, Number of samples, Target OS, Infection port, Listen ports, Snort IDs, Egg-download ports, Upload ports, Antivirus labels, Processes created, Executables modified, MD5 (packed), Registry keys, FTP chatter, HTTP chatter, Domain names. Each profile is listed below as one record with those fields. Percentages give the fraction of the profile's samples that show the value; "-" marks a field with no recorded value; "(full list not shown)" marks a list that the original truncates.

Pattern: AUG-SEP-A
  Number of samples: 1060
  Target OS: WinXP (100%)
  Infection port: 445 (100%)
  Listen ports: -
  Snort IDs: 1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:99913 (100%), 1:3000000 (100%), 1:3000003 (100%) (full list not shown)
  Egg-download ports: 445 (99%), 1032 (97%)
  Upload ports: 1032 (96%)
  Antivirus labels: korgo (100%), padobot (100%), lsabot (98%)
  Processes created: MSMSGS.EXE (100%), random 5/6/7/8 character filename
  Executables modified: ftpupd.exe (100%), random 5/6/7/8 character filename
  MD5 (packed): 7d99b0... (49%), a0139d... (8%), 3ae357... (8%), 1fcc14... (5%) (full list not shown)
  Registry keys: ...Microsoft\Wireless (100%) (full list not shown)
  FTP chatter: -
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-B
  Number of samples: 503
  Target OS: Win2K-f (75%), WinXP (25%)
  Infection port: 445 (99%)
  Listen ports: 44445 (100%), 135 (76%), 500 (76%), 1026 (76%)
  Snort IDs: 1:2000032 (100%), 1:2466 (100%), 1:3000004 (100%), 1:5001684 (97%), 1:2001683 (96%), 1:2000046 (75%) (full list not shown)
  Egg-download ports: 68 (68%)
  Upload ports: 44445 (99%)
  Antivirus labels: sdbot (97%), spybot (97%), rbot (97%), mybot (91%), sdbo (90%)
  Processes created: MSMSGS.EXE (31%), random 9 character filename
  Executables modified: Abort (76%), random 17 character filename
  MD5 (packed): 7fdfe3... (67%), None (22%) (full list not shown)
  Registry keys: ...CurrentVersion\RunServices (99%), ...Microsoft\OLE (99%), ...InternetSettings\5.0 (67%), ...InternetSettings\Connections (67%) (full list not shown)
  FTP chatter: exec=resource32w.exe (99%), user=a (99%), pass=a (98%), server=WinFtpd 1.2 (94%)
  HTTP chatter: -
  Domain names: *@celestial.org (94%)

Pattern: AUG-SEP-C
  Number of samples: 481
  Target OS: WinXP (55%), Win2K-f (45%)
  Infection port: 445 (89%), 139 (10%)
  Listen ports: 113 (68%), 135 (53%), 500 (53%), 1026 (53%)
  Snort IDs: 1:1390 (100%), 1:99998 (100%), 1:5001684 (93%), 1:2001683 (91%), 1:2001944 (89%), 1:3000006 (88%) (full list not shown)
  Egg-download ports: 445 (88%), 74 (49%), 68 (42%)
  Upload ports: -
  Antivirus labels: vipre (90%), sdbot (78%), sheur (48%), heur (39%), rbot (37%), spybot (35%) (full list not shown)
  Processes created: MSMSGS.EXE (57%), random 8/9/10 character filename
  Executables modified: o (97%)
  MD5 (packed): None (10%)
  Registry keys: ...CurrentVersion\RunServices (100%), ...InternetSettings\5.0 (44%), ...Microsoft\OLE (30%), ...CurrentVersion\Run (30%) (full list not shown)
  FTP chatter: user=1 (100%), pass=1 (100%), server=StnyFtpd 0wns j0 (72%)
  HTTP chatter: -
  Domain names: *@admin.com (98%), paypal.com (79%), PAYPAL.COM (77%), de.yahoo.com (77%), nitro.ucsc.edu (77%), reconnect.in (77%) (full list not shown)

Pattern: AUG-SEP-D
  Number of samples: 311
  Target OS: Win2K-f (100%)
  Infection port: 445 (65%), 139 (35%)
  Listen ports: 135 (100%), 500 (100%), 1026 (100%), 1027 (96%)
  Snort IDs: 1:3000003 (95%), 1:99913 (95%), 1:5001684 (92%), 1:2466 (65%)
  Egg-download ports: 1028 (88%)
  Upload ports: 1028 (95%)
  Antivirus labels: ircbot (100%), delbot (98%), nirbot (98%), rinbot (98%), sdbot (98%), rbot (77%) (full list not shown)
  Processes created: ntvdm.exe (58%)
  Executables modified: -
  MD5 (packed): a0a7e8... (46%), None (21%), a7c70c... (10%), cefc8f... (7%), 5777cb... (6%) (full list not shown)
  Registry keys: ...InternetSettings\5.0 (100%), ...InternetSettings\Connections (99%), ...Microsoft\DownloadManager (97%) (full list not shown)
  FTP chatter: pass=1 (100%), user=1 (100%), server=fuckFtpd 0wns j0 (85%), exec=Tilecomfree.com (38%), exec=MSNGR32.com (31%)
  HTTP chatter: UA=Mozilla/4.0 (compatibl... (100%), filename=/zmon.exe (100%), version=1.0 (100%) (full list not shown)
  Domain names: -

Pattern: AUG-SEP-E
  Number of samples: 274
  Target OS: WinXP (100%)
  Infection port: 445 (100%)
  Listen ports: 113 (99%), 3067 (99%)
  Snort IDs: 1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:99913 (100%), 555:5555005 (99%), 1:2001569 (98%) (full list not shown)
  Egg-download ports: 445 (98%), 1032 (96%)
  Upload ports: 1032 (78%), 1054 (26%)
  Antivirus labels: korgo (100%), padobot (100%), ircbot (72%), sdbot (72%), lsabot (26%)
  Processes created: MSMSGS.EXE (100%), random 5/6/7/8 character filename
  Executables modified: ftpupd.exe (100%), random 5/6/7/8 character filename
  MD5 (packed): 7f6016... (70%), 32a0d7... (6%), 042774... (5%) (full list not shown)
  Registry keys: ...Microsoft\Wireless (100%) (full list not shown)
  FTP chatter: -
  HTTP chatter: -
  Domain names: brussels.be.eu.undernet.o... (100%), caen.fr.eu.undernet.org (100%), flanders.be.eu.undernet.o... (100%), gaspode.zanet.org.za (100%), graz.at.eu.undernet.org (100%), lia.zanet.net (100%) (full list not shown)

Pattern: AUG-SEP-F
  Number of samples: 92
  Target OS: WinXP (100%)
  Infection port: 445 (97%)
  Listen ports: 44445 (93%)
  Snort IDs: 1:99913 (98%), 1:2000032 (97%), 1:2000033 (97%), 1:2466 (97%), 1:3000004 (88%), 1:5001684 (64%) (full list not shown)
  Egg-download ports: 74 (52%)
  Upload ports: 44445 (88%)
  Antivirus labels: -
  Processes created: MSMSGS.EXE (100%)
  Executables modified: index.dat (100%), resource32w.exe (69%)
  MD5 (packed): None (98%)
  Registry keys: -
  FTP chatter: user=a (97%), pass=a (94%), exec=resource32w.exe (90%), server=WinFtpd 1.2 (80%), destport=1025 (38%)
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-G
  Number of samples: 83
  Target OS: WinXP (100%)
  Infection port: 445 (98%)
  Listen ports: 80 (96%)
  Snort IDs: 1:5001684 (100%), 1:2001683 (99%), 1:2000032 (98%), 1:2000033 (98%), 1:2466 (98%), 1:3000000 (98%) (full list not shown)
  Egg-download ports: 1032 (93%)
  Upload ports: 80 (88%)
  Antivirus labels: padobot (100%), berbew (99%), berkor (99%), doxpar (99%), korgo (95%), padodor (81%)
  Processes created: MSMSGS.EXE (100%)
  Executables modified: DCPROMO.LOG (99%), index.dat (99%), ndisrd.sys (99%), random 6/8 character filename
  MD5 (packed): a12cab... (75%), df17a6... (8%) (full list not shown)
  Registry keys: ...ActivatingDocument\.Current (96%), ...CurrentVersion\InternetSettings (96%), ...FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN (96%), ...InternetSettings\Zones (96%), ...Main\FeatureControl (96%), ...Microsoft\Windows (96%) (full list not shown)
  FTP chatter: pass=1 (100%), user=1 (100%)
  HTTP chatter: -
  Domain names: 53bank.com (100%), acrolein-hawk.rubanking.h... (100%), alfabank.ru (100%), asmworm.com (100%), atmacasoft.com (100%), barclays.com (100%) (full list not shown)

Pattern: AUG-SEP-H
  Number of samples: 57
  Target OS: Win2K-f (100%)
  Infection port: 445 (100%)
  Listen ports: 135 (100%), 500 (100%), 1026 (100%), 44445 (100%)
  Snort IDs: 1:2000032 (100%), 1:2000046 (100%), 1:2466 (100%), 1:3000004 (100%), 1:99906 (100%)
  Egg-download ports: -
  Upload ports: 44445 (100%)
  Antivirus labels: -
  Processes created: -
  Executables modified: -
  MD5 (packed): None (100%)
  Registry keys: -
  FTP chatter: user=a (100%), pass=a (88%), server=WinFtpd 1.2 (76%), exec=resource32w.exe (65%)
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-K
  Number of samples: 47
  Target OS: WinXP (83%)
  Infection port: 445 (43%), 135 (30%), 1034 (26%)
  Listen ports: 9996 (46%)
  Snort IDs: 1:99913 (94%), 1:2466 (66%), 1:5001684 (57%), 555:5555005 (47%), 1:2001683 (45%), 1:2000047 (38%) (full list not shown)
  Egg-download ports: 445 (40%), 1032 (38%), 9996 (38%)
  Upload ports: -
  Antivirus labels: poebot (31%), jobaka (28%), korgo (28%), lsabot (28%), padobot (28%), muldrop (22%) (full list not shown)
  Processes created: MSMSGS.EXE (83%), random 6/7/8 character filename
  Executables modified: index.dat (72%), ftpupd.exe (28%), random 6/8 character filename
  MD5 (packed): None (19%), 7d99b0... (13%), 831f4e... (11%), 1a2c0e... (9%), 2aa59b... (9%), a39875... (6%) (full list not shown)
  Registry keys: ...Microsoft\Wireless (60%), ...InternetSettings\5.0 (27%), ...InternetSettings\Connections (27%) (full list not shown)
  FTP chatter: user=anonymous (71%), pass=bin (62%), server=OK (50%), destport=1025 (33%)
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-I
  Number of samples: 31
  Target OS: WinXP (100%)
  Infection port: 445 (100%)
  Listen ports: 1033 (48%), 113 (31%)
  Snort IDs: 1:2001683 (100%), 1:5001684 (100%), 1:2000032 (84%), 1:2000033 (84%), 1:2466 (84%), 1:3000000 (84%) (full list not shown)
  Egg-download ports: 445 (94%), 1032 (77%)
  Upload ports: 1032 (77%)
  Antivirus labels: virut (100%), vipre (92%), virutas (92%), korgo (85%), gen33 (77%), padobot (77%) (full list not shown)
  Processes created: MSMSGS.EXE (100%), random 6/8 character filename
  Executables modified: HelpCtr.exe (87%), HelpHost.exe (87%), HelpSvc.exe (87%), NOTEPAD.EXE (87%), UploadM.exe (87%), accwiz.exe (87%) (full list not shown)
  MD5 (packed): 999e33... (13%), 175328... (6%), 388123... (6%), 4daafe... (6%), 628df4... (6%), 6df73d... (6%) (full list not shown)
  Registry keys: ...Microsoft\Wireless (83%) (full list not shown)
  FTP chatter: pass=1 (100%), server=StnyFtpd 0wns j0 (100%), user=1 (100%), exec=sertys.exe (60%), destIP=130.107.209.120 (40%), destIP=130.107.227.96 (40%) (full list not shown)
  HTTP chatter: -
  Domain names: *@admin.com (50%), PAYPAL.COM (50%), broadway.ny.us.dal.net (50%), brussels.be.eu.undernet.o... (50%), caen.fr.eu.undernet.org (50%), ced.dal.net (50%) (full list not shown)

Pattern: AUG-SEP-L
  Number of samples: 25
  Target OS: WinXP (100%)
  Infection port: 445 (100%)
  Listen ports: 1032 (100%)
  Snort IDs: 1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:99913 (100%), 1:3000003 (92%), 1:2001683 (80%) (full list not shown)
  Egg-download ports: 1032 (84%)
  Upload ports: 1032 (92%)
  Antivirus labels: -
  Processes created: MSMSGS.EXE (100%)
  Executables modified: ftpupd.exe (100%), index.dat (100%)
  MD5 (packed): None (96%)
  Registry keys: -
  FTP chatter: -
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-J
  Number of samples: 22
  Target OS: WinXP (100%)
  Infection port: 445 (100%)
  Listen ports: -
  Snort IDs: 1:2000032 (100%), 1:2000033 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), 1:3000003 (100%) (full list not shown)
  Egg-download ports: 1032 (100%), 445 (91%)
  Upload ports: 1032 (100%), 1062 (27%)
  Antivirus labels: korgo (100%), lsabot (100%), padobot (100%), parite (91%), pinfi (91%), win32_parite_b (91%) (full list not shown)
  Processes created: MSMSGS.EXE (100%)
  Executables modified: ftpupd.exe (100%), random 4 character filename
  MD5 (packed): 736531... (50%), 0a944c... (9%), 528766... (9%), 651382... (9%), 95b642... (9%) (full list not shown)
  Registry keys: ...Microsoft\Wireless (100%) (full list not shown)
  FTP chatter: -
  HTTP chatter: -
  Domain names: -

Pattern: AUG-SEP-M
  Number of samples: 6
  Target OS: Win2K-f (100%)
  Infection port: 445 (100%)
  Listen ports: 135 (100%), 500 (100%), 1026 (100%)
  Snort IDs: 1:1390 (100%), 1:2001944 (100%), 1:3000006 (100%), 1:99998 (100%), 1:3003 (83%)
  Egg-download ports: 445 (100%)
  Upload ports: -
  Antivirus labels: -
  Processes created: -
  Executables modified: -
  MD5 (packed): None (100%)
  Registry keys: -
  FTP chatter: user=1 (100%), pass=1 (67%), server=StnyFtpd 0wns j0 (67%)
  HTTP chatter: -
  Domain names: -