| Pattern | Number of
samples | Target OS | Infection port | Listen ports | Snort IDs | Egg-download
ports | Upload ports | Antivirus labels | Processes created | Executables modified | MD5 (packed) | Registry keys | FTP chatter | HTTP chatter | Domain names |
| AUGUST-A | 447 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)
1:99913 (100%)full list | 445 (99%)
1032 (96%) | 1032 (96%) | korgo (100%)
padobot (100%)
lsabot (98%) | MSMSGS.EXE (100%)
random 5/6/7/8
character filename | ftpupd.exe (100%)
random 5/6/7/8
character filename | 7d99b0... (52%)
a0139d... (7%)
3ae357... (6%)full list | ...Microsoft\Wireless (100%) full list | - | - | - |
| AUGUST-B | 211 | Win2K-f (75%)
WinXP (25%) | 445 (99%) | 44445 (100%)
135 (76%)
500 (76%)
1026 (76%) | 1:2000032 (100%)
1:2466 (100%)
1:3000004 (100%)
1:5001684 (100%)
1:2001683 (98%)
1:2000046 (75%)full list | 68 (71%) | 44445 (100%) | sdbot (98%)
spybot (98%)
rbot (97%)
mybot (91%)
sdbo (90%) | MSMSGS.EXE (31%)
random 9
character filename | Abort (78%)
random 17
character filename | 7fdfe3... (69%)
None (21%)full list | ...CurrentVersion\RunServices (99%)
...Microsoft\OLE (99%)
...InternetSettings\5.0 (68%)
...InternetSettings\Connections (68%)full list | exec=resource32w.exe (100%)
pass=a (99%)
user=a (99%)
server=WinFtpd 1.2 (96%) | - | *@celestial.org (94%) |
| AUGUST-C | 158 | WinXP (52%)
Win2K-f (48%) | 445 (98%) | 113 (78%)
135 (54%)
500 (54%)
1026 (54%) | 1:1390 (100%)
1:99998 (100%)
1:2001944 (99%)
1:2001683 (98%)
1:3000006 (97%)
1:5001684 (97%)full list | 445 (97%)
74 (47%)
68 (46%) | - | vipre (93%)
sdbot (82%)
sheur (52%)
heur (41%)
spybot (36%)
rbot (34%)full list | MSMSGS.EXE (53%)
random 6/8/9/10
character filename | o (99%) | 2f965d... (5%) full list | ...CurrentVersion\RunServices (100%)
...InternetSettings\5.0 (48%)
...CurrentVersion\Run (35%)full list | pass=1 (100%)
user=1 (100%)
server=StnyFtpd 0wns j0 (80%) | - | *@admin.com (98%)
paypal.com (79%)
PAYPAL.COM (77%)
de.yahoo.com (77%)
nitro.ucsc.edu (77%)
reconnect.in (77%)full list |
| AUGUST-D | 148 | Win2K-f (100%) | 445 (68%)
139 (32%) | 135 (100%)
500 (100%)
1026 (100%)
1027 (100%) | 1:3000003 (100%)
1:99913 (100%)
1:5001684 (92%)
1:2466 (68%) | 1028 (92%) | 1028 (100%) | delbot (100%)
ircbot (100%)
nirbot (100%)
rinbot (100%)
sdbot (100%)
hupigon (76%)full list | ntvdm.exe (100%) | - | a0a7e8... (49%)
None (20%)
a7c70c... (11%)
cefc8f... (7%)
5777cb... (7%)full list | ...Microsoft\DownloadManager (100%)
...InternetSettings\5.0 (100%)
...InternetSettings\Connections (100%)full list | - | UA=Mozilla/4.0 (compatibl... (100%)
filename=/zmon.exe (100%)
version=1.0 (100%)full list | - |
| AUGUST-E | 117 | WinXP (100%) | 445 (100%) | 113 (99%)
3067 (99%) | 1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:2001569 (99%)
555:5555005 (99%)full list | 445 (99%)
1032 (96%) | 1032 (76%) | korgo (100%)
padobot (100%)
ircbot (72%)
sdbot (72%)
lsabot (26%) | MSMSGS.EXE (100%)
random 5/6/7/8
character filename | ftpupd.exe (100%)
random 5/6/7/8
character filename | 7f6016... (72%)
32a0d7... (7%)
042774... (5%)full list | ...Microsoft\Wireless (100%) full list | - | - | brussels.be.eu.undernet.o... (100%)
caen.fr.eu.undernet.org (100%)
flanders.be.eu.undernet.o... (100%)
gaspode.zanet.org.za (100%)
graz.at.eu.undernet.org (100%)
lia.zanet.net (100%)full list |
| AUGUST-F | 37 | WinXP (100%) | 445 (97%) | 44445 (97%) | 1:99913 (100%)
1:2000032 (97%)
1:2000033 (97%)
1:2466 (97%)
1:3000004 (95%)
1:5001684 (70%)full list | 74 (57%) | 44445 (95%) | - | MSMSGS.EXE (100%) | index.dat (100%)
resource32w.exe (73%) | None (100%) | - | user=a (100%)
pass=a (97%)
exec=resource32w.exe (93%)
server=WinFtpd 1.2 (83%)
destport=1025 (40%) | - | - |
| AUGUST-G | 34 | WinXP (100%) | 445 (100%) | 80 (100%) | 1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:5001684 (100%)full list | 1032 (94%) | 80 (91%) | berbew (100%)
berkor (100%)
doxpar (100%)
padobot (100%)
korgo (94%)
padodor (79%) | MSMSGS.EXE (100%) | DCPROMO.LOG (100%)
index.dat (100%)
ndisrd.sys (100%)
random 6/7/8
character filename | a12cab... (79%)
df17a6... (9%)full list | ...ActivatingDocument\.Current (100%)
...CurrentVersion\InternetSettings (100%)
...FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN (100%)
...InternetSettings\Zones (100%)
...Main\FeatureControl (100%)
...Microsoft\Windows (100%)full list | - | - | 53bank.com (100%)
acrolein-hawk.rubanking.h... (100%)
alfabank.ru (100%)
asmworm.com (100%)
atmacasoft.com (100%)
barclays.com (100%)full list |
| AUGUST-H | 30 | Win2K-f (100%) | 445 (100%) | 135 (100%)
500 (100%)
1026 (100%)
44445 (100%) | 1:2000032 (100%)
1:2000046 (100%)
1:2466 (100%)
1:3000004 (100%)
1:99906 (100%) | - | 44445 (100%) | - | - | - | None (100%) | - | user=a (100%)
pass=a (91%)
server=WinFtpd 1.2 (73%)
exec=resource32w.exe (64%) | - | - |
| AUGUST-I | 11 | WinXP (100%) | 445 (100%) | 1033 (50%)
113 (40%) | 1:2001683 (100%)
1:5001684 (100%)
1:2000032 (82%)
1:2000033 (82%)
1:2466 (82%)
1:3000000 (82%)full list | 445 (91%)
1032 (73%) | 1032 (73%)
1061 (27%) | virut (100%)
vipre (91%)
virutas (91%)
korgo (82%)
gen33 (73%)
padobot (73%)full list | MSMSGS.EXE (100%)
random 6
character filename | HelpCtr.exe (100%)
HelpHost.exe (100%)
HelpSvc.exe (100%)
NOTEPAD.EXE (100%)
UploadM.exe (100%)
accwiz.exe (100%)full list | - | ...Microsoft\Wireless (80%) full list | pass=1 (100%)
server=StnyFtpd 0wns j0 (100%)
user=1 (100%) | - | *@admin.com (50%)
PAYPAL.COM (50%)
broadway.ny.us.dal.net (50%)
brussels.be.eu.undernet.o... (50%)
caen.fr.eu.undernet.org (50%)
ced.dal.net (50%)full list |
| AUGUST-J | 9 | WinXP (100%) | 445 (100%) | - | 1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)full list | 1032 (100%)
445 (89%) | 1032 (100%)
1062 (33%) | korgo (100%)
lsabot (100%)
padobot (100%)
parite (100%)
pinfi (100%)
win32_parite_b (100%)full list | MSMSGS.EXE (100%) | ftpupd.exe (100%)
random 4
character filename | 736531... (56%) full list | ...Microsoft\Wireless (100%) full list | - | - | - |
| AUGUST-K | 8 | WinXP (100%) | 1034 (62%)
445 (25%) | 9996 (88%)
5554 (50%)
445 (38%)
1028 (25%)
1842 (25%)
1844 (25%)full list | 1:99913 (100%)
1:2000047 (88%)
1:2466 (88%)
1:2001056 (62%)
1:2001569 (50%)
1:3000004 (50%)full list | 9996 (88%)
445 (50%) | 9996 (50%)
1083 (25%) | jobaka (67%)
bbju (33%)
injeven (33%)
poebot (33%)
rizo (33%) | MSMSGS.EXE (100%)
random 8
character filename | index.dat (100%)
avserve2.exe (50%) | 1a2c0e... (25%)
831f4e... (25%)
None (25%)full list | - | user=anonymous (100%)
pass=bin (86%)
server=OK (71%)
destport=1025 (29%) | - | - |
| AUGUST-L | 7 | WinXP (100%) | 445 (100%) | 1032 (100%) | 1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)full list | 1032 (100%) | 1032 (100%) | - | MSMSGS.EXE (100%) | - | None (100%) | - | - | - | - |
| AUGUST-M | 6 | Win2K-f (100%) | 445 (100%) | 135 (100%)
500 (100%)
1026 (100%) | 1:1390 (100%)
1:2001944 (100%)
1:3000006 (100%)
1:99998 (100%)
1:3003 (83%) | 445 (100%) | - | - | - | - | None (100%) | - | user=1 (100%)
pass=1 (67%)
server=StnyFtpd 0wns j0 (67%) | - | - |