Behavioral Pattern Analysis: 3701 samples, 23 behavioral profiles

Each behavioral profile below is one row of the original table. Fields, in the table's column order: Pattern, Number of samples, Target OS, Infection port, Listen ports, Snort IDs, Egg-download ports, Upload ports, Antivirus labels, Processes created, Executables modified, MD5 (packed), Registry keys, FTP chatter, HTTP chatter, Domain names. A percentage is the share of the profile's samples showing that value; "-" is an empty cell; "[full list]" marks a cell where the original page linked to a longer list than the entries shown.

Pattern: JUL-AUG A
  Number of samples:    915
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:3000000 (100%), 1:3000003 (100%), 1:99913 (100%) [full list]
  Egg-download ports:   445 (98%), 1031 (58%), 1032 (42%)
  Upload ports:         1031 (58%), 1032 (42%)
  Antivirus labels:     korgo (100%), padobot (100%), lsabot (99%)
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (100%), random 5/6/7/8-character filename
  MD5 (packed):         7d99b0... (45%), 3ae357... (8%), a0139d... (8%), 986b59... (6%), d42c1c... (6%) [full list]
  Registry keys:        ...Microsoft\Wireless (100%) [full list]
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG B
  Number of samples:    576
  Target OS:            WinXP (55%), Win2K-f (45%)
  Infection port:       445 (89%)
  Listen ports:         113 (75%), 135 (51%), 500 (51%), 1026 (51%)
  Snort IDs:            1:5001684 (100%), 1:1390 (100%), 1:99998 (100%), 1:2001683 (96%), 1:2001944 (90%), 1:3003 (89%) [full list]
  Egg-download ports:   445 (89%), 68 (44%), 73 (43%)
  Upload ports:         -
  Antivirus labels:     vipre (84%), sdbot (68%), sheur (42%), rbot (38%), ircbot (37%), spybot (33%) [full list]
  Processes created:    MSMSGS.EXE (55%), random 8/9/10-character filename
  Executables modified: o (100%)
  MD5 (packed):         df2a3e... (9%), 817fcb... (7%) [full list]
  Registry keys:        ...CurrentVersion\RunServices (100%), ...InternetSettings\5.0 (45%), ...Microsoft\OLE (33%), ...CurrentVersion\Run (30%) [full list]
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (67%), exec=windservc.exe (28%)
  HTTP chatter:         -
  Domain names:         *@admin.com (96%), PAYPAL.COM (69%), de.yahoo.com (69%), nitro.ucsc.edu (69%), paypal.com (69%), reconnect.in (69%) [full list]

Pattern: JUL-AUG C
  Number of samples:    543
  Target OS:            Win2K-f (100%)
  Infection port:       445 (72%), 139 (27%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%), 1027 (100%), 445 (37%)
  Snort IDs:            1:3000003 (100%), 1:99913 (100%), 1:5001684 (87%), 1:2466 (73%), 1:2001683 (27%)
  Egg-download ports:   1028 (91%)
  Upload ports:         1028 (100%)
  Antivirus labels:     ircbot (100%), sdbot (100%), delbot (100%), rinbot (100%), nirbot (99%), hupigon (69%) [full list]
  Processes created:    ntvdm.exe (100%)
  Executables modified: -
  MD5 (packed):         a0a7e8... (39%), None (21%), a7c70c... (10%), 5777cb... (10%), cefc8f... (9%) [full list]
  Registry keys:        ...Microsoft\DownloadManager (100%), ...InternetSettings\5.0 (100%), ...InternetSettings\Connections (100%) [full list]
  FTP chatter:          -
  HTTP chatter:         UA=Mozilla/4.0 (compatibl... (100%), filename=/zmon.exe (100%), version=1.0 (100%) [full list]
  Domain names:         -

Pattern: JUL-AUG E
  Number of samples:    356
  Target OS:            Win2K-f (59%), WinXP (41%)
  Infection port:       445 (99%)
  Listen ports:         44445 (99%), 135 (59%), 500 (59%), 1026 (59%)
  Snort IDs:            1:2000032 (99%), 1:2466 (99%), 1:3000004 (99%), 1:5001684 (97%), 1:2001683 (96%), 555:5555005 (77%) [full list]
  Egg-download ports:   68 (57%)
  Upload ports:         44445 (98%)
  Antivirus labels:     sdbot (99%), spybot (97%), rbot (97%), mybot (92%), sdbo (90%)
  Processes created:    MSMSGS.EXE (44%), random 9-character filename
  Executables modified: index.dat (64%), resource32w.exe (62%), Abort (26%), random 17-character filename
  MD5 (packed):         7fdfe3... (69%), None (21%) [full list]
  Registry keys:        ...CurrentVersion\RunServices (99%), ...Microsoft\OLE (98%), ...InternetSettings\5.0 (65%), ...InternetSettings\Connections (65%) [full list]
  FTP chatter:          exec=resource32w.exe (99%), pass=a (98%), user=a (98%), server=WinFtpd 1.2 (95%)
  HTTP chatter:         -
  Domain names:         *@celestial.org (100%)

Pattern: JUL-AUG D
  Number of samples:    305
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         113 (93%), 3067 (92%)
  Snort IDs:            1:2000032 (99%), 1:2000033 (99%), 1:2466 (99%), 1:99913 (99%), 1:2001683 (99%), 555:5555005 (97%) [full list]
  Egg-download ports:   445 (97%), 1031 (58%), 1032 (42%)
  Upload ports:         1031 (47%), 1032 (36%)
  Antivirus labels:     korgo (99%), padobot (99%), ircbot (67%), sdbot (67%), lsabot (27%)
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (99%)
  MD5 (packed):         7f6016... (66%), 042774... (6%) [full list]
  Registry keys:        ...Microsoft\Wireless (99%) [full list]
  FTP chatter:          pass=1 (100%), server=StnyFtpd 0wns j0 (100%), user=1 (100%)
  HTTP chatter:         -
  Domain names:         brussels.be.eu.undernet.o... (100%), caen.fr.eu.undernet.org (100%), flanders.be.eu.undernet.o... (100%), gaspode.zanet.org.za (100%), graz.at.eu.undernet.org (100%), lia.zanet.net (100%) [full list]

Pattern: JUL-AUG H
  Number of samples:    166
  Target OS:            Win2K-f (99%)
  Infection port:       445 (100%)
  Listen ports:         135 (99%), 500 (99%), 1026 (99%), 44445 (98%), 1027 (44%), 1028 (44%)
  Snort IDs:            1:2000032 (100%), 1:2466 (100%), 1:3000004 (100%), 1:2000046 (99%), 1:99906 (99%), 1:5001684 (28%) [full list]
  Egg-download ports:   68 (25%)
  Upload ports:         44445 (98%)
  Antivirus labels:     biww (100%), ircbot (100%), mybot (100%), rbot (100%), robobot (100%), spybot (100%) [full list]
  Processes created:    ftp.exe (93%)
  Executables modified: -
  MD5 (packed):         None (98%)
  Registry keys:        -
  FTP chatter:          user=a (97%), pass=a (96%), exec=resource32w.exe (94%), server=WinFtpd 1.2 (87%), destport=1028 (53%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG F
  Number of samples:    149
  Target OS:            WinXP (100%)
  Infection port:       445 (81%), 139 (19%)
  Listen ports:         1032 (99%), 1033 (89%)
  Snort IDs:            1:1390 (90%), 1:99998 (90%), 1:2001944 (71%), 1:3000006 (71%), 1:3003 (70%)
  Egg-download ports:   445 (71%)
  Upload ports:         -
  Antivirus labels:     sdbot (100%), rbot (67%)
  Processes created:    MSMSGS.EXE (100%), ftp.exe (79%)
  Executables modified: index.dat (100%), o (86%)
  MD5 (packed):         None (98%)
  Registry keys:        -
  FTP chatter:          pass=1 (100%), user=1 (100%), destport=1033 (87%), server=StnyFtpd 0wns j0 (73%), exec=Windows (38%), destIP=10.2.32.214 (32%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG G
  Number of samples:    114
  Target OS:            WinXP (52%), Win2K-f (48%)
  Infection port:       445 (100%)
  Listen ports:         135 (85%), 500 (85%), 1026 (85%)
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:99998 (100%), 1:3003 (99%), 1:3000006 (97%), 1:2001683 (94%) [full list]
  Egg-download ports:   445 (97%), 68 (46%), 73 (44%)
  Upload ports:         -
  Antivirus labels:     sdbot (94%), rbot (90%), vipre (90%), spybot (71%), dnascan (69%), mybot (62%) [full list]
  Processes created:    MSMSGS.EXE (69%), random 10-character filename
  Executables modified: o (100%), index.dat (86%), windservc.exe (27%)
  MD5 (packed):         None (54%), d40063... (9%), c4709f... (8%), fc3e35... (7%) [full list]
  Registry keys:        ...CurrentVersion\RunServices (100%), ...CurrentVersion\Run (38%), ...InternetSettings\5.0 (38%) [full list]
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (95%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG J
  Number of samples:    107
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         80 (100%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), 1:99913 (100%) [full list]
  Egg-download ports:   1031 (70%), 1032 (30%)
  Upload ports:         80 (94%)
  Antivirus labels:     berbew (100%), berkor (100%), doxpar (100%), padobot (100%), korgo (95%), padodor (71%) [full list]
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: ndisrd.sys (100%), DCPROMO.LOG (98%), index.dat (98%), random 6/7/8-character filename
  MD5 (packed):         a12cab... (69%), df17a6... (21%) [full list]
  Registry keys:        ...CurrentVersion\InternetSettings (100%), ...InternetSettings\Zones (100%), ...Windows\CurrentVersion (100%), ...Zones\0 (100%), ...Zones\1 (100%), ...Zones\2 (100%) [full list]
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         53bank.com (100%), acrolein-hawk.rubanking.h... (100%), alfabank.ru (100%), asmworm.com (100%), atmacasoft.com (100%), barclays.com (100%) [full list]

Pattern: JUL-AUG I
  Number of samples:    98
  Target OS:            Win2K-f (100%)
  Infection port:       445 (84%), 139 (16%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%), 1027 (92%), 1028 (92%)
  Snort IDs:            1:1390 (100%), 1:99998 (100%), 1:2001944 (84%), 1:3000006 (84%), 1:3003 (81%)
  Egg-download ports:   445 (84%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    ftp.exe (99%)
  Executables modified: -
  MD5 (packed):         None (99%)
  Registry keys:        -
  FTP chatter:          user=1 (100%), pass=1 (99%), destport=1028 (81%), server=StnyFtpd 0wns j0 (80%), destIP=10.2.32.201 (47%), exec=Windows (39%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG K
  Number of samples:    75
  Target OS:            WinXP (100%)
  Infection port:       445 (96%)
  Listen ports:         44445 (90%), 1032 (82%), 1033 (82%)
  Snort IDs:            1:2000032 (91%), 1:2000033 (91%), 1:2466 (91%), 1:99913 (91%), 1:3000004 (89%)
  Egg-download ports:   -
  Upload ports:         44445 (88%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%), ftp.exe (79%)
  Executables modified: index.dat (99%), o (80%)
  MD5 (packed):         None (99%)
  Registry keys:        -
  FTP chatter:          user=a (87%), destport=1033 (85%), pass=a (85%), server=WinFtpd 1.2 (84%), exec=resource32w.exe (82%), destIP=10.2.32.214 (31%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG Q
  Number of samples:    51
  Target OS:            WinXP (65%), Win2K-f (35%)
  Infection port:       445 (88%)
  Listen ports:         135 (39%), 500 (39%), 1026 (39%)
  Snort IDs:            1:5001684 (78%), 1:2001683 (67%), 1:2000032 (51%), 1:2466 (51%), 555:5555005 (51%), 1:99913 (45%) [full list]
  Egg-download ports:   445 (69%), 1032 (33%), 1028 (29%)
  Upload ports:         -
  Antivirus labels:     sdbot (59%), linkbot (48%), rbot (43%), poebot (37%), korgo (30%), lsabot (30%) [full list]
  Processes created:    MSMSGS.EXE (69%), random 5/6/7/8/9-character filename
  Executables modified: ftpupd.exe (48%), index.dat (41%), o (31%), random 8-character filename
  MD5 (packed):         7d99b0... (16%), 2aa59b... (14%), 04af72... (6%), 0a0261... (6%), 7fdfe3... (6%), 97ac56... (6%) [full list]
  Registry keys:        ...Microsoft\Wireless (58%), ...CurrentVersion\RunServices (38%) [full list]
  FTP chatter:          server=- (67%), pass=1 (61%), user=1 (45%), exec=resource32w.exe (36%), pass=a (36%), user=a (33%)
  HTTP chatter:         -
  Domain names:         SOFTWARE\Classes\Applicat... (100%), paypal.com (100%), ..έ..Π..Z..\ΠΡΡΡΡ..ΠΡΡX... (43%) [full list]

Pattern: JUL-AUG R
  Number of samples:    48
  Target OS:            WinXP (60%), Win2K-f (40%)
  Infection port:       445 (56%), 135 (29%), 139 (10%)
  Listen ports:         500 (42%), 1026 (42%)
  Snort IDs:            1:99913 (100%), 1:5001684 (83%), 1:3000003 (67%), 1:2001683 (59%), 1:2466 (59%), 1:2000032 (54%) [full list]
  Egg-download ports:   1032 (57%), 445 (48%)
  Upload ports:         1032 (52%)
  Antivirus labels:     korgo (58%), padobot (58%), lsabot (56%), sdbot (33%), ircbot (31%), spybot (31%) [full list]
  Processes created:    MSMSGS.EXE (60%), ntvdm.exe (38%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (88%), random 5/6/8-character filename
  MD5 (packed):         7d99b0... (23%), None (21%), 5ddac0... (12%), 259613... (8%) [full list]
  Registry keys:        ...Microsoft\Wireless (52%), ...InternetSettings\5.0 (43%), ...InternetSettings\Connections (43%), ...Microsoft\SecurityCenter (26%), ...Microsoft\WindowsFirewall (26%), ...Software\Symantec (26%) [full list]
  FTP chatter:          -
  HTTP chatter:         UA=Mozilla/4.0 (compatibl... (100%), filename=/zmon.exe (100%), version=1.0 (100%), sourceIP=194.204.177.59 (29%) [full list]
  Domain names:         .com (100%), .net (100%), .org (100%), .ru (100%), http://tn0828-web.hp.info... (100%), http://www.anonymitytest.... (100%) [full list]

Pattern: JUL-AUG L
  Number of samples:    41
  Target OS:            WinXP (95%)
  Infection port:       445 (71%), 1033 (17%), 1034 (12%)
  Listen ports:         9996 (92%), 1032 (54%), 1033 (54%), 5554 (28%)
  Snort IDs:            1:2466 (98%), 1:99913 (93%), 1:2000047 (88%), 1:3000004 (78%), 555:5555005 (32%), 1:2001056 (29%) [full list]
  Egg-download ports:   9996 (88%), 445 (32%)
  Upload ports:         9996 (73%)
  Antivirus labels:     jobaka (85%)
  Processes created:    MSMSGS.EXE (98%), ftp.exe (52%), random 7/8-character filename
  Executables modified: index.dat (97%), cmd.ftp (58%), avserve2.exe (29%), random 8-character filename
  MD5 (packed):         None (63%), 1a2c0e... (20%), 831f4e... (7%) [full list]
  Registry keys:        ...Reliability\UserDefined (50%) [full list]
  FTP chatter:          user=anonymous (95%), pass=bin (89%), server=OK (87%), destport=1033 (55%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG M
  Number of samples:    35
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2001683 (100%), 1:5001684 (100%), 1:2000032 (97%), 1:2000033 (97%), 1:2466 (97%), 1:99913 (97%) [full list]
  Egg-download ports:   445 (86%), 1031 (66%), 1032 (31%)
  Upload ports:         1031 (66%), 1032 (26%)
  Antivirus labels:     korgo (97%), parite (97%), pinfi (97%), lsabot (86%), padobot (83%), win32_parite_b (71%) [full list]
  Processes created:    MSMSGS.EXE (100%), random 5/6/7/8-character filename
  Executables modified: ftpupd.exe (97%), random 4/5/6/7/8-character filename
  MD5 (packed):         736531... (46%), 86d186... (11%), 199fd8... (6%), 2edcd6... (6%) [full list]
  Registry keys:        ...Microsoft\Wireless (97%) [full list]
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG N
  Number of samples:    19
  Target OS:            Win2K-f (100%)
  Infection port:       445 (100%)
  Listen ports:         135 (100%), 500 (100%), 1026 (100%)
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:3000006 (100%), 1:3003 (100%), 1:99998 (100%)
  Egg-download ports:   445 (100%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    -
  Executables modified: -
  MD5 (packed):         None (100%)
  Registry keys:        -
  FTP chatter:          pass=1 (100%), user=1 (100%), server=StnyFtpd 0wns j0 (62%), exec=windservc.exe (25%), server=NzmxFtpd 0wns j0 (25%)
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG O
  Number of samples:    17
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:1390 (100%), 1:2001944 (100%), 1:3000006 (100%), 1:3003 (100%), 1:99998 (100%)
  Egg-download ports:   445 (100%)
  Upload ports:         -
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: index.dat (94%), o (82%)
  MD5 (packed):         None (94%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG P
  Number of samples:    15
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         1031 (53%), 44445 (47%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:99913 (100%), 1:2001683 (53%), 1:5001684 (53%) [full list]
  Egg-download ports:   1031 (53%)
  Upload ports:         44445 (47%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: index.dat (100%), ftpupd.exe (53%)
  MD5 (packed):         None (93%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG U
  Number of samples:    13
  Target OS:            WinXP (54%), Win2K-f (46%)
  Infection port:       445 (100%)
  Listen ports:         113 (50%)
  Snort IDs:            1:2001683 (100%), 1:5001684 (100%), 1:2000032 (92%), 1:2466 (92%), 1:3000003 (77%), 555:5555005 (77%) [full list]
  Egg-download ports:   445 (54%), 1028 (38%), 1032 (31%)
  Upload ports:         44445 (38%), 1032 (31%)
  Antivirus labels:     bobax (83%), bobic (67%), vipre (58%), korgo (50%), lsabot (50%), padobot (50%) [full list]
  Processes created:    MSMSGS.EXE (75%)
  Executables modified: ftpupd.exe (100%)
  MD5 (packed):         7c0547... (15%) [full list]
  Registry keys:        ...Microsoft\Wireless (75%) [full list]
  FTP chatter:          exec=resource32w.exe (83%), pass=a (83%), server=- (83%), user=a (50%)
  HTTP chatter:         -
  Domain names:         SOFTWARE\Classes\Applicat... (100%), paypal.com (100%) [full list]

Pattern: JUL-AUG S
  Number of samples:    12
  Target OS:            WinXP (92%)
  Infection port:       445 (100%)
  Listen ports:         1031 (92%)
  Snort IDs:            1:2000032 (92%), 1:2000033 (92%), 1:2466 (92%), 1:3000003 (92%), 1:99913 (92%)
  Egg-download ports:   -
  Upload ports:         1031 (92%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (92%)
  Executables modified: -
  MD5 (packed):         None (92%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG T
  Number of samples:    9
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001569 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%) [full list]
  Egg-download ports:   445 (100%), 1031 (100%)
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: ftpupd.exe (100%)
  MD5 (packed):         None (33%)
  Registry keys:        ...Microsoft\Wireless (100%) [full list]
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG W
  Number of samples:    6
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         -
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2466 (100%), 1:3000003 (100%), 1:99913 (100%)
  Egg-download ports:   -
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: -
  MD5 (packed):         None (100%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -

Pattern: JUL-AUG V
  Number of samples:    6
  Target OS:            WinXP (100%)
  Infection port:       445 (100%)
  Listen ports:         1031 (100%)
  Snort IDs:            1:2000032 (100%), 1:2000033 (100%), 1:2001683 (100%), 1:2466 (100%), 1:3000000 (100%), 1:3000003 (100%) [full list]
  Egg-download ports:   1031 (100%)
  Upload ports:         1031 (100%)
  Antivirus labels:     -
  Processes created:    MSMSGS.EXE (100%)
  Executables modified: -
  MD5 (packed):         None (83%)
  Registry keys:        -
  FTP chatter:          -
  HTTP chatter:         -
  Domain names:         -