Behavioral Pattern Analysis: 2436 samples, 23 behavioral profiles

Pattern

Number of
samples

Target OS

Infection port

Listen ports

Snort IDs

Egg-download
ports

Upload ports

Antivirus labels

Processes created

Executables modified

MD5 (packed)

Registry keys

FTP chatter

HTTP chatter

Domain names

JULYA

514

WinXP (100%)

445 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)
1:99913 (100%)

full list

1031 (100%)
445 (98%)

1031 (100%)

korgo (100%)
padobot (100%)
lsabot (99%)

MSMSGS.EXE (100%)

random 5/6/7/8
character filename

ftpupd.exe (100%)

random 5/6/7/8
character filename

7d99b0... (39%)
3ae357... (9%)
986b59... (8%)
a0139d... (8%)
d42c1c... (7%)

full list

...Microsoft\Wireless (100%)

full list

JULYB

446

WinXP (57%)
Win2K-f (43%)

445 (86%)
139 (12%)

113 (74%)
135 (51%)
500 (51%)
1026 (51%)

1:5001684 (100%)
1:1390 (100%)
1:99998 (100%)
1:2001683 (94%)
1:2001944 (88%)
1:3003 (87%)

full list

445 (86%)
73 (55%)
68 (43%)

vipre (81%)
sdbot (66%)
sheur (40%)
rbot (40%)
ircbot (39%)
spybot (34%)

full list

MSMSGS.EXE (57%)

random 8/9/10
character filename

o (100%)

df2a3e... (11%)
817fcb... (9%)

full list

...CurrentVersion\RunServices (100%)
...InternetSettings\5.0 (43%)
...Microsoft\OLE (37%)
...CurrentVersion\Run (28%)

full list

pass=1 (100%)
user=1 (100%)
server=StnyFtpd 0wns j0 (63%)
exec=windservc.exe (30%)
server=NzmxFtpd 0wns j0 (25%)

*@admin.com (96%)
PAYPAL.COM (69%)
de.yahoo.com (69%)
nitro.ucsc.edu (69%)
paypal.com (69%)
reconnect.in (69%)

full list

JULYC

402

Win2K-f (100%)

445 (73%)
139 (27%)

135 (100%)
500 (100%)
1026 (100%)
1027 (100%)
445 (41%)

1:3000003 (100%)
1:99913 (100%)
1:5001684 (83%)
1:2466 (74%)
1:2001683 (28%)

1028 (88%)

1028 (100%)

ircbot (100%)
sdbot (100%)
delbot (99%)
rinbot (99%)
nirbot (99%)
hupigon (67%)

full list

ntvdm.exe (100%)

a0a7e8... (35%)
None (23%)
5777cb... (11%)
a7c70c... (10%)
cefc8f... (9%)

full list

...Microsoft\DownloadManager (100%)
...InternetSettings\5.0 (100%)
...InternetSettings\Connections (100%)

full list

UA=Mozilla/4.0 (compatibl... (100%)
filename=/zmon.exe (100%)
version=1.0 (100%)

full list

JULYD

171

WinXP (100%)

445 (100%)

113 (95%)
3067 (95%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:2001683 (99%)
555:5555005 (98%)

full list

1031 (100%)
445 (97%)

1031 (81%)

korgo (100%)
padobot (100%)
ircbot (68%)
sdbot (68%)
lsabot (28%)

MSMSGS.EXE (100%)

random 5/6/7/8
character filename

ftpupd.exe (100%)

random 7/8
character filename

7f6016... (68%)
042774... (7%)

full list

...Microsoft\Wireless (100%)

full list

brussels.be.eu.undernet.o... (100%)
caen.fr.eu.undernet.org (100%)
flanders.be.eu.undernet.o... (100%)
gaspode.zanet.org.za (100%)
graz.at.eu.undernet.org (100%)
lia.zanet.net (100%)

full list

JULYE

168

Win2K-f (61%)
WinXP (39%)

445 (100%)

44445 (100%)
135 (60%)
500 (60%)
1026 (60%)

1:2000032 (100%)
1:2466 (100%)
1:3000004 (100%)
1:5001684 (98%)
1:2001683 (95%)
555:5555005 (71%)

full list

68 (57%)
73 (36%)

44445 (100%)

sdbot (99%)
spybot (97%)
rbot (97%)
mybot (92%)
sdbo (88%)

MSMSGS.EXE (47%)

random 9
character filename

index.dat (62%)
resource32w.exe (59%)
Abort (32%)

7fdfe3... (61%)
None (28%)

full list

...CurrentVersion\RunServices (100%)
...Microsoft\OLE (99%)
...InternetSettings\5.0 (62%)
...InternetSettings\Connections (62%)

full list

exec=resource32w.exe (99%)
pass=a (98%)
user=a (98%)
server=WinFtpd 1.2 (93%)

*@celestial.org (100%)

JULYF

128

WinXP (100%)

445 (78%)
139 (21%)

1032 (99%)
1033 (99%)

1:1390 (99%)
1:99998 (99%)
1:2001944 (78%)
1:3000006 (78%)
1:3003 (78%)

445 (78%)

sdbot (100%)

MSMSGS.EXE (100%)
ftp.exe (92%)

index.dat (100%)
o (88%)

None (98%)

pass=1 (100%)
user=1 (100%)
destport=1033 (90%)
server=StnyFtpd 0wns j0 (73%)
exec=Windows (39%)
destIP=10.2.32.214 (33%)

JULYG

109

WinXP (52%)
Win2K-f (48%)

445 (100%)

135 (85%)
500 (85%)
1026 (85%)

1:1390 (100%)
1:2001944 (100%)
1:99998 (100%)
1:3003 (99%)
1:3000006 (97%)
1:2001683 (94%)

full list

445 (97%)
68 (47%)
73 (46%)

sdbot (94%)
rbot (90%)
vipre (90%)
dnascan (71%)
spybot (71%)
mybot (63%)

full list

MSMSGS.EXE (70%)

random 10
character filename

o (100%)
index.dat (88%)
windservc.exe (28%)

None (55%)
d40063... (9%)
c4709f... (8%)
fc3e35... (6%)

full list

...CurrentVersion\RunServices (100%)
...CurrentVersion\Run (36%)
...InternetSettings\5.0 (36%)

full list

pass=1 (100%)
user=1 (100%)
server=StnyFtpd 0wns j0 (94%)

JULYH

Win2K-f (100%)

445 (100%)

135 (100%)
500 (100%)
1026 (100%)
44445 (99%)
1027 (79%)
1028 (79%)

1:2000032 (100%)
1:2000046 (100%)
1:2466 (100%)
1:3000004 (100%)
1:99906 (100%)

44445 (99%)

ftp.exe (100%)

None (100%)

exec=resource32w.exe (99%)
user=a (99%)
pass=a (97%)
destport=1028 (91%)
server=WinFtpd 1.2 (91%)
destIP=10.2.32.203 (35%)

full list

JULYI

Win2K-f (100%)

445 (84%)
139 (16%)

135 (100%)
500 (100%)
1026 (100%)
1027 (100%)
1028 (100%)

1:1390 (100%)
1:99998 (100%)
1:2001944 (84%)
1:3000006 (84%)
1:3003 (82%)

445 (84%)

ftp.exe (100%)

None (100%)

pass=1 (100%)
user=1 (100%)
destport=1028 (88%)
server=StnyFtpd 0wns j0 (81%)
destIP=10.2.32.201 (51%)
exec=Windows (42%)

JULYJ

WinXP (100%)

445 (100%)

80 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:99913 (100%)

full list

1031 (100%)

80 (96%)

berbew (100%)
berkor (100%)
doxpar (100%)
padobot (100%)
korgo (96%)
padodor (66%)

full list

MSMSGS.EXE (100%)

ndisrd.sys (100%)
DCPROMO.LOG (97%)
index.dat (97%)

random 6/7/8
character filename

a12cab... (64%)
df17a6... (26%)

full list

...CurrentVersion\InternetSettings (100%)
...InternetSettings\Zones (100%)
...Windows\CurrentVersion (100%)
...Zones\0 (100%)
...Zones\1 (100%)
...Zones\2 (100%)

full list

53bank.com (100%)
acrolein-hawk.rubanking.h... (100%)
alfabank.ru (100%)
asmworm.com (100%)
atmacasoft.com (100%)
barclays.com (100%)

full list

JULYK

WinXP (100%)

445 (95%)

1032 (97%)
1033 (97%)
44445 (88%)

1:3000004 (92%)
1:2000032 (90%)
1:2000033 (90%)
1:2466 (90%)
1:99913 (90%)

44445 (90%)

MSMSGS.EXE (100%)
ftp.exe (97%)

index.dat (100%)
o (95%)

None (100%)

destport=1033 (95%)
pass=a (88%)
user=a (88%)
exec=resource32w.exe (87%)
server=WinFtpd 1.2 (85%)
destIP=10.2.32.214 (35%)

full list

JULYL

WinXP (100%)

445 (76%)
1033 (24%)

9996 (100%)
1032 (72%)
1033 (72%)

1:2000047 (100%)
1:2466 (100%)
1:99913 (100%)
1:3000004 (90%)

9996 (100%)

9996 (90%)

jobaka (100%)

MSMSGS.EXE (100%)
ftp.exe (72%)

random 8
character filename

index.dat (100%)
cmd.ftp (72%)

random 8
character filename

None (76%)
1a2c0e... (21%)

full list

user=anonymous (100%)
pass=bin (97%)
server=OK (97%)
destport=1033 (72%)
destIP=10.2.32.214 (28%)

JULYM

WinXP (100%)

445 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2001683 (100%)
1:2466 (100%)
1:3000000 (100%)
1:3000003 (100%)

full list

1031 (100%)
445 (82%)

1031 (100%)
1058 (27%)

korgo (100%)
parite (100%)
pinfi (100%)
lsabot (91%)
padobot (77%)
win32_parite_b (68%)

full list

MSMSGS.EXE (100%)

random 5/6/7
character filename

ftpupd.exe (100%)

random 4/5/6/7
character filename

736531... (50%)
86d186... (18%)
199fd8... (9%)

full list

...Microsoft\Wireless (100%)

full list

JULYN

Win2K-f (100%)

445 (100%)

135 (100%)
500 (100%)
1026 (100%)

1:1390 (100%)
1:2001944 (100%)
1:3000006 (100%)
1:3003 (100%)
1:99998 (100%)

445 (100%)

None (100%)

pass=1 (100%)
user=1 (100%)
server=StnyFtpd 0wns j0 (62%)
exec=windservc.exe (25%)
server=NzmxFtpd 0wns j0 (25%)

JULYO

WinXP (100%)

445 (100%)

1:1390 (100%)
1:2001944 (100%)
1:3000006 (100%)
1:3003 (100%)
1:99998 (100%)

445 (100%)

MSMSGS.EXE (100%)

index.dat (100%)
o (81%)

None (100%)

JULYP

WinXP (100%)

445 (100%)

1031 (53%)
44445 (47%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:99913 (100%)
1:2001683 (53%)
1:5001684 (53%)

full list

1031 (53%)

44445 (47%)

MSMSGS.EXE (100%)

index.dat (100%)
ftpupd.exe (53%)

None (93%)

JULYQ

WinXP (54%)
Win2K-f (46%)

445 (92%)

69 (75%)
135 (75%)
500 (75%)
1026 (75%)
1030 (62%)
1168 (62%)

full list

1:1390 (85%)
1:99998 (85%)
1:2001944 (77%)
1:3000006 (77%)
1:5001684 (77%)
1:3003 (69%)

full list

445 (77%)
1033 (54%)
1028 (46%)
135 (38%)

1030 (38%)
1034 (31%)

linkbot (100%)
sdbot (92%)
ircbot (69%)
poebot (69%)
rbot (62%)
ircbrute (46%)

full list

MSMSGS.EXE (54%)

index.dat (100%)
o (71%)

04af72... (23%)
2aa59b... (15%)
6f4858... (15%)
97ac56... (15%)

full list

server=- (100%)
pass=1 (85%)
user=1 (46%)

SOFTWARE\Classes\Applicat... (100%)
paypal.com (100%)
..�..�..Z..\��..��X... (43%)

full list

JULYR

Win2K-f (91%)

135 (91%)

500 (91%)
1026 (91%)

1:5001684 (100%)
1:99913 (100%)

1027 (100%)

ircbot (91%)
petribot (91%)
sdbot (91%)
spybot (91%)
tilebot (91%)
generic5 (55%)

full list

ntvdm.exe (100%)

5ddac0... (55%)
259613... (36%)

full list

...Microsoft\SecurityCenter (100%)
...Microsoft\WindowsFirewall (100%)
...Software\Symantec (100%)
...Symantec\LiveUpdateAdmin (100%)
...WindowsFirewall\DomainProfile (100%)
...WindowsFirewall\StandardProfile (100%)

full list

.com (100%)
.net (100%)
.org (100%)
.ru (100%)
http://tn0828-web.hp.info... (100%)
http://www.anonymitytest.... (100%)

full list

JULYS

WinXP (100%)

445 (100%)

1031 (100%)

1:2000032 (100%)
1:2000033 (100%)
1:2466 (100%)
1:3000003 (100%)
1:99913 (100%)

1031 (100%)

MSMSGS.EXE (100%)

None (100%)

JULYT