Pattern C

787 samples (mostly WinXP)


Ports
Infection | Listen | Egg-download
usually 445
1032 (76%)
1033 (76%)
445 (41%)
Filenames
Processes | Executables
MSMSGS.EXE (100%)
ftp.exe (76%)
index.dat (100%)
o (71%)
Snort IDs
1:99913 (51%)
1:2466 (50%)
1:1390 (49%)
1:99998 (49%)
1:3000004 (47%)
1:2001944 (40%)
1:3000006 (40%)
1:3003 (39%)
1:2000032 (34%)
1:2000033 (34%)
Network chatter
FTP
destport=1033 (75%)
pass=1 (46%)
user=1 (46%)
server=StnyFtpd 0wns j0 (37%)
Static analysis
MD5
mostly None