Pattern G

160 samples (mostly WinXP)


Ports
  Infection     Listen      Egg-download   Upload
  mostly 445    80 (99%)    1031 (98%)     80 (94%)
Filenames
  Processes           Executables
  MSMSGS.EXE (99%)    ndisrd.sys (99%)
                      index.dat (95%)
                      DCPROMO.LOG (94%)
                      random 6/7/8 character filename
Registry keys
HKEY_USERS@...InternetSettings\Zones (99%)
HKEY_USERS@...Zones\0 (99%)
HKEY_USERS@...Zones\1 (99%)
HKEY_USERS@...Zones\2 (99%)
HKEY_USERS@...Zones\3 (99%)
HKEY_USERS@...Zones\4 (99%)
HKEY_LOCAL_MACHINE@...CurrentVersion\InternetSettings (99%)
HKEY_LOCAL_MACHINE@...InternetSettings\Zones (99%)
HKEY_LOCAL_MACHINE@...Windows\CurrentVersion (99%)
HKEY_LOCAL_MACHINE@...Zones\0 (99%)
Snort IDs
1:99913 (99%)
1:2000032 (98%)
1:2001683 (98%)
1:2000033 (97%)
1:2466 (97%)
1:3000000 (97%)
1:5001684 (42%)
Static analysis
  MD5                                         Antivirus labels
  None (41%)                                  berbew (38%)
  a12cab51ef99e98305668d189d0db147 (25%)      berkor (38%)
  df17a625eec94cdcd4b1b7998c099d87 (8%)       padobot (38%)
                                              doxpar (36%)
                                              hangup (36%)
                                              korgo (34%)
                                              padodor (26%)
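The percentages in the tables above are the share of the 160 samples that showed each indicator, so they can be used as weights when checking whether a new sandbox run fits Pattern G. The script below is an added example, not part of this page or of the tool that produced these tables; it transcribes the indicators, parses the "name (NN%)" entries, and scores a sample's observed ports, filenames, registry keys and Snort SIDs against them. The registry keys on the page are elided in the middle as "@...", so the matcher compares only the hive and the visible tail and never fills in the missing path. Whitespace is ignored when comparing, on the assumption that the page's "InternetSettings" is the usual "Internet Settings" key with the space lost in rendering. The two observation sets, the SID in the HKEY_USERS path and the 0.8 threshold are constructed for the example; "mostly 445" and the random filename carry no percentage and are left out of the weighted score.

```python
import re

# Indicators transcribed from the Pattern G tables; the percentage is the
# share of the 160 samples that exhibited the indicator. Entries without a
# percentage ("mostly 445", random 6/7/8 character filename) are omitted.
PATTERN_G = {
    "listen_ports": ["80 (99%)"],
    "egg_download_ports": ["1031 (98%)"],
    "upload_ports": ["80 (94%)"],
    "processes": ["MSMSGS.EXE (99%)"],
    "executables": ["ndisrd.sys (99%)", "index.dat (95%)", "DCPROMO.LOG (94%)"],
    "registry_keys": [
        "HKEY_USERS@...InternetSettings\\Zones (99%)",
        "HKEY_USERS@...Zones\\0 (99%)", "HKEY_USERS@...Zones\\1 (99%)",
        "HKEY_USERS@...Zones\\2 (99%)", "HKEY_USERS@...Zones\\3 (99%)",
        "HKEY_USERS@...Zones\\4 (99%)",
        "HKEY_LOCAL_MACHINE@...CurrentVersion\\InternetSettings (99%)",
        "HKEY_LOCAL_MACHINE@...InternetSettings\\Zones (99%)",
        "HKEY_LOCAL_MACHINE@...Windows\\CurrentVersion (99%)",
        "HKEY_LOCAL_MACHINE@...Zones\\0 (99%)",
    ],
    "snort_sids": [
        "1:99913 (99%)", "1:2000032 (98%)", "1:2001683 (98%)", "1:2000033 (97%)",
        "1:2466 (97%)", "1:3000000 (97%)", "1:5001684 (42%)",
    ],
}

_ENTRY = re.compile(r"^(?P<name>.+?)\s*\((?P<pct>\d{1,3})%\)$")


def parse_entry(entry):
    """Split 'name (NN%)' into (name, NN); raise on a malformed entry."""
    m = _ENTRY.match(entry)
    if not m:
        raise ValueError(f"not an indicator entry: {entry!r}")
    return m.group("name"), int(m.group("pct"))


def _norm(s):
    # Case-insensitive, whitespace-insensitive comparison (assumption: the
    # page's 'InternetSettings' is 'Internet Settings' with the space lost).
    return re.sub(r"\s+", "", s).lower()


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def indicator_matches(category, name, observed):
    """True if at least one observed artifact satisfies the indicator."""
    if category == "registry_keys" and "@..." in name:
        # The page elides the middle of each key; match hive and visible tail
        # only, never a guessed middle.
        hive, tail = (_norm(p) for p in name.split("@...", 1))
        return any(_norm(k).startswith(hive) and _norm(k).endswith(tail) for k in observed)
    if category in ("processes", "executables"):
        return any(_norm(_basename(p)) == _norm(name) for p in observed)
    return any(_norm(o) == _norm(name) for o in observed)


def score(observations, profile=PATTERN_G):
    """Prevalence-weighted coverage of the profile by one sample's report.

    observations maps the profile's category names to lists of strings
    (ports as decimal strings, Snort SIDs as 'gid:sid', files as paths).
    """
    matched, missing, got, total = [], [], 0, 0
    for category, entries in profile.items():
        seen = observations.get(category, [])
        for entry in entries:
            name, pct = parse_entry(entry)
            total += pct
            if indicator_matches(category, name, seen):
                got += pct
                matched.append(f"{category}:{name}")
            else:
                missing.append(f"{category}:{name}")
    return {"matched": matched, "missing": missing, "matched_weight": got,
            "total_weight": total, "score": got / total if total else 0.0}


def is_pattern_g(observations, threshold=0.8):
    return score(observations)["score"] >= threshold


# Constructed observations for two hypothetical samples (not from the page);
# the user SID and paths are made up for the example.
_HKU = "HKEY_USERS\\S-1-5-21-0-0-0-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
_HKLM = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
SAMPLE_HIT = {
    "listen_ports": ["80"], "egg_download_ports": ["1031"], "upload_ports": ["80"],
    "processes": ["C:\\WINDOWS\\system32\\msmsgs.exe"],
    "executables": ["C:\\WINDOWS\\system32\\ndisrd.sys", "C:\\WINDOWS\\debug\\DCPROMO.LOG",
                    "C:\\Documents and Settings\\user\\index.dat", "C:\\WINDOWS\\system32\\qwzrkat.exe"],
    "registry_keys": [_HKU + "\\Zones"] + [_HKU + f"\\Zones\\{i}" for i in range(5)]
                     + [_HKLM, _HKLM + "\\Internet Settings", _HKLM + "\\Internet Settings\\Zones",
                        _HKLM + "\\Internet Settings\\Zones\\0"],
    "snort_sids": ["1:99913", "1:2000032", "1:2001683", "1:2000033", "1:2466", "1:3000000"],
}
SAMPLE_MISS = {"listen_ports": ["113"], "snort_sids": ["1:2466"]}

if __name__ == "__main__":
    for label, obs in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        r = score(obs)
        print(label, r["matched_weight"], "/", r["total_weight"], "missing:", r["missing"])
```

The only indicator SAMPLE_HIT lacks is 1:5001684, which at 42% prevalence costs little; a sample that hits the 99% indicators but misses several of them should be treated as a different pattern even if the raw count of matches is similar.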