Pattern H

136 samples (mostly Win2K-f)


Ports
Infection / Listen / Upload
mostly 139, 445 or 135
500 (99%)
1026 (99%)
135 (92%)
1027 (91%)
1028 (88%)
Filenames
Processes
ntvdm.exe (100%)
Registry keys
HKEY_USERS@...InternetSettings\5.0 (99%)
HKEY_USERS@...InternetSettings\Connections (99%)
HKEY_LOCAL_MACHINE@...Microsoft\DownloadManager (90%)
Snort IDs
1:99913 (98%)
1:3000003 (90%)
1:2466 (36%)
Network chatter
HTTP
UA=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) (89%)
version=1.0 (89%)
filename=/zmon.exe (51%)
Static analysis
MD5
mostly None