Pattern JUL-AUGB

576 samples (WinXP 55%, Win2K-f 45%)


Ports
  Infection:
    445 (89%)
  Listen:
    113 (75%)
    135 (51%)
    500 (51%)
    1026 (51%)
  Egg-download:
    445 (89%)
    68 (44%)
    73 (43%)
Filenames
  Processes:
    MSMSGS.EXE (55%)
  Executables:
    random 8/9/10 character filename
    o (100%)
Registry keys
...CurrentVersion\RunServices (100%)
...InternetSettings\5.0 (45%)
...Microsoft\OLE (33%)
...CurrentVersion\Run (30%)

Snort IDs
1:5001684 (100%)
1:1390 (100%)
1:99998 (100%)
1:2001683 (96%)
1:2001944 (90%)
1:3003 (89%)

Network chatter
FTP
pass=1 (100%)
user=1 (100%)
server=StnyFtpd 0wns j0 (67%)
exec=windservc.exe (28%)
Static analysis
  MD5:
    df2a3e... (9%)
    817fcb... (7%)
  Antivirus labels:
    vipre (84%)
    sdbot (68%)
    sheur (42%)
    rbot (38%)
    ircbot (37%)
    spybot (33%)
  Domain:
    *@admin.com (96%)
    PAYPAL.COM (69%)
    de.yahoo.com (69%)
    nitro.ucsc.edu (69%)
    paypal.com (69%)
    reconnect.in (69%)