Remote Host      Port Number
204.0.5.40       80
204.0.5.41       80
204.0.5.48       80
204.0.5.50       80
204.0.5.51       80
204.0.5.59       80
207.38.101.12    80
216.178.38.103   80
216.178.38.168   80
63.135.86.30     80
66.225.219.7     1234        (ircd here)

* The data sent to the ircd at 66.225.219.7:1234 was:

    PASS xxx
    JOIN #jakarta test
    MODE NEW-[USA|00|P|03217] -ix
    NICK NEW-[USA|00|P|03217]
    USER XP-9813 * 0 :COMPUTERNAME
    PONG irc.priv8net.com

* The data identified by the following URLs was then requested from the remote web server:

Other details

* The following ports were open in the system:

Port   Protocol   Process
1056   TCP        infocard.exe (%Windir%\infocard.exe)
1081   TCP        infocard.exe (%Windir%\infocard.exe)

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"

    so that infocard.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"

    so that infocard.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"

    so that infocard.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename        Main Module Size
infocard.exe   %Windir%\infocard.exe   3 125 248 bytes

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

#   Filename(s)                            File Size      File Hash                                            Alias
1   %Windir%\infocard.exe                  98 818 bytes   MD5: 0x99FDA5B2630A0D67FA545D9D94D4727E             Worm:Win32/Pushbot.RY [Microsoft]
    [file and pathname of the sample #1]                  SHA-1: 0xC0ED8C16297884D092749251A56FB9518E8CEDE5   Trojan.Win32.SuspectCRC [Ikarus]
2   %Windir%\mdll.dll                      1 436 bytes    MD5: 0xE07773ABDEA895796EC4F915C2D42DFB             (not available)
                                                          SHA-1: 0x638360EC8DAA4BC268A8A7FF5E853AC1AAEC8197
3   %Windir%\wintybrd.jpg                  3 871 bytes    MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3             (not available)
                                                          SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
