Remote Host       Port Number   Data Sent (IRC session)
204.0.5.41        80
204.0.5.48        80
204.0.5.56        80
204.0.5.58        80
216.178.38.168    80
63.135.80.58      80
63.135.86.21      80
63.135.86.30      80
63.215.202.6      80
64.208.138.218    80
66.225.241.182    2345          PASS xxx
                                NICK NEW-[USA|00|P|20395]
                                USER XP-6912 * 0 :COMPUTERNAME
                                MODE NEW-[USA|00|P|20395] -ix
                                JOIN #!gf! test
                                PONG 22 MOTD
                                JOIN #USA
* The data identified by the following URLs was then requested from the remote web server:
o http://c2.ac-images.myspacecdn.com/images02/62/s_0644a0fa208843d99ba3052f4b5b1e2d.jpg
o http://c2.ac-images.myspacecdn.com/images02/119/s_3833714430eb4bb0b0b16b01e681eea1.jpg
o http://c2.ac-images.myspacecdn.com/images02/101/s_8fcfc0c9890745f188d56ee3fa7b15e1.png
o http://c2.ac-images.myspacecdn.com/images02/142/s_5a6197be2bc845eba5fa84125e03a54d.jpg
o http://c2.ac-images.myspacecdn.com/images02/148/s_cc021bff41b94642bc1e9423212f57fd.jpg
o http://c2.ac-images.myspacecdn.com/images02/116/s_545ae57a68b44e299b304677dc257a71.jpg
o http://c2.ac-images.myspacecdn.com/images02/100/s_01814ee89e8241c59118b5f1de3001dd.jpg
o http://c2.ac-images.myspacecdn.com/images01/63/s_65fef7498cf9d65dd907021bccd83f05.jpg
o http://c2.ac-images.myspacecdn.com/images02/102/s_563f2ef887054d29ae7c92ce686c0139.jpg
o http://c1.ac-images.myspacecdn.com/images02/91/s_7a9043587e134898ad7ada2f0769e9f0.jpg
o http://c1.ac-images.myspacecdn.com/images02/91/s_376097448eb94434b626a088c91835fc.jpg
o http://c1.ac-images.myspacecdn.com/images02/139/s_e717c8ed41fa407a99cda63130a194fc.jpg
o http://c1.ac-images.myspacecdn.com/images02/78/s_ef745b54658e4c95bf1e74900a36c814.jpg
o http://c1.ac-images.myspacecdn.com/images02/113/s_5622450adb4a4cf4954fbfc0bf176970.jpg
o http://c1.ac-images.myspacecdn.com/images02/57/s_f62742a70a1c408dbc713bec5bd4fe28.jpg
o http://c1.ac-images.myspacecdn.com/images02/136/s_e01e4faf54974300abc2b1bebc2e20ec.jpg
o http://c1.ac-images.myspacecdn.com/images02/36/s_40330d830619417294799cedc4238708.jpg
o http://c1.ac-images.myspacecdn.com/images02/120/s_ae5a7633e1a14cd8a0d7b0570a6c448c.jpg
o http://c1.ac-images.myspacecdn.com/images02/145/s_7d6dbda21fd74cc79ecdbd73e8bc9c7c.jpg
o http://c1.ac-images.myspacecdn.com/images02/148/s_7f206365dab2480f9707dac25a955344.jpg
o http://c1.ac-images.myspacecdn.com/images02/130/s_4a1c7440701a467d88ca5859759e3930.jpg
o http://c1.ac-images.myspacecdn.com/images02/84/s_9458a23b32d946aa8afc1c82f3fa69f0.jpg
o http://c4.ac-images.myspacecdn.com/images02/53/s_b47539ab50f64f278d6c8e8669bc94c3.jpg
o http://c4.ac-images.myspacecdn.com/images02/15/s_cb26ff99f78f4f99a4d408ba4637e9bb.jpg
o http://c4.ac-images.myspacecdn.com/images02/86/s_90a59cfd280344c9acb093a77790b1c7.jpg
o http://c4.ac-images.myspacecdn.com/images02/88/s_0b03a9b465e6486884dc7b1741bf9c73.jpg
o http://c4.ac-images.myspacecdn.com/images02/92/s_5fa96767fd28407ca057a753a8a6f47f.jpg
o http://c4.ac-images.myspacecdn.com/images02/47/s_b61673a1c93346c5b7d9a47598c4df7f.jpg
o http://c4.ac-images.myspacecdn.com/images02/126/s_30f1523d2a754b7e9c669d5e3727ac67.jpg
o http://c4.ac-images.myspacecdn.com/images02/139/s_08e9f48cfc3f458c8ab96989cffc3557.gif
o http://c4.ac-images.myspacecdn.com/images02/99/s_3703d090ddb14ba4a8add5ee134a023b.jpg
o http://c3.ac-images.myspacecdn.com/images02/150/s_7b86bc0d982241e0b109bf612b6a66aa.jpg
o http://c3.ac-images.myspacecdn.com/images02/127/s_85249ad022404c7084692ac762ee2f26.jpg
o http://c3.ac-images.myspacecdn.com/images02/119/s_7f1ae831b5d54834943b76d0fd5cd86e.jpg
o http://c3.ac-images.myspacecdn.com/images02/115/s_07a879367d794a95a45ba19087cd56f2.jpg
o http://c3.ac-images.myspacecdn.com/images02/106/s_83522203c18040219cf08e2810e49462.jpg
o http://c3.ac-images.myspacecdn.com/images01/25/s_089c4cce8a6b6bd50804fb5f7944a48e.jpg
o http://c3.ac-images.myspacecdn.com/images02/146/s_dfc2a5dfd93b4d5fa63d284327ddc292.jpg
o http://c3.ac-images.myspacecdn.com/images01/97/s_5b13b6970b7588d71b823e2bbc1f6b0a.jpg
o http://c3.ac-images.myspacecdn.com/images02/138/s_90cc99bfb3a34625a4cf888507c1cd56.jpg
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=226902419
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=226902419
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n&no_cj_c=1&upsid=512052989590
o http://fim.adnxs.com/fpt?id=3594&size=160×600&flash=1&cookies=1&callback=C1Kk0Ap3Uv8H.b0Rw0Gg3Qo8Y&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1280493102604
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://cms.myspacecdn.com/cms/js/ad_wrapper0153.js
o http://x.myspacecdn.com/modules/common/static/css/global_y5kcgkyi.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://1.download.advertise.myspace.com/03/1f/bf/bd1fbf9e3437c71996a5000fd8a10312_final.jpg
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal__7us4lzq.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_a0c24hfu.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Fx6Sd0Mb9D.b0Zl6Lf0Kt9T/bnum=1280493102713
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Fx6Sd0Mb9D.b0Zl6Lf0Kt9T/bnum=1280493102713
o http://p.ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1280493103151&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://ad.yieldmanager.com/getbid?Z=160×600&s=796250&_salt=1280493102604&u=http://www.foxaudiencenetwork.com&r=1&callback=C1Kk0Ap3Uv8H.b1Uq0Hj3Mh8B&cookie=1&flash=1&bvs=&hvs=BBJRUOOP
o http://ad.yieldmanager.com/getbid?Z=728×90&s=796250&_salt=1280493102713&u=http://www.foxaudiencenetwork.com&r=1&callback=C1Fx6Sd0Mb9D.b1Cu6Jj0Ok9Z&cookie=1&flash=1&bvs=&hvs=BBJRUOOP
Other details
* The following ports were open in the system:
Port   Protocol   Process
1057   TCP        jusched.exe (%Windir%\jusched.exe)
1092   TCP        jusched.exe (%Windir%\jusched.exe)
Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name   Process Filename       Main Module Size
jusched.exe    %Windir%\jusched.exe   3 141 632 bytes
* The following system service was modified:
Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs
* Notes:
  o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
File System Modifications
* The following files were created in the system:
#   Filename(s)                            File Size       File Hash
1   %Windir%\jusched.exe                   106 496 bytes   MD5: 0x6665B2838608D7DF014561809EF14B19
    [file and pathname of the sample #1]                   SHA-1: 0x707510D4A96DDC2B9242BAEB1D2858E282FF9110
2   %Windir%\mdll.dl                       2 222 bytes     MD5: 0x0DD76BD4E53CF74097B6DA1682E24EAD
                                                           SHA-1: 0x511F5EB9D1301E0648B9A96F1ECA84116BEE9CE0
3   %Windir%\wintybrd.png                  3 416 bytes     MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
                                                           SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
4   %Windir%\wintybrdf.jpg                 3 968 bytes     MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
                                                           SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787