210.170.62.115 (IM worm)

* Connection attempts to the following remote hosts were observed:

Remote Host      Port Number
204.0.5.35       80
204.0.5.40       80
204.0.5.42       80
204.0.5.51       80
204.0.5.58       80
204.0.5.59       80
207.38.101.12    80
208.43.117.134   80
216.178.38.103   80
216.178.38.168   80
210.170.62.115   2345

* The following IRC commands were sent to 210.170.62.115 on port 2345:

PASS xxx
NICK NEW-[USA|00|P|39876]
USER XP-0115 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|39876] -ix
JOIN #!gf! test
PONG 22 MOTD
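The registration burst above carries several traits that separate an IRC bot from a person's chat client: IRC spoken on port 2345 instead of 6667, a nick built from a country code, an OS tag, a flag and a random id, a USER line that leaks the OS version and the host name, a user MODE change before any conversation, and a JOIN to a keyed channel. The following is an added example, not part of the original report: it scores a client-to-server command stream against those traits. REPORTED_SESSION is the sequence shown above; BENIGN_SESSION is a constructed control, and the regexes, port list and threshold are this example's own assumptions.

```python
"""Score a client->server IRC command stream for bot-handshake traits.

Added example, not from the original sandbox report. REPORTED_SESSION is
the command sequence the report shows going to 210.170.62.115:2345;
BENIGN_SESSION is a constructed ordinary chat client used as a control.
The regexes, port list and scoring threshold are assumptions of this
example, not anything the report states.
"""
import re
from dataclasses import dataclass, field

# Nick shaped like PREFIX-[CC|NN|X|NNNNN]: country code, OS/version tag,
# privilege flag, random id (pattern derived from NICK NEW-[USA|00|P|39876]).
BOT_NICK_RE = re.compile(r"^[A-Za-z]+-\[[A-Z]{2,3}\|\d{2}\|[A-Z]\|\d{3,6}\]$")
# Username shaped like an OS tag plus a counter, e.g. XP-0115.
OS_TAG_USER_RE = re.compile(r"^(XP|W7|WIN|VISTA|2K)-\d+$", re.I)
IRC_DEFAULT_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}


@dataclass
class Finding:
    dst: str
    port: int
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

    def is_bot_handshake(self, threshold: int = 3) -> bool:
        return self.score >= threshold


def analyse_session(dst: str, port: int, lines) -> Finding:
    """Walk one registration burst (PASS/NICK/USER/MODE/JOIN ...) and
    record every trait that is unusual for a human-driven chat client."""
    f = Finding(dst, port)
    if port not in IRC_DEFAULT_PORTS:
        f.reasons.append(f"IRC on non-standard port {port}")
    for raw in lines:
        parts = raw.strip().split(" ")
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args and BOT_NICK_RE.match(args[0]):
            f.reasons.append(f"bot-style NICK {args[0]}")
        elif cmd == "USER" and len(args) >= 4:
            # RFC 2812: USER <user> <mode> <unused> :<realname>
            realname = " ".join(args[3:]).lstrip(":")
            if OS_TAG_USER_RE.match(args[0]) or realname.isupper():
                f.reasons.append(f"USER leaks OS tag / host name: {raw.strip()}")
        elif cmd == "MODE" and len(args) >= 2 and args[1].startswith(("+", "-")):
            # Chat clients rarely change user modes as part of registration.
            f.reasons.append(f"user MODE set during registration ({args[1]})")
        elif cmd == "JOIN" and len(args) >= 2:
            # A channel key on the very first JOIN is typical of C&C channels.
            f.reasons.append(f"JOIN to keyed channel {args[0]}")
    return f


# Client side of the session in the report (password shown redacted as "xxx").
REPORTED_SESSION = [
    "PASS xxx",
    "NICK NEW-[USA|00|P|39876]",
    "USER XP-0115 * 0 :COMPUTERNAME",
    "MODE NEW-[USA|00|P|39876] -ix",
    "JOIN #!gf! test",
    "PONG 22 MOTD",
]
# Constructed control: a person connecting with an ordinary client.
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

if __name__ == "__main__":
    for dst, port, lines in [("210.170.62.115", 2345, REPORTED_SESSION),
                             ("irc.example.net", 6667, BENIGN_SESSION)]:
        f = analyse_session(dst, port, lines)
        verdict = "BOT" if f.is_bot_handshake() else "ok "
        print(f"{verdict} {dst}:{port} score={f.score}")
        for r in f.reasons:
            print("     -", r)
```

Run on the two sessions, the report's stream collects all five indicators and the control none; in practice the traffic is reassembled from a pcap and fed in per TCP connection, and the port check alone is worth a network alert because IRC on 2345 has no business justification on a workstation.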

* The data identified by the following URLs was then requested from the remote web server:
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/common/static/css/global_-cca62xx.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://1.download.advertise.myspace.com/upld/cs/1//cs3_sk_747_.jpg
o http://c3.ac-images.myspacecdn.com/images02/86/s_cc6ce6d505494d45a552d0f4ca9bb202.jpg
o http://c3.ac-images.myspacecdn.com/images02/85/s_a32c81d1857449dcbad78a08e889e9c6.jpg
o http://c3.ac-images.myspacecdn.com/images02/123/s_1bda3b701f72457183381d249a3aff82.jpg
o http://c3.ac-images.myspacecdn.com/images02/99/s_ceed36fdd3da4b1886832fe5b6196ace.jpg
o http://c3.ac-images.myspacecdn.com/images02/144/s_19f2e454ae014445bd935666fc6212de.jpg
o http://c3.ac-images.myspacecdn.com/images02/114/s_0ad0327a11bc4b229d87e1a4b57af88a.jpg
o http://c3.ac-images.myspacecdn.com/images02/115/s_e6f59ed86e7f44d0b46a2fc72c197486.jpg
o http://c3.ac-images.myspacecdn.com/images02/138/s_56a9f22fe3c14673a8ac2eff50205282.png
o http://c3.ac-images.myspacecdn.com/images02/124/s_d0ac0d421d2448ca9c7ba41336f8d592.jpg
o http://c3.ac-images.myspacecdn.com/images02/116/s_a1e1b1d9eb154ef6a6602a53f7023776.jpg
o http://c3.ac-images.myspacecdn.com/images02/138/s_cc404490bf41444486565670bcef4ed6.jpg
o http://c3.ac-images.myspacecdn.com/images01/81/s_636a044c5ce581055c09de92954adc92.jpg
o http://c3.ac-images.myspacecdn.com/images02/130/s_aeed6d5a570e4bfc8f4270c9fd977b1e.jpg
o http://c3.ac-images.myspacecdn.com/images02/132/s_69412adb314246cfbe5c1e3ffdf3187a.jpg
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal_uabkhbad.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_ujzxjul0.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://cms.myspacecdn.com/cms/js/ad_wrapper0159.js
o http://c2.ac-images.myspacecdn.com/images02/148/s_6c823be790e743bbb870745d6b9acd4d.jpg
o http://c2.ac-images.myspacecdn.com/images02/81/s_bea1505b63754246a4d14b8a84356631.jpg
o http://c1.ac-images.myspacecdn.com/images02/117/s_f648ebb39aa84f28a5520de4cc41401c.jpg
o http://c1.ac-images.myspacecdn.com/images01/126/s_5a29243ffa8e8ee1243b0184a64935dc.jpg
o http://c2.ac-images.myspacecdn.com/images02/116/s_372ce4babe084260bda38b410af2ae71.jpg
o http://c2.ac-images.myspacecdn.com/images02/64/s_1ec626971c7a457a9e9e3ce4182389c1.jpg
o http://c1.ac-images.myspacecdn.com/images02/147/s_aec5a4b65d0d4b00a67f634a55cb6fd4.jpg
o http://c2.ac-images.myspacecdn.com/images02/116/s_06ef17225e7b46798a25631e4f0e6d31.jpg
o http://c1.ac-images.myspacecdn.com/images02/139/s_93ebfb6dcc274512843c1f18506bf19c.jpg
o http://c1.ac-images.myspacecdn.com/images02/11/s_833d884e580f4af59d419cd49c9080d4.jpg
o http://c2.ac-images.myspacecdn.com/images02/109/s_89005d3c4d5344fb9d8682964234e989.jpg
o http://c2.ac-images.myspacecdn.com/images02/86/s_6e55142dd8fc4f3480f480d9a0629f55.jpg
o http://c1.ac-images.myspacecdn.com/images01/49/s_c6c15f853c8fa90cc8b79d72f10d5cf0.jpg
o http://c1.ac-images.myspacecdn.com/images02/114/s_3a61e3c6382a407a8c47b31c47f2c8cc.jpg
o http://c2.ac-images.myspacecdn.com/images02/84/s_de221ceb0f634964886a72f8cf4627a5.jpg
o http://c2.ac-images.myspacecdn.com/images02/140/s_fc17a669ef8244738353c30dfe1db4e9.jpg
o http://c1.ac-images.myspacecdn.com/images01/78/s_aa780676d954377b371ab7579dde6270.jpg
o http://c1.ac-images.myspacecdn.com/images02/86/s_f3c980fa1de64b4d8b815944868f1568.jpg
o http://c2.ac-images.myspacecdn.com/images02/144/s_4c87608ed6f9403f9890bf4d4ff3b659.jpg
o http://c4.ac-images.myspacecdn.com/images02/132/s_0c8e25f03d5645db95d5e04f88c76057.jpg
o http://c4.ac-images.myspacecdn.com/images02/98/s_fe0aa0836c23428992e041124ab9d42b.jpg
o http://c4.ac-images.myspacecdn.com/images02/149/s_e08ecc0396054cc68d9f9eae530fd197.jpg
o http://c4.ac-images.myspacecdn.com/images02/107/s_6b00af340fde4fa0ab724170a35dfb8b.jpg
o http://c4.ac-images.myspacecdn.com/images02/114/s_076be579919e4db889a4884d2eac52b3.jpg
o http://c4.ac-images.myspacecdn.com/images02/44/s_7e1f0ea2159d4a8e883159deec77741f.jpg
o http://c4.ac-images.myspacecdn.com/images02/84/s_55c6e1c43c76412bb75e25c61a77b107.jpg
o http://geo-lb01.w55c.net/x/brs1009?cbid=C1Yv1Zk7Br4V.b0Vp1Ii7Lf4Q&cb=1289861635188&size=160x600&ess=MySpaceUGC&refurl=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=622651867
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=622651867
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Yv1Zk7Br4V.b2Pa1Yz7Zo4B/bnum=1289861635188
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Yv1Zk7Br4V.b2Pa1Yz7Zo4B/bnum=1289861635188
o http://p.ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1289861635860&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://ad.turn.com/server/bid/fan.bid?pub=10063193&cch=10063206&l=728x90&requestId=C1Yv1Zk7Br4V.b1Ji1Pf7Yv4Z&ref=http%3A%2F%2Fmyspace-ugc-foxaudiencenetwork.com&rand=1289861635188
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://googleads.g.doubleclick.net/pagead/imgad?id=CPvt4tuR2qijDxCgARjCBDIIKSVjaqcgbYM
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/expansion_embed.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://ad.yieldmanager.com/getbid?Z=728x90&s=796240&_salt=1289861635188&r=1&callback=C1Yv1Zk7Br4V.b3Rp1Ji7Pf4Y&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx

* The following port was open in the system:

Port   Protocol   Process
1059   TCP        jusched.exe (%Windir%\jusched.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
+ Start Page =

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
jusched.exe    %Windir%\jusched.exe   3 141 632 bytes

The main module image (3 141 632 bytes) is roughly thirty times the 104 448-byte file on disk (see File System Modifications), which is consistent with a packed executable that unpacks itself in memory.

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

#   Filename(s)            File Size       File Hash                                         Alias
1   %Windir%\jusched.exe   104 448 bytes   MD5: 0x977E1D1DEDF6B241FBE352DBE6B70595           Trojan.Win32.Buzus [Ikarus]
                                           SHA-1: 0xF065ACC4F84ADED4E8CC5251DC586D9EB96B14DA
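The host-side indicators in the Registry, Memory, service and File System sections above come down to three checks: a Run value named "Java developer Script Browse" in any of the three listed keys (including the rarely used Terminal Server\Install shadow key), a jusched.exe launched directly from %Windir% (the genuine Java Update Scheduler is installed under Program Files\Common Files\Java\Java Update), the Automatic Updates service left stopped, and a file whose MD5 or SHA-1 matches the sample. The following is an added example, not part of the original report: the checks are pure functions so they run offline against the constructed sample state, and only the __main__ block reads the live registry and file system, and only on Windows. Key paths, the value name, the file path and the hashes come from the report; the sample entries, the benign "SunJavaUpdateSched" entry and the live_run_entries helper are this example's assumptions.

```python
"""Host sweep for the persistence, service and file indicators in this report.

Added example, not part of the original sandbox report. Checks are pure
functions over data; the __main__ block touches the live registry and file
system only on Windows (winreg imported there). Key paths, value name, file
path and hashes are from the report; sample data and live_run_entries are
this example's assumptions.
"""
import hashlib
import os
import sys

RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install"
             r"\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
IOC_VALUE_NAME = "Java developer Script Browse"
IOC_FILE = r"%Windir%\jusched.exe"
IOC_MD5 = "977e1d1dedf6b241fbe352dbe6b70595"
IOC_SHA1 = "f065acc4f84aded4e8cc5251dc586d9eb96b14da"
# The genuine Java Update Scheduler lives under Program Files\Common Files\
# Java\Java Update, never directly in the Windows directory.
MASQUERADE_NAMES = {"jusched.exe"}
WINDOWS_DIRS = {"%windir%", "%systemroot%", "c:/windows", "c:/winnt"}


def _split(value):
    """Reduce a Run value ('"%Windir%\\x.exe" /arg' or a bare path) to (parent, basename)."""
    value = value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    exe = exe.replace("\\", "/").lower()
    return os.path.dirname(exe), os.path.basename(exe)


def check_run_entries(entries):
    """entries: iterable of (hive, key, value_name, value_data) tuples."""
    findings = []
    for hive, key, name, data in entries:
        parent, base = _split(data)
        where = f"{hive}\\{key}"
        if name == IOC_VALUE_NAME:
            findings.append(f"{where}: IOC value name {name!r} -> {data}")
        elif base in MASQUERADE_NAMES and parent in WINDOWS_DIRS:
            findings.append(f"{where}: {base} launched from the Windows directory ({data})")
    return findings


def check_service(name, status):
    """The sample left Automatic Updates (wuauserv) stopped."""
    if name.lower() == "wuauserv" and status.lower() == "stopped":
        return [f"service {name} (Automatic Updates) is {status}"]
    return []


def check_file_hash(path, data):
    """Compare a file's MD5/SHA-1 with the hashes of the analysed sample."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    if md5 == IOC_MD5 or sha1 == IOC_SHA1:
        return [f"{path}: matches Trojan.Win32.Buzus sample (MD5 {md5})"]
    return []


def sweep(run_entries, services, files):
    findings = list(check_run_entries(run_entries))
    for name, status in services:
        findings += check_service(name, status)
    for path, data in files:
        findings += check_file_hash(path, data)
    return findings


# Constructed sample state: the report's three Run entries, one legitimate
# Java Update entry, one bare-path copy in C:\Windows, the stopped service,
# and placeholder file bytes (not the real sample).
SAMPLE_RUN_ENTRIES = [
    (h, k, IOC_VALUE_NAME, r'"%Windir%\jusched.exe"') for h, k in RUN_KEYS
] + [
    ("HKLM", RUN_KEYS[0][1], "SunJavaUpdateSched",
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("HKCU", RUN_KEYS[2][1], "Java Update", r"C:\Windows\jusched.exe"),
]
SAMPLE_SERVICES = [("wuauserv", "Stopped"), ("Dnscache", "Running")]
SAMPLE_FILES = [(r"C:\Windows\jusched.exe", b"placeholder bytes, not the sample")]


def live_run_entries():
    """Windows only: enumerate the three Run keys with winreg."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    yield hive, key, name, str(data)
                    i += 1
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    if sys.platform == "win32":
        path = os.path.expandvars(IOC_FILE)
        files = [(path, open(path, "rb").read())] if os.path.isfile(path) else []
        results = sweep(list(live_run_entries()), [], files)  # query service state separately
    else:
        results = sweep(SAMPLE_RUN_ENTRIES, SAMPLE_SERVICES, SAMPLE_FILES)
    for line in results or ["no indicators found"]:
        print("[!]", line)
```

On the constructed state the sweep reports the three IOC-named Run values, the bare C:\Windows\jusched.exe entry and the stopped wuauserv service, and stays silent on the legitimate Program Files copy. The hash check is deliberately last: the value name and location checks catch a recompiled variant whose hashes differ, while the hashes alone would not.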
