Remote Host       Port Number
208.50.81.138     80
208.50.81.144     80
208.50.81.160     80
208.50.81.161     80
216.178.38.168    80
63.135.80.58      80
63.135.86.23      80
63.135.86.37      80
64.208.138.220    80
64.236.79.122     80
210.170.62.106    2345    (IRC commands sent to this host:)
                            PASS xxx
                            MODE NEW-[USA|00|P|57813] -ix
                            JOIN #!gf! test
                            NICK NEW-[USA|00|P|57813]
                            USER XP-1197 * 0 :COMPUTERNAME
                            PONG irc.priv8net.com
* The data identified by the following URLs was then requested from the remote web server:
o http://cms.myspacecdn.com/cms/js/ad_wrapper0153.js
o http://1.download.advertise.myspace.com/03/1f/bf/bd1fbf9e3437c71996a5000fd8a10312_final.jpg
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/splash/static/img/bgSheet.png
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/common/static/css/global_y5kcgkyi.css
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal__7us4lzq.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_a0c24hfu.js
o http://cdn.doubleverify.com/script44.js?agnc=607671&cmp=CINGCP908001CNT&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=2&plc=193886852&advid=607930&sid=193886852&adid=
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=338698224
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=338698224
o http://fim.adnxs.com/fpt?id=3594&size=160x600&flash=1&cookies=1&callback=C1Ax7Fg3Xf2C.b0Ul7Is3Ax2F&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1280279858470
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Xs6Eh4Vd5S.b0Xs6Eh4Vd5S/bnum=1280279858830
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Xs6Eh4Vd5S.b0Xs6Eh4Vd5S/bnum=1280279858830
o http://p.ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1280279859220&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://www.google-analytics.com/ga.js
o http://ad.yieldmanager.com/getbid?Z=728x90&s=796250&_salt=1280279858830&u=http://www.foxaudiencenetwork.com&r=1&callback=C1Xs6Eh4Vd5S.b1Ql6Rk4Ce5M&cookie=1&flash=1&bvs=&hvs=BBJRUOOP
o http://c3.ac-images.myspacecdn.com/images02/125/s_1a4c2b4c5284430d80adab79e370801a.jpg
o http://c3.ac-images.myspacecdn.com/images02/142/s_d7a76b1a42db42988a9a2e5b93bf306a.jpg
o http://c3.ac-images.myspacecdn.com/images02/106/s_663d792ab9a449dca9b21877c4230006.jpg
o http://c3.ac-images.myspacecdn.com/images02/79/s_bc8ca5137db94a26bb6f084c8cec92b2.jpg
o http://c3.ac-images.myspacecdn.com/images02/13/s_6e810bcaad51423b9e03ab2c5aa6c146.jpg
o http://c3.ac-images.myspacecdn.com/images02/63/s_0d0823b872e74fdb893877d30ce9497e.jpg
o http://c3.ac-images.myspacecdn.com/images02/126/s_bb1b251c2021439b845cf96c673e134e.jpg
o http://c1.ac-images.myspacecdn.com/images02/101/s_6379efcc8c46427e99f733c40e79cfd4.jpg
o http://c1.ac-images.myspacecdn.com/images02/147/s_2454f3376a4c4d07a1be4319582b0a68.jpg
o http://c1.ac-images.myspacecdn.com/images02/66/s_12872121e7a44d7fb9f656dffe1bc86c.jpg
o http://c1.ac-images.myspacecdn.com/images02/120/s_b357cbc581394368946f7811dd66b444.jpg
o http://c1.ac-images.myspacecdn.com/images02/141/s_c83b52c6db2140c79ed4f48b3d43abbc.jpg
o http://c1.ac-images.myspacecdn.com/images02/76/s_2adbf9a8892f4ffbaf93f35304d9b18c.jpg
o http://c1.ac-images.myspacecdn.com/images01/67/s_6b5a0365c6244c3004bcbfbbf1b1666c.jpg
o http://c1.ac-images.myspacecdn.com/images02/27/s_7b62775f100f46ba830c566a21bddba8.jpg
o http://c1.ac-images.myspacecdn.com/images02/68/s_e96743e447494ea1ac971d09767e3bb0.jpg
o http://c1.ac-images.myspacecdn.com/images02/124/s_cb57746e4c7e4654a2c8d55f34d16cec.jpg
o http://c1.ac-images.myspacecdn.com/images01/45/s_e2c19fd4123171f022785e46fffec2dc.jpg
o http://c1.ac-images.myspacecdn.com/images02/120/s_ca96fabdabd44a7c932cb39f2537ad04.jpg
o http://c1.ac-images.myspacecdn.com/images02/104/s_7ac8c3952e4f42b2952d437c15ca48a4.jpg
o http://c1.ac-images.myspacecdn.com/images02/123/s_454e12078582428f985740b42fef5df4.jpg
o http://c2.ac-images.myspacecdn.com/images02/120/s_5ee2328556ea499b8cb0e5e25c5e1171.jpg
o http://c2.ac-images.myspacecdn.com/images02/105/s_e8a2096a97a44870ae0428f457798c7d.jpg
o http://c2.ac-images.myspacecdn.com/images02/91/s_f991ce203aea4c5c983aea1385930489.jpg
o http://c2.ac-images.myspacecdn.com/images02/74/s_8508819929ae4f85a628215dda63a89d.jpg
o http://c2.ac-images.myspacecdn.com/images02/143/s_3f568cfdbb27417ba0505ff279f74985.jpg
o http://c2.ac-images.myspacecdn.com/images02/145/s_01de490373244618b2fd787431c4a851.jpg
o http://c2.ac-images.myspacecdn.com/images01/55/s_c7b20e93ca9086055a7f5fba792340ad.jpg
o http://c2.ac-images.myspacecdn.com/images02/75/s_eb9d654084ac407a9101977509c3b72d.jpg
o http://c2.ac-images.myspacecdn.com/images02/118/s_ef16fb09eb864117aab7bdb066bf13d5.jpg
o http://c4.ac-images.myspacecdn.com/images02/52/s_2ffa8c927ac04a37ba2495ca266bd643.jpg
o http://c4.ac-images.myspacecdn.com/images02/79/s_889a6fdd50ee4687a092b5807f11bc0f.jpg
o http://c4.ac-images.myspacecdn.com/images02/109/s_1d97bc010120456b860375cef7f6541b.gif
o http://c4.ac-images.myspacecdn.com/images01/59/s_349473c6c5c854640533414fdce7582b.jpg
o http://c4.ac-images.myspacecdn.com/images02/69/s_356a0cdc0b0a416d90348175a04e7297.jpg
o http://c4.ac-images.myspacecdn.com/images02/132/s_5533358fe60c421b9f17a2b6fd20d9df.jpg
o http://c4.ac-images.myspacecdn.com/images02/127/s_e661490e9a83449d8a980fd21ab02b8b.jpg
o http://c4.ac-images.myspacecdn.com/images02/71/s_917bb56fc1aa477391cecb4b3dbf4fc3.jpg
o http://c4.ac-images.myspacecdn.com/images02/124/s_8c34e30d56854f2db734f604d00f2027.jpg
o http://c4.ac-images.myspacecdn.com/images02/93/s_4725cd83e6a642a79d3767842eecee6f.jpg
Other details
* The following ports were open in the system:
    Port    Protocol    Process
    1053    TCP         jusched.exe (%Windir%\jusched.exe)
    1089    TCP         jusched.exe (%Windir%\jusched.exe)
Registry Modifications
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
        + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
    Process Name    Process Filename        Main Module Size
    jusched.exe     %Windir%\jusched.exe    3 141 632 bytes
* The following system service was modified:
    Service Name    Display Name         New Status    Service Filename
    wuauserv        Automatic Updates    "Stopped"     %System%\svchost.exe -k netsvcs
* Notes:
    o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
File System Modifications
* The following files were created in the system:
    1. %Windir%\jusched.exe
       [file and pathname of the sample #1]
       File Size: 103 424 bytes
       MD5:   0x1BE65C0597137D85879259696ADBD166
       SHA-1: 0xD9094BCC7CA87ABBE80D9D4619C729B4B2F51F79
    2. %Windir%\mdll.dl
       File Size: 2 191 bytes
       MD5:   0xFE74CEFD04571E7CF2D4095158DAE514
       SHA-1: 0x8D97ED0ABC1E23E1619E5B50AD80A17AA465EDFA
    3. %Windir%\wintybrd.png
       File Size: 3 416 bytes
       MD5:   0xD3A3A9391EA080EDFEF8BA202CC36D2E
       SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
    4. %Windir%\wintybrdf.jpg
       File Size: 3 968 bytes
       MD5:   0xE246233F7DCFE923D7A54F29B63CC30E
       SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787