205.234.138.152

Remote Host       Port Number
204.0.5.41        80
204.0.5.42        80
204.0.5.51        80
204.0.5.57        80
204.0.5.58        80
204.0.5.59        80
216.178.38.168    80
63.135.80.58      80
63.135.86.37      80
63.135.86.39      80
205.234.138.152   2345

* The connection to 205.234.138.152 on port 2345 is an IRC session. The client sent the following commands (as recorded; the PASS argument appears as "xxx" in the report):

PASS xxx
NICK NEW-[USA|00|P|84708]
USER XP-1884 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|84708] -ix
JOIN #!gf! test
PONG 22 MOTD

The registration leaks the infected host's details to the server: the nick carries a country code and a numeric id, the USER line carries an OS tag in the ident field and the computer name in the real-name field, and the bot then joins the keyed channel #!gf! (key "test"). A PASS-protected IRC server on a non-standard port, plus a nick of this shape, is the behaviour to alert on at the network boundary.
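The handshake above is enough to write a detector for it. The following Python is an added example, not code from the report or from the bot: it parses client-side IRC commands and flags the traits seen here (a server password, a non-standard port, a machine-generated nick) while recording the identity the client registered. The nick regex generalises the single nick on this page and is an assumption, as is the two-alert threshold; the sample lines are constructed from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the remote host/port from the table and the client
# commands recorded in the report.
SAMPLE_HOST = "205.234.138.152"
SAMPLE_PORT = 2345
SAMPLE_CLIENT_LINES = [
    "PASS xxx",
    "NICK NEW-[USA|00|P|84708]",
    "USER XP-1884 * 0 :COMPUTERNAME",
    "MODE NEW-[USA|00|P|84708] -ix",
    "JOIN #!gf! test",
    "PONG 22 MOTD",
]

# Plain-text and TLS IRC; any other port deserves a second look.
IRC_DEFAULT_PORTS = {6667, 6697}

# Assumption: generalised from the one nick on this page, "NEW-[USA|00|P|84708]":
# an upper-case prefix, then bracketed pipe-separated fields ending in a numeric id.
# Other builds of the bot may use a different prefix or field order.
BOT_NICK_RE = re.compile(r"^[A-Z]+-\[[A-Z]{2,3}\|\d+\|[A-Z]\|\d+\]$")


@dataclass
class IrcCommand:
    verb: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcCommand:
    """Parse one RFC 1459 line: [:prefix] VERB param ... [:trailing]."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):          # server lines carry a prefix; clients rarely do
        _, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcCommand(parts[0].upper(), parts[1:], trailing)


def analyze_session(host: str, port: int, client_lines: List[str]) -> Dict[str, object]:
    """Summarise one client->server IRC stream: alerts plus the identity it registered."""
    alerts: List[str] = []
    context: Dict[str, Optional[str]] = {
        "nick": None, "ident": None, "realname": None,
        "modes": None, "channel": None, "channel_key": None,
    }
    cmds = [parse_irc_line(l) for l in client_lines]
    if port not in IRC_DEFAULT_PORTS:
        alerts.append(f"IRC handshake to {host}:{port} on a non-standard port")
    if cmds and cmds[0].verb == "PASS":
        alerts.append("server password sent before registration (private server)")
    for c in cmds:
        if c.verb == "NICK" and c.params:
            context["nick"] = c.params[0]
            if BOT_NICK_RE.match(c.params[0]):
                alerts.append(f"machine-generated nick {c.params[0]}")
        elif c.verb == "USER" and c.params:
            context["ident"] = c.params[0]       # ident field; "XP-1884" in the report
            context["realname"] = c.trailing     # real-name field; carried COMPUTERNAME
        elif c.verb == "MODE" and len(c.params) > 1:
            context["modes"] = c.params[1]       # "-ix": clears invisible (i); x is ircd-specific
        elif c.verb == "JOIN" and c.params:
            context["channel"] = c.params[0]
            context["channel_key"] = c.params[1] if len(c.params) > 1 else None
    return {"alerts": alerts, "context": context}


def is_bot_handshake(summary: Dict[str, object]) -> bool:
    """Two or more alerts in a single registration is the threshold used here (an assumption)."""
    return len(summary["alerts"]) >= 2


if __name__ == "__main__":
    result = analyze_session(SAMPLE_HOST, SAMPLE_PORT, SAMPLE_CLIENT_LINES)
    for a in result["alerts"]:
        print("ALERT:", a)
    print("context:", result["context"])
    print("bot handshake:", is_bot_handshake(result))
```

Feed it the client half of any reassembled TCP stream that starts with PASS or NICK; a normal IRC client on 6667 produces no alerts, while this sample produces three. The channel name and key are kept as context rather than alerts because they change between builds, whereas the registration shape does not.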

* The data identified by the following URLs was then requested from the remote web servers. The page the bot actually fetched is http://browseusers.myspace.com/Browse/Browse.aspx; the remaining URLs are that page's own scripts, stylesheets, thumbnails and ad-network calls, loaded as its subresources:
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal_a23gacz1.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://c2.ac-images.myspacecdn.com/images01/49/s_0265685503623e56fa0be249564b7fd1.jpg
o http://c2.ac-images.myspacecdn.com/images02/32/s_23b947ee56ee4da389e13a6ab267e51d.jpg
o http://c2.ac-images.myspacecdn.com/images01/45/s_042b0dd895ab1e15126410770f18f6b1.jpg
o http://c2.ac-images.myspacecdn.com/images02/8/s_8b6f7b9ba76341acac5f5098ac0b2bc5.jpg
o http://c2.ac-images.myspacecdn.com/images02/69/s_0a76856d3c65434d940de8f289b6efe9.jpg
o http://c2.ac-images.myspacecdn.com/images02/117/s_09ec5d767cd144278edf591cdd3ff659.jpg
o http://c2.ac-images.myspacecdn.com/images02/70/s_65e415067f2b4877b870e182be92d8f5.jpg
o http://c2.ac-images.myspacecdn.com/images02/56/s_65587c78692e4d0f84aa62f52b89745d.jpg
o http://js.myspacecdn.com/modules/common/static/js/atlas/tracking/tynt_yjp6wvuu.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_wrhw3zve.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://c3.ac-images.myspacecdn.com/images02/105/s_09f595c9e0644ecc93136ff2147542b6.jpg
o http://c3.ac-images.myspacecdn.com/images02/83/s_7eab0cd40bcf4ea08f5ead5002590a2e.jpg
o http://c3.ac-images.myspacecdn.com/images02/44/s_58a6146991de4626827c97ed188a0bca.jpg
o http://c3.ac-images.myspacecdn.com/images02/152/s_f0f3385eed6d48c391bd1a0a54316826.jpg
o http://c3.ac-images.myspacecdn.com/images02/127/s_6e3a229564a049e6911471f1fbc1b6f6.jpg
o http://c3.ac-images.myspacecdn.com/images02/119/s_53970c9fe3e74fa6943abb1e7597301e.jpg
o http://c3.ac-images.myspacecdn.com/images02/124/s_e72d981aba824fa9bab4874a08847c26.jpg
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://x.myspacecdn.com/modules/common/static/img/header/header-ie6.gif
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/common/static/css/global_dx4dnvyu.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/common/static/img/header/SearchButtonsGradients.png
o http://1.download.advertise.myspace.com/0a/06/66/320666dbf46ac4df3dff8ec6835b0fbc_final.jpg
o http://cms.myspacecdn.com/cms/Headerlogo/header_ms.png
o http://cms.myspacecdn.com/cms/js/ad_wrapper0152.js
o http://c1.ac-images.myspacecdn.com/images02/140/s_a90079f3d8f447dcb8e7f110e7862ec0.jpg
o http://c1.ac-images.myspacecdn.com/images02/150/s_b6b2b5cc019f429f88857429a1853530.jpg
o http://c1.ac-images.myspacecdn.com/images02/119/s_89e68f7d7fea4d1a964dabfba2062d5c.jpg
o http://c1.ac-images.myspacecdn.com/images02/113/s_2b16a3644d214b9e9dfa609a0af6cb14.jpg
o http://c1.ac-images.myspacecdn.com/images02/127/s_ca1e26f56e1541039ec7a8e9f3d6d544.jpg
o http://c1.ac-images.myspacecdn.com/images02/76/s_8b12900392704f8695a63504ef36ea98.jpg
o http://c1.ac-images.myspacecdn.com/images02/151/s_04d7b2b45b8748c0a15877b29f96d8cc.jpg
o http://c1.ac-images.myspacecdn.com/images02/144/s_f4e8f77706d54346a520ef3ec54609f8.jpg
o http://c1.ac-images.myspacecdn.com/images02/105/s_7c577767de1e42b48d83c5ecb07d44fc.jpg
o http://c1.ac-images.myspacecdn.com/images02/113/s_244ebc29faa74ab68a1fdcca0d1b9f8c.jpg
o http://c1.ac-images.myspacecdn.com/images02/116/s_aa53465950614bfdb73742fe166f21ac.jpg
o http://c4.ac-images.myspacecdn.com/images02/139/s_24ef3f1efd4041c7a09f65f1b044e373.jpg
o http://c4.ac-images.myspacecdn.com/images02/122/s_938e4bf6489e48089af328667c0b3797.jpg
o http://c4.ac-images.myspacecdn.com/images02/86/s_9b9d4735d0ea40a8be829e0fd12bb677.jpg
o http://c4.ac-images.myspacecdn.com/images02/74/s_5eae583871484c9ea1d79eb421c92473.jpg
o http://c4.ac-images.myspacecdn.com/images02/123/s_3b3266d734f3478c9f512b772d6be4cb.jpg
o http://c4.ac-images.myspacecdn.com/images02/147/s_838fe7a870724a7aa4e0c49f72b31817.jpg
o http://c4.ac-images.myspacecdn.com/images02/142/s_b1b8e5f7de3f4bbfb64940de5b44a5f3.jpg
o http://c4.ac-images.myspacecdn.com/images02/139/s_a2510cbda4454f078e0c0df2ca3e0ec7.jpg
o http://c4.ac-images.myspacecdn.com/images01/51/s_5839e5198b5a970252f086ce06855783.jpg
o http://c4.ac-images.myspacecdn.com/images02/1/s_03c85a13f1984205b9b4f2c59ca8ebff.jpg
o http://c4.ac-images.myspacecdn.com/images02/152/s_14c95687ee984c86ae814067650a0d3b.jpg
o http://c4.ac-images.myspacecdn.com/images02/97/s_41445c463517449db7257706bdc0aaa3.jpg
o http://c4.ac-images.myspacecdn.com/images02/151/s_7a9b15ecf7af407f88e3547bbd753343.jpg
o http://c4.ac-images.myspacecdn.com/images02/137/s_def83b3c9663409e9843948bb5f13f1f.jpg
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=797785791
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=797785791
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n&no_cj_c=1&upsid=758915226077
o http://rd.apmebf.com/w/get.media?sid=54674&tp=5&d=j&t=n&host=media.fastclick.net
o http://fim.adnxs.com/fpt?id=3594&size=160x600&flash=1&cookies=1&callback=C1Hc3Wh9Fr6X.b0Dw3Gs9Hc6W&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1279048000501
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Kp7Oi8Lz6C.b0Kp7Oi8Lz6C/bnum=1279048000251
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Kp7Oi8Lz6C.b0Kp7Oi8Lz6C/bnum=1279048000251
o http://ad.yieldmanager.com/getbid?Z=728x90&s=796240&_salt=1279048000251&r=1&callback=C1Kp7Oi8Lz6C.b1Nm7Ea8Xy6Y&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx
o http://ad.yieldmanager.com/getbid?Z=160x600&s=796240&_salt=1279048000501&r=1&callback=C1Hc3Wh9Fr6X.b1Zb3Qu9Nk6A&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx
o http://p.dev-ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1279048001251&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js

Other details

* The following ports were open in the system:

Port   Protocol   Process
1059   TCP        jusched.exe (%Windir%\jusched.exe)
1088   TCP        jusched.exe (%Windir%\jusched.exe)

Both ports are in the ephemeral range and are consistent with the source ports of the process's outbound IRC and HTTP connections rather than a listening backdoor; on a live host, confirm the socket state with netstat -ano before treating them as listeners.

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts. All three values launch the same file. The name jusched.exe is borrowed from the Java Update Scheduler, whose legitimate copy is installed under Program Files (Common Files\Java\Java Update), not in the Windows directory, so a Run value starting jusched.exe from %Windir% is a usable indicator on its own. The second key is the Terminal Server install-mode shadow of the Run key, which Terminal Services replays into user hives; it is rarely used by legitimate installers and is checked far less often than the two standard Run keys, so include it when sweeping for this value name.
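A sweep for the three Run values above can be written against a registry export or a live enumeration. The following Python is an added example, not part of the report: it takes Run entries as (key, value name, data) tuples, resolves the image path, and flags a binary that borrows a well-known name but runs from the wrong directory, a value in the Terminal Server install shadow key, and one image registered under several Run keys at once. The expected Java Update directories, the placeholder expansions and the benign "SunJavaUpdateSched" entry are assumptions, not from the report; the sample entries are constructed from the values listed above.

```python
import ntpath
import re
from collections import defaultdict
from typing import List, Tuple

RUN_KEY_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TS_SHADOW_RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample: the three values from the report plus one legitimate-looking
# Java updater entry (assumed value name and path, not from the report).
SAMPLE_RUN_ENTRIES: List[Tuple[str, str, str]] = [
    (RUN_KEY_HKLM, "Java developer Script Browse", r'"%Windir%\jusched.exe"'),
    (TS_SHADOW_RUN_KEY, "Java developer Script Browse", r'"%Windir%\jusched.exe"'),
    (RUN_KEY_HKCU, "Java developer Script Browse", r'"%Windir%\jusched.exe"'),
    (RUN_KEY_HKLM, "SunJavaUpdateSched",
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
]

# Assumption: directories where binaries whose names malware borrows are expected.
EXPECTED_DIRS = {
    "jusched.exe": {
        r"c:\program files\common files\java\java update",
        r"c:\program files (x86)\common files\java\java update",
    },
}

# Assumed default expansions for the placeholders used in sandbox reports.
PLACEHOLDERS = {
    "%windir%": r"c:\windows",
    "%system%": r"c:\windows\system32",
    "%programfiles%": r"c:\program files",
}


def image_path(data: str) -> str:
    """Extract the executable path from a Run value (quoted or bare, possibly with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]   # tolerate a missing closing quote
    else:
        m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
        path = m.group(1) if m else data.split()[0]
    path = path.lower()
    for placeholder, concrete in PLACEHOLDERS.items():
        path = path.replace(placeholder, concrete)
    return path


def triage_run_entries(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Return one finding string per suspicious trait across the supplied Run entries."""
    findings: List[str] = []
    keys_by_image = defaultdict(set)
    for key, name, data in entries:
        path = image_path(data)
        exe, directory = ntpath.basename(path), ntpath.dirname(path)
        keys_by_image[path].add(key)
        if exe in EXPECTED_DIRS and directory not in EXPECTED_DIRS[exe]:
            findings.append(f"{key}\\{name}: {exe} outside its expected directory ({path})")
        if key.lower() == TS_SHADOW_RUN_KEY.lower():
            findings.append(f"{key}\\{name}: Run value in the Terminal Server install shadow key")
    for path, keys in keys_by_image.items():
        if len(keys) > 1:   # legitimate installers register one autostart, not three
            findings.append(f"{path} registered under {len(keys)} Run keys")
    return findings


if __name__ == "__main__":
    for finding in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print("FINDING:", finding)
```

Pointing it at a full export (every value under the three keys, not just the names you expect) is what makes the multi-key check useful: the bot's value name could change in another build, but a single image path registered in HKLM, HKCU and the Terminal Server shadow key is unusual enough to surface on its own.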

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
jusched.exe    %Windir%\jusched.exe   3 141 632 bytes

The main module occupies about 3 MB in memory against a 72 704-byte file on disk, which is consistent with a packed executable that unpacks itself at run time; dump the process image rather than the file if static analysis is needed.

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

Stopping wuauserv leaves the host without Windows Update; after removal, set the service back to Automatic and start it, and check whether its start type was changed as well as its state.

File System Modifications

* The following files were created in the system:

1. %Windir%\jusched.exe (72 704 bytes)
   MD5:    1489BDE0A93BB0FA4B87CAF2AE6E7624
   SHA-1:  37844827B08D9FDAC36FBC505F8A427626858466
   Alias:  Mal/Rimecud-D [Sophos], Worm:Win32/Pushbot.gen!C [Microsoft]
2. %Windir%\mdll.dl (2 222 bytes)
   MD5:    7E595EB0DBDE00A8D49B76172C7F5F05
   SHA-1:  9E1037090C020BC205EEEC4AB436C56B713DEB76
   Alias:  (not available)
3. %Windir%\wintybrd.png (3 416 bytes)
   MD5:    D3A3A9391EA080EDFEF8BA202CC36D2E
   SHA-1:  D771C5BA93DC6FC0438AF3FF1E909338F63EC283
   Alias:  (not available)
4. %Windir%\wintybrdf.jpg (3 968 bytes)
   MD5:    E246233F7DCFE923D7A54F29B63CC30E
   SHA-1:  B512DA23F7D01E8BD23133583103A83DC6D5C787
   Alias:  (not available)

The report does not say what the three small files are for; their image and .dl extensions should not be taken at face value, and they belong in the same submission as jusched.exe. Only the executable has vendor detections.
