66.225.241.182 (server1.beetrootmusic.com)

Remote Host       Port Number
204.0.5.41        80
204.0.5.48        80
204.0.5.51        80
204.0.5.56        80
204.0.5.57        80
204.0.5.58        80
216.178.38.103    80
216.178.38.168    80
216.178.39.11     80
63.135.86.21      80
66.225.241.182    2345

PASS xxx
NICK NEW-[USA|00|P|11380]
USER XP-4288 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|11380] -ix
JOIN #!gf! test
PONG 22 MOTD

* The data identified by the following URLs was then requested from the remote web server:
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal_a23gacz1.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/tracking/tynt_yjp6wvuu.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_wrhw3zve.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://c1.ac-images.myspacecdn.com/images02/93/s_43a1706970f34353b9615c04e48f1c20.jpg
o http://c1.ac-images.myspacecdn.com/images02/72/s_30324b42b095483cb3548f03c7a6bc94.gif
o http://c1.ac-images.myspacecdn.com/images02/49/s_17678871972d4b15ad39094bbd7329c8.jpg
o http://c1.ac-images.myspacecdn.com/images02/71/s_7c044800c31d46ae87c57975f66c81bc.jpg
o http://c1.ac-images.myspacecdn.com/images02/110/s_20d78d17533242629d188c891edeca7c.jpg
o http://c1.ac-images.myspacecdn.com/images02/73/s_79bd49e81f114336bf63c0f64318ea6c.jpg
o http://c1.ac-images.myspacecdn.com/images01/45/s_b1b26d7e81b2908bac75a1baadde39bc.jpg
o http://c1.ac-images.myspacecdn.com/images02/25/s_3508fde6ddaa422d9934c54aefc0bae4.jpg
o http://c1.ac-images.myspacecdn.com/images02/127/s_9be57e8996f247a09223624f878f1794.jpg
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/common/static/css/global_dx4dnvyu.css
o http://x.myspacecdn.com/modules/common/static/img/header/header-ie6.gif
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/common/static/img/header/SearchButtonsGradients.png
o http://c4.ac-images.myspacecdn.com/images02/76/s_80e682cf6fe349b08dc2a1cfebc8e7a7.jpg
o http://c4.ac-images.myspacecdn.com/images02/124/s_48549f99791648acadfa1fb735d60b5b.jpg
o http://c4.ac-images.myspacecdn.com/images02/151/s_b7995365d78c48dd92e7eeef49c1a3ab.jpg
o http://c4.ac-images.myspacecdn.com/images02/101/s_0badb08b843d4b73871a2875e9881a9b.jpg
o http://c4.ac-images.myspacecdn.com/images02/133/s_85171270f65e44beab312d5074ceb85b.gif
o http://c4.ac-images.myspacecdn.com/images02/116/s_d5761da22932418898cc79025cc9254f.jpg
o http://c4.ac-images.myspacecdn.com/images02/50/s_f2dd3a9d62134ec5808d65678af862b3.jpg
o http://c4.ac-images.myspacecdn.com/images01/60/s_63c085ecd8e39a16336c619cb30b240f.jpg
o http://c4.ac-images.myspacecdn.com/images02/131/s_bc75ec3e2a2b4f158c17198779087c4f.jpg
o http://c4.ac-images.myspacecdn.com/images02/143/s_77db05b9922246c494a10f604ac753f3.jpg
o http://c4.ac-images.myspacecdn.com/images02/102/s_e22cece455dc4b0f947e1af37a8b30bb.jpg
o http://c4.ac-images.myspacecdn.com/images02/96/s_81205af00f134cdd87b25acad2d06843.jpg
o http://c4.ac-images.myspacecdn.com/images02/76/s_7edbc2be8ce544958f83ad164063786b.jpg
o http://c4.ac-images.myspacecdn.com/images02/87/s_9f099bd678c340088b7bc751ba8cd3af.jpg
o http://1.download.advertise.myspace.com/0e/ce/01/62ce010d84dd87d43b1f5fc589d56aed_final.jpg
o http://cms.myspacecdn.com/cms/Headerlogo/header_ms.png
o http://cms.myspacecdn.com/cms/js/ad_wrapper0151.js
o http://c3.ac-images.myspacecdn.com/images02/119/s_5d6c2f718dbb4d5fa412edaccbc002a6.jpg
o http://c3.ac-images.myspacecdn.com/images02/150/s_1c332165cd044eb2b2140c65dff051f2.jpg
o http://c2.ac-images.myspacecdn.com/images02/127/s_25249871c0b24322a342d6cdc3c4f3f5.jpg
o http://c2.ac-images.myspacecdn.com/images02/104/s_9e1c4c33490240f6b5f331a78de87621.jpg
o http://c2.ac-images.myspacecdn.com/images02/105/s_422724aeccc04924a92df211a30910f9.jpg
o http://c3.ac-images.myspacecdn.com/images02/106/s_2442f1f8e15545808d2feb75790283fa.jpg
o http://c2.ac-images.myspacecdn.com/images02/105/s_6cd5fae83ef249279752e3eceb15c545.jpg
o http://c3.ac-images.myspacecdn.com/images02/134/s_be3abfdd5555460cab9516840f0c7c3a.jpg
o http://c3.ac-images.myspacecdn.com/images02/139/s_9a20b5cea41746b4b7c19337a92cbdfa.jpg
o http://c2.ac-images.myspacecdn.com/images02/133/s_aaf354395eb344f19662f5294a5f5721.jpg
o http://c3.ac-images.myspacecdn.com/images02/139/s_cc568a248e1e4eb686201ab9bf067cd2.jpg
o http://c2.ac-images.myspacecdn.com/images02/68/s_08143008a434418d81b5d6ef705db639.jpg
o http://c2.ac-images.myspacecdn.com/images02/143/s_7592fe37fc1e4504bd22a468d1f47d81.jpg
o http://c2.ac-images.myspacecdn.com/images02/149/s_59bf1849a71942468318da07c3ee490d.jpg
o http://c2.ac-images.myspacecdn.com/images02/83/s_87ad531bfca84dcd81c11da97b6447a1.jpg
o http://c2.ac-images.myspacecdn.com/images02/85/s_ec40990ce97447d5979fa7e2c14d18a5.jpg
o http://c2.ac-images.myspacecdn.com/images02/78/s_e86a4fa398c94b1989fae42d7182605d.jpg
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://www.myspace.com/Modules/Common/HttpHandlers/CMS.ashx?google_ad_client=fim_myspace_images_js&google_ad_channel=fim_myspace_images_browse-basic,fim_myspace_united-states&pfc=Browse&culture=en-US&undefined
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=628954168
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=628954168
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n&no_cj_c=1&upsid=904072253398
o http://rd.apmebf.com/w/get.media?sid=54674&tp=5&d=j&t=n&host=media.fastclick.net
o http://fim.adnxs.com/fpt?id=3594&size=160x600&flash=1&cookies=1&callback=C1Hs1En8Xc9L.b0Ul1Wp8Hs9E&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1278925476063
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Vx8Lv4Sl0B.b0Ic8Aj4Ga0K/bnum=1278925476188
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Vx8Lv4Sl0B.b0Ic8Aj4Ga0K/bnum=1278925476188
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://ad.yieldmanager.com/getbid?Z=728x90&s=796240&_salt=1278925476188&r=1&callback=C1Vx8Lv4Sl0B.b1No8Eb4Ic0A&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx

Other details

* The following ports were open in the system:

Port   Protocol   Process
1058   TCP        jusched.exe (%Windir%\jusched.exe)
1091   TCP        jusched.exe (%Windir%\jusched.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
jusched.exe    %Windir%\jusched.exe   3 141 632 bytes

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

# / Filename(s) / File Size / File Hash / Alias

1 %Windir%\jusched.exe
  [file and pathname of the sample #1]
  File Size: 73 216 bytes
  MD5: 0x4408D0E4C4B25DA6DF978D890C6B89C3
  SHA-1: 0x60B1B5D2A230B6B13D9770D83F7E4726527080CF
  Alias: Malware.Yimfoca [PCTools]
         W32.Yimfoca [Symantec]
         Backdoor.Win32.IRCBot.ppk [Kaspersky Lab]
         Mal/Rimecud-D [Sophos]
         Worm:Win32/Pushbot.gen!C [Microsoft]
         Worm.Win32.Pushbot [Ikarus]
         Win-Trojan/Ircbot.73216 [AhnLab]

2 %Windir%\mdll.dl
  File Size: 2 202 bytes
  MD5: 0x2C82D46538B47C6938604A37B9AE8337
  SHA-1: 0x776B501D3A744D949BCBF581CAF264F4C325AFE9
  Alias: (not available)

3 %Windir%\wintybrd.png
  File Size: 3 416 bytes
  MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
  SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
  Alias: (not available)

4 %Windir%\wintybrdf.jpg
  File Size: 3 968 bytes
  MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
  SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787
  Alias: (not available)
