Cluster M

220 samples (Win2K-f (65%)
WinXP (35%))

Ports
Attack port Ports
135 (100%) 69 (88%)
707 (88%)
1031 (88%)
1027 (62%)
1034 (38%)

Files
Drops
dllhost.exe (81%)
explorer.exe (42%)
cmd.exe (38%)
csrss.exe (38%)
lsass.exe (38%)
services.exe (38%)
full list

Snort
Snort IDs Snort Egg IDs Snort Outbound IDs
1:299913:1 (100%) 1:1444:3 (100%)
1:2008120:1 (100%)
1:3001441:1 (100%) 1:52123:3 (100%)

Registry
Registry keys Registry values
- -

Servers
DNS Lookups C & C IPs
US:download.microsoft.com (86%)
US:microsoft.com (86%)
:proxim.ircgalaxy.pl (46%) 72.10.172.211:8080, 67.43.236.66:8080 (50%)
67.43.236.66:8080, 72.10.172.211:8080 (33%)

Chatter
HTTP chatter IRC chatter
- -

Static Analysis
Antivirus labels Packed MD5 Unpacked MD5
sophos (91%)
authentium (89%)
kaspersky (89%)
webwasher (89%)
fortinet (86%)
ikarus (85%)
full list
53bfe1... (21%)
168aab... (6%)
diversity: 54.3%
full list
73f108... (10%)
a08f3b... (9%)
4c3df2... (8%)
diversity: 40.3%
full list