Cluster P

117 samples (Win2K-f 53%, WinXP 47%)


Ports
Attack port: 445 (100%)
Files
Drops:
  igxdfdfds.com (100%)

Processes:
  cmd.exe (39%)
  csrss.exe (39%)
  explorer.exe (39%)
  lsass.exe (39%)
  services.exe (39%)

  cmd.exe (100%)
  csrss.exe (100%)
  explorer.exe (100%)
  lsass.exe (100%)
  services.exe (100%)
  spoolsv.exe (100%)

Snort
Snort IDs:
  1:21390:5 (60%)
  1:299998:1 (60%)
  1:1390:5 (40%)
  1:2001944:3 (40%)
  1:99998:2 (40%)
  1:3003:4 (38%)

Snort Egg IDs:
  1:2001683:3 (99%)
  1:3000007:99 (99%)
  1:5001684:99 (99%)

Snort Outbound IDs: -
Registry
Registry keys:
  ...currentversion/runservices (100%)
  ...currentversion/runonce (67%)
  ...currentversion/runonce (67%)
  ...currentversion/run (33%)

Registry values:
  microsoftvisualsp (100%)
Servers
DNS Lookups: f.unicat.org (100%)
Failed connections: 69.42.216.90:9890 (100%)
C & C IPs: 69.42.216.90:9890 (100%)
Chatter
FTP chatter:
  exec=igxdfdfds.com (100%)
  pass=a (100%)
  user=a (100%)

HTTP chatter: -
Static Analysis
Antivirus labels:
  webwasher (100%)
  rbot (99%)
  sdbot (99%)
  sophos (99%)
  thehacker (99%)
  antivir (98%)

Packed MD5: e8d4d8... (91%), diversity: 5.3%

Unpacked MD5: fda109... (91%), diversity: 0.9%
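The indicators above (dropped file name, autorun registry keys and value name, DNS lookup, C&C endpoint, FTP chatter) can be turned into a host and network triage check. The script below is an added example, not code from the sandbox or the report: the "kind|detail" record format and the sample records are constructed for illustration, and the registry keys are matched on the "...currentversion/<key>" tail only, because the report truncates the hive and path prefix.

```python
# Added example: match the indicators this cluster report lists (dropped file,
# autorun registry keys/value, DNS lookup, C&C endpoint, FTP chatter) against
# host and network records. Not the sandbox's own code; the "kind|detail" record
# format and the sample records below are constructed for illustration.
from typing import Dict, Set

# Indicators copied from the report. Registry keys are truncated there to
# "...currentversion/<key>", so only that tail is matched.
CLUSTER_P = {
    "dropped_file": "igxdfdfds.com",
    "registry_keys": {"runservices", "runonce", "run"},
    "registry_value": "microsoftvisualsp",
    "dns_lookup": "f.unicat.org",
    "cnc": ("69.42.216.90", 9890),
    "ftp_chatter": {"user": "a", "pass": "a", "exec": "igxdfdfds.com"},
}

# Indicators specific enough to carry a verdict on their own; a generic
# Run/RunOnce/RunServices write ("autorun_key") is only supporting evidence.
STRONG = {"dropped_file", "registry_value", "dns_lookup", "cnc", "ftp_exec"}

# Constructed sample records (assumed format): one "kind|detail" line each.
SAMPLE_LOG = """\
file|C:\\WINDOWS\\system32\\igxdfdfds.com
reg|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\microsoftvisualsp=igxdfdfds.com
reg|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=updater.exe
dns|f.unicat.org
conn|69.42.216.90:9890
conn|10.0.0.5:445
ftp|user=a
ftp|pass=a
ftp|exec=igxdfdfds.com
"""


def match_record(kind: str, detail: str) -> Set[str]:
    """Return the names of the cluster indicators a single record matches."""
    hits: Set[str] = set()
    d = detail.strip().lower()
    if kind == "file":
        # Compare the file name only; the drop directory is not in the report.
        if d.rsplit("\\", 1)[-1] == CLUSTER_P["dropped_file"]:
            hits.add("dropped_file")
    elif kind == "reg":
        # "HKLM\...\CurrentVersion\<key>\<value name>=<data>"
        path = d.partition("=")[0]
        parts = path.split("\\")
        if len(parts) >= 3 and parts[-3] == "currentversion" \
                and parts[-2] in CLUSTER_P["registry_keys"]:
            hits.add("autorun_key")
            if parts[-1] == CLUSTER_P["registry_value"]:
                hits.add("registry_value")
    elif kind == "dns":
        if d == CLUSTER_P["dns_lookup"]:
            hits.add("dns_lookup")
    elif kind == "conn":
        host, _, port = d.rpartition(":")
        if port.isdigit() and (host, int(port)) == CLUSTER_P["cnc"]:
            hits.add("cnc")
    elif kind == "ftp":
        key, _, value = d.partition("=")
        if CLUSTER_P["ftp_chatter"].get(key) == value:
            hits.add("ftp_" + key)
    return hits


def triage(log: str) -> Dict[str, object]:
    """Aggregate indicator hits over a log and return a verdict.

    Two independent strong indicators are required so that a lone Run-key
    write or a single connection to a shared port cannot trigger the verdict.
    """
    hits: Set[str] = set()
    for line in log.splitlines():
        if "|" not in line:
            continue
        kind, _, detail = line.partition("|")
        hits |= match_record(kind.strip().lower(), detail)
    strong = len(hits & STRONG)
    verdict = "cluster-p" if strong >= 2 else "inconclusive"
    return {"hits": sorted(hits), "strong": strong, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Because the report only shows the tail of each registry path, the check accepts the key under any hive (HKLM or HKCU); the value name microsoftvisualsp and the dropped file name are what make the registry hit specific. The FTP credentials user=a/pass=a are too generic to be strong on their own, so only the exec=igxdfdfds.com command counts toward the verdict.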