server.beareserver1.com

Remote Host      Port Number
204.0.5.34       80
204.0.5.41       80
204.0.5.49       80
204.0.5.51       80
204.0.5.58       80
216.178.38.103   80
216.178.38.168   80
63.135.86.30     80
63.135.86.39     80
64.210.61.214    80
64.202.120.57    2345   (ircd here)

* The data identified by the following URLs was then requested from the remote web server:

MODE NEW-[USA|00|P|29977] -ix
JOIN #imb test
PONG 22 MOTD
NICK NEW-[USA|00|P|29977]
USER XP-5508 * 0 :COMPUTERNAME
Now talking in #imb
Topic is '.msn.stop|.msn.msg foto 😀 http://vip-space.net/image.php?='
Set by wd97 on Fri Apr 23 2010 at 7:34:24 PM
Outbound traffic was produced on port 2345: PASS xxx

Other details

* The following port was open in the system:

Port   Protocol   Process
1057   TCP        infocard.exe (%Windir%\infocard.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename        Main Module Size
infocard.exe   %Windir%\infocard.exe   3 104 768 bytes

File System Modifications

* The following files were created in the system:

1. %ProgramFiles%\infocard.exe
   %Windir%\infocard.exe
   [file and pathname of the sample #1]
   File size: 96 399 bytes
   MD5: 0x71A068BD7E5F4480283FE652AA4E02EB
   SHA-1: 0x4E13276F35CBE689456BBDFB88A2DAE4C498D2B9
   Aliases: Trojan.Skintrim [Symantec]; Backdoor.Win32.IRCBot.ork [Kaspersky Lab]; Mal/Rimecud-D [Sophos]; VirTool:Win32/CeeInject.gen!CM [Microsoft]; Win-Trojan/Bypassagent.96399.D [AhnLab]

2. %Windir%\mdsys.s
   File size: 0 bytes
   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Aliases: (not available)

3. %Windir%\mdusys.s
   File size: 1 391 bytes
   MD5: 0x199E4ED55E8FD1E33276BF8A2F08ADF9
   SHA-1: 0xA9BFB435BB0A9EE88E98701FD9FDF5D881CC8ADA
   Aliases: (not available)

4. %Windir%\winbrd.jpg
   File size: 3 871 bytes
   MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3
   SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
   Aliases: (not available)
