
Remote Host     Port Number
123.176.40.3    2345
204.0.5.34      80
204.0.5.40      80
204.0.5.41      80
204.0.5.42      80
204.0.5.43      80
204.0.5.51      80
204.0.5.56      80
207.46.148.32   80
216.178.38.103  80
63.135.86.21    80

* The data identified by the following URLs was then requested from the remote web server:

PONG 22 MOTD
NICK NEW-[USA|00|P|48119]
USER XP-1488 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|48119] -ix
JOIN #imb test

Now talking in #imb
Topic On: [ #imb ] [ .msn.stop|.msn.msg foto 😀 http://miggiphotos.com/image.php?= ]
Topic By: [ wd33 ]

server pass=PASS xxx

Other details

* The following port was open in the system:

Port  Protocol  Process
1058  TCP       infocard.exe (%Windir%\infocard.exe)
Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name  Process Filename        Main Module Size
infocard.exe  %Windir%\infocard.exe   3 117 056 bytes

File System Modifications

* The following files were created in the system:

#  Filename(s)                            File Size       File Hash                                             Alias
1  %Windir%\infocard.exe                  103 565 bytes   MD5: 0xFF417191C75353B1CFE6CE265C5353E7                Mal/Rimecud-D [Sophos]
   [file and pathname of the sample #1]                   SHA-1: 0xDE347A7ED35FAFCDFED5CF5A94C4780A4C7EBE6F
2  %Windir%\mds.sys                       1 469 bytes     MD5: 0xCD746B19D11954CA4FA3E4F98EB848BB                (not available)
                                                          SHA-1: 0x7A4D1B03B0DC7354F3DCEBF2DC6567EEF78BD6BC
3  %Windir%\mdt.sys                       0 bytes         MD5: 0xD41D8CD98F00B204E9800998ECF8427E                (not available)
                                                          SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
4  %Windir%\winbrd.jpg                    3 871 bytes     MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3                (not available)
                                                          SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
