Remote Host       Port Number
200.113.159.243   1234

* The data identified by the following URLs was then requested from the remote web server:

* There was outbound traffic produced on port 1234:

PASS xxx
JOIN #jakarta test
MODE NEW-[USA|00|P|56967] -ix
JOIN #USA
NICK NEW-[USA|00|P|56967]
USER XP-2562 * 0 :COMPUTERNAME
PONG irc.priv8net.com

* The following ports were open in the system:

Port   Protocol   Process
1056   TCP        infocard.exe (%Windir%\infocard.exe)
1093   TCP        infocard.exe (%Windir%\infocard.exe)

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"
    so that infocard.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"
    so that infocard.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Firewall Administrating = "%Windir%\infocard.exe"
    so that infocard.exe runs every time Windows starts

* The following Registry Value was modified:
  o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    + Start Page =

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename        Main Module Size
infocard.exe   %Windir%\infocard.exe   3 125 248 bytes

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

  1. %Windir%\infocard.exe
     [file and pathname of the sample #1]
     File Size: 98 818 bytes
     File Hash: MD5: 0x3EBB7F696BA98B3191E4153E6E4838C3
                SHA-1: 0x9DBB2CD3AAD87041120B9F8140F065C9D54B51F6
     Alias: Worm:Win32/Pushbot.gen!C [Microsoft]
            packed with PE_Patch.Stolen [Kaspersky Lab]

  2. %Windir%\mdll.dll
     File Size: 1 406 bytes
     File Hash: MD5: 0xD4138D5A69D6DEBBABC12A83D0191FF4
                SHA-1: 0x522BCC5F4CD38A4942FA22592718C3E074F8A37F
     Alias: (not available)

  3. %Windir%\Temp\sd.exe
     File Size: 42 620 bytes
     File Hash: MD5: 0xD1D4016A1B7E95D02FA57D4E001E77C9
                SHA-1: 0x12609483A81FC86FCB82A5AA2B023554B675211A
     Alias: Mal/VB-BL [Sophos]

  4. %Windir%\wintybrd.jpg
     File Size: 3 871 bytes
     File Hash: MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3
                SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
     Alias: (not available)
