Remote Host Port Number
 64.202.120.49 81 (ircd here)
 * IRC commands observed on this connection:
 o PASS xxx
 o JOIN #XXL test
 o PONG 22 MOTD
 o NICK NEW-[USA|00|P|16828]
 o USER XP-8033 * 0 :COMPUTERNAME
 o MODE NEW-[USA|00|P|16828] -ix
 * The data identified by the following URLs was then requested from the remote web server:
Other details
* The following ports were open in the system:
Port Protocol Process
 1056 TCP infocard.exe (%Windir%\infocard.exe)
 1081 TCP infocard.exe (%Windir%\infocard.exe)
Registry Modifications
 * The newly created Registry Values are:
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 + Firewall Admin = "%Windir%\infocard.exe"
 so that infocard.exe runs every time Windows starts
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
 + Firewall Admin = "%Windir%\infocard.exe"
 so that infocard.exe runs every time Windows starts
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 + Firewall Admin = "%Windir%\infocard.exe"
 so that infocard.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
 infocard.exe %Windir%\infocard.exe 3 129 344 bytes
* The following system service was modified:
Service Name Display Name New Status Service Filename
 wuauserv Automatic Updates "Stopped" %System%\svchost.exe -k netsvcs
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
 1  %Windir%\infocard.exe
 [file and pathname of the sample #1]  111 104 bytes  MD5: 0x28BF785B3148F4CD2B98013999329B1C
 SHA-1: 0x3BA08360C767045CC31281F54B2400BF8854B984
 2  %Windir%\mdll.dll  1 423 bytes  MD5: 0x89D34C1901314FF1286FFF389B64CF02
 SHA-1: 0x7C29052F996257BCF65CED4C913E09F545EFAD5B
 3  %Windir%\wintybrd.jpg  3 871 bytes  MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3
 SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
 4  %Windir%\wintybrdf.jpg  3 968 bytes  MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
 SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787