
Remote Host Port Number
204.0.5.41 80
204.0.5.42 80
204.0.5.48 80
204.0.5.50 80
204.0.5.51 80
204.0.5.57 80
216.178.38.103 80
216.178.38.168 80
63.135.86.23 80
63.135.86.39 80
216.246.77.59 1234

* The following data was sent over the connection to 216.246.77.59 on port 1234 (an IRC login, nick registration and channel join):

PASS xxx
NICK NEW-[USA|00|P|92609]
USER XP-5012 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|92609] -ix
JOIN #jakarta test
JOIN #USA
PONG irc.priv8net.com

* The data identified by the following URLs was then requested from the remote web server:

Other details

* The following ports were open in the system:

Port Protocol Process
1059 TCP infocard.exe (%Windir%\infocard.exe)
1089 TCP infocard.exe (%Windir%\infocard.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Admin = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Admin = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ PrivDiscUiShown = 0x00000001
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Admin = "%Windir%\infocard.exe"

so that infocard.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
infocard.exe %Windir%\infocard.exe 3 133 440 bytes
[filename of the sample #1] [file and pathname of the sample #1] 147 456 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates "Stopped" %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %Windir%\infocard.exe, [file and pathname of the sample #1] 147 456 bytes MD5: 0x9FF96730CDE6BBD98C8B4B11246F4B47
  SHA-1: 0xC8DAF8CE1C940FE4F63344BBF45BB6134109A20E
2 %Windir%\mdll.dll 2 115 bytes MD5: 0x15B4376FA888FCEC2589B7949F8578AB
  SHA-1: 0x2172D4438A768428FF8453FF753CC01A6368193F
3 %Windir%\wintybrd.png 3 416 bytes MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
  SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
4 %Windir%\wintybrdf.jpg 3 968 bytes MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
  SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787


1 Comment

07_TeddyF_Silvey0 - June 8, 2010 at 6:16 pm

The river is always the same, yet in every instant it is new.
