Remote Host Port Number
210.170.62.106 2345

* The following IRC client commands were then sent to the remote host on port 2345:

PASS xxx
JOIN #!gf! test
MODE NEW-[USA|00|P|62925] -ix
NICK NEW-[USA|00|P|62925]
USER XP-2516 * 0 :COMPUTERNAME
PONG irc.priv8net.com

* The data identified by the following URLs was then requested from the remote web server:

Other details

* The following ports were open in the system:

Port Protocol Process
1056 TCP jusched.exe (%Windir%\jusched.exe)
1092 TCP jusched.exe (%Windir%\jusched.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
jusched.exe %Windir%\jusched.exe 3 141 632 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates "Stopped" %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

1. %Windir%\jusched.exe
   File Size: 105 472 bytes
   MD5: 0x84788D49456B6DA3973C831AF64BBA4A
   SHA-1: 0xED61EF2E97CA93D030A8C4204ED64B9AA8EDC956
   Alias: Malware.Yimfoca [PCTools]; W32.Yimfoca!gen3 [Symantec]; Mal/Generic-L [Sophos]; Trojan:Win32/Malagent [Microsoft]; Gen.Variant [Ikarus]

2. %Windir%\mdll.dl
   File Size: 2 188 bytes
   MD5: 0xDBD32A17BD175EBC21C1D7EECE287A46
   SHA-1: 0x60916672F2B5EB1187F0F9FA1370AB94376E19C5
   Alias: (not available)

3. %Windir%\wintybrd.png
   File Size: 3 416 bytes
   MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
   SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
   Alias: (not available)

4. %Windir%\wintybrdf.jpg
   File Size: 3 968 bytes
   MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
   SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787
   Alias: (not available)