Remote Host        Port Number
204.0.5.41         80
204.0.5.42         80
204.0.5.48         80
204.0.5.59         80
216.178.38.103     80
216.178.38.168     80
63.135.86.23       80
63.135.86.25       80
63.215.202.6       80
64.208.137.251     80
91.121.13.139      1234

Data sent to 91.121.13.139:1234 (IRC protocol):
    PASS xxx
    NICK NEW-[USA|00|P|56391]
    USER XP-8966 * 0 :COMPUTERNAME
    MODE NEW-[USA|00|P|56391] -ix
    JOIN #!wm! test
    PONG 22 MOTD
* The data identified by the following URLs was then requested from the remote web server:
o http://c2.ac-images.myspacecdn.com/images01/36/s_b424f7974601b62b3f13636283a81879.jpg
o http://c2.ac-images.myspacecdn.com/images02/110/s_952d33b0bd664d5fb4d404ddfd248341.jpg
o http://c2.ac-images.myspacecdn.com/images02/150/s_910fdd591a60411095c42790117e7ef9.jpg
o http://c2.ac-images.myspacecdn.com/images02/114/s_bf1387c0316f436e9c0835fec3b97241.jpg
o http://c2.ac-images.myspacecdn.com/images01/106/s_94c350ed0724bc0fafd57ef618cd7c45.jpg
o http://c2.ac-images.myspacecdn.com/images02/151/s_1d9b68a13f564acdb68e97b97c65fd0d.jpg
o http://c2.ac-images.myspacecdn.com/images02/53/s_102cbacf256b4f218aa2675143a62c51.jpg
o http://c2.ac-images.myspacecdn.com/images01/45/s_5c209390e6a9be2e47fe0477d5c8c3c5.jpg
o http://c3.ac-images.myspacecdn.com/images02/128/s_2a1b8ec7fc3c48b889dd0949307fde06.jpg
o http://c3.ac-images.myspacecdn.com/images02/106/s_698782546d5041d18edc76f79922a25e.jpg
o http://c3.ac-images.myspacecdn.com/images02/82/s_5a9fb48fd04747f188f892763a647f46.jpg
o http://c3.ac-images.myspacecdn.com/images02/81/s_1d43a6a8cdd44ebeb8fb846056eaefb6.gif
o http://c3.ac-images.myspacecdn.com/images02/109/s_95f47c9b63094a66b6fa613a3086528a.jpg
o http://c3.ac-images.myspacecdn.com/images01/32/s_7c50c8212111ec358b5ada030e3ad836.jpg
o http://c3.ac-images.myspacecdn.com/images02/137/s_9b39118789994991b8046835278847ce.jpg
o http://c3.ac-images.myspacecdn.com/images02/148/s_b312743824c14833a9168890d38d934e.jpg
o http://c3.ac-images.myspacecdn.com/images02/75/s_0dc0ce5d87d940ffad462fe51b736092.jpg
o http://c3.ac-images.myspacecdn.com/images02/97/s_2079030a13084a3899329fffa0015d6e.jpg
o http://c1.ac-images.myspacecdn.com/images02/117/s_1ff49851d77b49839d91c5bc27c27ef0.jpg
o http://c1.ac-images.myspacecdn.com/images02/77/s_e5c088e7b8d64d8cbfe3bb4d13191e4c.jpg
o http://c1.ac-images.myspacecdn.com/images01/17/s_e41c760c5be482245fbb8d495633b6c0.jpg
o http://c1.ac-images.myspacecdn.com/images02/137/s_1763b518abf24052b11dd2d346f70534.jpg
o http://c1.ac-images.myspacecdn.com/images02/124/s_288ef41f61074d3baeadb3b447c069d4.jpg
o http://c1.ac-images.myspacecdn.com/images02/129/s_f1ee619dbd624ef78ea802778e560330.jpg
o http://c1.ac-images.myspacecdn.com/images02/76/s_6810173e37b84b6180e04046fcba3664.jpg
o http://c1.ac-images.myspacecdn.com/images02/139/s_00f345ecb84c4273ab9dfd319611ef58.jpg
o http://c1.ac-images.myspacecdn.com/images02/132/s_a534be11896f4ee4bf5bdbf6ef20f7e0.jpg
o http://c1.ac-images.myspacecdn.com/images02/73/s_936372053362416886195bcb40d237f0.jpg
o http://c1.ac-images.myspacecdn.com/images02/116/s_935fcd0f3ccb465ab6cb347c5e9e6e0c.jpg
o http://c1.ac-images.myspacecdn.com/images02/120/s_a63a8df36c714e62893a032eb007c508.jpg
o http://c1.ac-images.myspacecdn.com/images02/92/s_e8acc4782c244f61baa7c7ec0b4b39dc.jpg
o http://c1.ac-images.myspacecdn.com/images02/121/s_d7e2af51dd7d4137bab13ca0e962dc74.jpg
o http://c1.ac-images.myspacecdn.com/images02/143/s_81d5f1ee495444299adc7f1c2de2b0e0.jpg
o http://c4.ac-images.myspacecdn.com/images02/94/s_3124f3c8a8d34abc81bd1a50ba77b41b.jpg
o http://c4.ac-images.myspacecdn.com/images02/130/s_ec8317959629416193639e9f638cc2c7.jpg
o http://c4.ac-images.myspacecdn.com/images02/132/s_d463bf3533b749edb2091cae85cb45cb.jpg
o http://c4.ac-images.myspacecdn.com/images02/152/s_9e9165fef7584bd390ea1de4caf4a9ab.jpg
o http://c4.ac-images.myspacecdn.com/images02/139/s_b9020abf71414cbfb24027ab3cce494b.jpg
o http://c4.ac-images.myspacecdn.com/images01/91/s_f66a7a632cd96d378a9a242c0aa5d197.jpg
o http://c4.ac-images.myspacecdn.com/images02/151/s_9dab18bbc2044d2682e6d99a1f603daf.jpg
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=123964847
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=123964847
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n&no_cj_c=1&upsid=198663354974
o http://fim.adnxs.com/fpt?id=3594&size=160x600&flash=1&cookies=1&callback=C1Tq6Eg0Gh9F.b0Kt6Tq0Eg9G&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1280410889426
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal__7us4lzq.js
o http://cms.myspacecdn.com/cms/js/ad_wrapper0153.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_a0c24hfu.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/common/static/css/global_y5kcgkyi.css
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://1.download.advertise.myspace.com/upld/cs/1//cs3_sk_747_.jpg
o http://cdn.doubleverify.com/script44.js?agnc=607671&cmp=CINGCP908001CNT&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=2&plc=193886852&advid=607930&sid=193886852&adid=
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Pc1Bx8Tm4U.b0Gh1Nj8Pc4B/bnum=1280410888723
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Pc1Bx8Tm4U.b0Gh1Nj8Pc4B/bnum=1280410888723
o http://p.ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1280410889536&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://ad.yieldmanager.com/getbid?Z=728x90&s=796250&_salt=1280410888723&u=http://www.foxaudiencenetwork.com&r=1&callback=C1Pc1Bx8Tm4U.b1Tm1Uv8Yd4O&cookie=1&flash=1&bvs=&hvs=BBJRUOOP
o http://ad.yieldmanager.com/getbid?Z=160x600&s=796240&_salt=1280410889426&r=1&callback=C1Tq6Eg0Gh9F.b1Ox6Zd0Lb9K&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx
* The following ports were open in the system:
  Port   Protocol   Process
  1057   TCP        jusched.exe (%Windir%\jusched.exe)
  1091   TCP        jusched.exe (%Windir%\jusched.exe)
Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "%Windir%\jusched.exe"
      so that jusched.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
  Process Name   Process Filename       Main Module Size
  jusched.exe    %Windir%\jusched.exe   3 141 632 bytes
* The following system service was modified:
  Service Name   Display Name        New Status   Service Filename
  wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs
* Notes:
  o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
File System Modifications
* The following files were created in the system:
  #   Filename(s)                              File Size        File Hash
  1   %Windir%\jusched.exe                     356 354 bytes    MD5: 0x1FA37E56FBDFC1F4B3E1FB8428C782CE
      [file and pathname of the sample #1]                      SHA-1: 0x8E5B6722A5D1EE346889DC7D19351A8D114714B1
  2   %Windir%\mdll.dl                         2 253 bytes      MD5: 0x7BA00DFE759A6113E713605A1B91697E
                                                                SHA-1: 0x9D4476D4FE1A55AC3BA7C026727D68C52D429A19
  3   %Windir%\wintybrd.png                    3 416 bytes      MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
                                                                SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
  4   %Windir%\wintybrdf.jpg                   3 968 bytes      MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
                                                                SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787