91.121.13.139 – Inside Your Botnet

Remote Host Port Number
204.0.5.41 80
204.0.5.42 80
204.0.5.48 80
204.0.5.59 80
216.178.38.103 80
216.178.38.168 80
63.135.86.23 80
63.135.86.25 80
63.215.202.6 80
64.208.137.251 80
91.121.13.139 1234 PASS xxx

NICK NEW-[USA|00|P|56391]
USER XP-8966 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|56391] -ix
JOIN #!wm! test
PONG 22 MOTD

* The data identified by the following URLs was then requested from the remote web server:
o http://c2.ac-images.myspacecdn.com/images01/36/s_b424f7974601b62b3f13636283a81879.jpg
o http://c2.ac-images.myspacecdn.com/images02/110/s_952d33b0bd664d5fb4d404ddfd248341.jpg
o http://c2.ac-images.myspacecdn.com/images02/150/s_910fdd591a60411095c42790117e7ef9.jpg
o http://c2.ac-images.myspacecdn.com/images02/114/s_bf1387c0316f436e9c0835fec3b97241.jpg
o http://c2.ac-images.myspacecdn.com/images01/106/s_94c350ed0724bc0fafd57ef618cd7c45.jpg
o http://c2.ac-images.myspacecdn.com/images02/151/s_1d9b68a13f564acdb68e97b97c65fd0d.jpg
o http://c2.ac-images.myspacecdn.com/images02/53/s_102cbacf256b4f218aa2675143a62c51.jpg
o http://c2.ac-images.myspacecdn.com/images01/45/s_5c209390e6a9be2e47fe0477d5c8c3c5.jpg
o http://c3.ac-images.myspacecdn.com/images02/128/s_2a1b8ec7fc3c48b889dd0949307fde06.jpg
o http://c3.ac-images.myspacecdn.com/images02/106/s_698782546d5041d18edc76f79922a25e.jpg
o http://c3.ac-images.myspacecdn.com/images02/82/s_5a9fb48fd04747f188f892763a647f46.jpg
o http://c3.ac-images.myspacecdn.com/images02/81/s_1d43a6a8cdd44ebeb8fb846056eaefb6.gif
o http://c3.ac-images.myspacecdn.com/images02/109/s_95f47c9b63094a66b6fa613a3086528a.jpg
o http://c3.ac-images.myspacecdn.com/images01/32/s_7c50c8212111ec358b5ada030e3ad836.jpg
o http://c3.ac-images.myspacecdn.com/images02/137/s_9b39118789994991b8046835278847ce.jpg
o http://c3.ac-images.myspacecdn.com/images02/148/s_b312743824c14833a9168890d38d934e.jpg
o http://c3.ac-images.myspacecdn.com/images02/75/s_0dc0ce5d87d940ffad462fe51b736092.jpg
o http://c3.ac-images.myspacecdn.com/images02/97/s_2079030a13084a3899329fffa0015d6e.jpg
o http://c1.ac-images.myspacecdn.com/images02/117/s_1ff49851d77b49839d91c5bc27c27ef0.jpg
o http://c1.ac-images.myspacecdn.com/images02/77/s_e5c088e7b8d64d8cbfe3bb4d13191e4c.jpg
o http://c1.ac-images.myspacecdn.com/images01/17/s_e41c760c5be482245fbb8d495633b6c0.jpg
o http://c1.ac-images.myspacecdn.com/images02/137/s_1763b518abf24052b11dd2d346f70534.jpg
o http://c1.ac-images.myspacecdn.com/images02/124/s_288ef41f61074d3baeadb3b447c069d4.jpg
o http://c1.ac-images.myspacecdn.com/images02/129/s_f1ee619dbd624ef78ea802778e560330.jpg
o http://c1.ac-images.myspacecdn.com/images02/76/s_6810173e37b84b6180e04046fcba3664.jpg
o http://c1.ac-images.myspacecdn.com/images02/139/s_00f345ecb84c4273ab9dfd319611ef58.jpg
o http://c1.ac-images.myspacecdn.com/images02/132/s_a534be11896f4ee4bf5bdbf6ef20f7e0.jpg
o http://c1.ac-images.myspacecdn.com/images02/73/s_936372053362416886195bcb40d237f0.jpg
o http://c1.ac-images.myspacecdn.com/images02/116/s_935fcd0f3ccb465ab6cb347c5e9e6e0c.jpg
o http://c1.ac-images.myspacecdn.com/images02/120/s_a63a8df36c714e62893a032eb007c508.jpg
o http://c1.ac-images.myspacecdn.com/images02/92/s_e8acc4782c244f61baa7c7ec0b4b39dc.jpg
o http://c1.ac-images.myspacecdn.com/images02/121/s_d7e2af51dd7d4137bab13ca0e962dc74.jpg
o http://c1.ac-images.myspacecdn.com/images02/143/s_81d5f1ee495444299adc7f1c2de2b0e0.jpg
o http://c4.ac-images.myspacecdn.com/images02/94/s_3124f3c8a8d34abc81bd1a50ba77b41b.jpg
o http://c4.ac-images.myspacecdn.com/images02/130/s_ec8317959629416193639e9f638cc2c7.jpg
o http://c4.ac-images.myspacecdn.com/images02/132/s_d463bf3533b749edb2091cae85cb45cb.jpg
o http://c4.ac-images.myspacecdn.com/images02/152/s_9e9165fef7584bd390ea1de4caf4a9ab.jpg
o http://c4.ac-images.myspacecdn.com/images02/139/s_b9020abf71414cbfb24027ab3cce494b.jpg
o http://c4.ac-images.myspacecdn.com/images01/91/s_f66a7a632cd96d378a9a242c0aa5d197.jpg
o http://c4.ac-images.myspacecdn.com/images02/151/s_9dab18bbc2044d2682e6d99a1f603daf.jpg
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=123964847
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=123964847
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n
o http://media.fastclick.net/w/get.media?sid=54674&tp=5&d=j&t=n&no_cj_c=1&upsid=198663354974
o http://fim.adnxs.com/fpt?id=3594&size=160×600&flash=1&cookies=1&callback=C1Tq6Eg0Gh9F.b0Kt6Tq0Eg9G&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1280410889426
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal__7us4lzq.js
o http://cms.myspacecdn.com/cms/js/ad_wrapper0153.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_a0c24hfu.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/common/static/css/global_y5kcgkyi.css
o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://1.download.advertise.myspace.com/upld/cs/1//cs3_sk_747_.jpg
o http://cdn.doubleverify.com/script44.js?agnc=607671&cmp=CINGCP908001CNT&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=2&plc=193886852&advid=607930&sid=193886852&adid=
o http://bid.ace.advertising.com/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Pc1Bx8Tm4U.b0Gh1Nj8Pc4B/bnum=1280410888723
o http://bid.ace.advertising.com/ctst=1/bid/ebs=1/site=744646/size=728090/tags=1/callback=C1Pc1Bx8Tm4U.b0Gh1Nj8Pc4B/bnum=1280410888723
o http://p.ic.tynt.com/b/p?id=bjNOt4bfyr35kFadbiUt4I&ts=1280410889536&t=Browse%20MySpace%20Friends%20and%20Profiles
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://ad.yieldmanager.com/getbid?Z=728×90&s=796250&_salt=1280410888723&u=http://www.foxaudiencenetwork.com&r=1&callback=C1Pc1Bx8Tm4U.b1Tm1Uv8Yd4O&cookie=1&flash=1&bvs=&hvs=BBJRUOOP
o http://ad.yieldmanager.com/getbid?Z=160×600&s=796240&_salt=1280410889426&r=1&callback=C1Tq6Eg0Gh9F.b1Ox6Zd0Lb9K&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx

* The following ports were open in the system:

Port Protocol Process
1057 TCP jusched.exe (%Windir%jusched.exe)
1091 TCP jusched.exe (%Windir%jusched.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Java developer Script Browse = “%Windir%jusched.exe”

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ Java developer Script Browse = “%Windir%jusched.exe”

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Java developer Script Browse = “%Windir%jusched.exe”

so that jusched.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
jusched.exe %Windir%jusched.exe 3 141 632 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates “Stopped” %System%svchost.exe -k netsvcs

* Notes:
o %System% is a variable that refers to the System folder. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %Windir%jusched.exe
[file and pathname of the sample #1] 356 354 bytes MD5: 0x1FA37E56FBDFC1F4B3E1FB8428C782CE
SHA-1: 0x8E5B6722A5D1EE346889DC7D19351A8D114714B1
2 %Windir%mdll.dl 2 253 bytes MD5: 0x7BA00DFE759A6113E713605A1B91697E
SHA-1: 0x9D4476D4FE1A55AC3BA7C026727D68C52D429A19
3 %Windir%wintybrd.png 3 416 bytes MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283
4 %Windir%wintybrdf.jpg 3 968 bytes MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787