Remote Host Port Number
178.86.2.16 1234 PASS xxx
NICK NEW-[USA|00|P|38552]
USER XP-4514 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|38552] -ix
JOIN #!nn! test
PONG 22 MOTD
JOIN #USA
* The data identified by the following URLs was then requested from the remote web server:
* The following ports were open in the system:
Port    Protocol    Process
1061    TCP         jusched.exe (%Windir%\jusched.exe)
1095    TCP         jusched.exe (%Windir%\jusched.exe)
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
so that jusched.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename        Main Module Size
jusched.exe     %Windir%\jusched.exe    3 141 632 bytes
* The following system service was modified:
Service Name    Display Name         New Status    Service Filename
wuauserv        Automatic Updates    "Stopped"     %System%\svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
#    Filename(s)             File Size        File Hash                                              Alias
1    %Windir%\jusched.exe    126 976 bytes    MD5: 0x66E6B41C5117C8074EBFB810F70D50A3                Trojan:Win32/Ircbrute [Microsoft]
                                              SHA-1: 0x5D43BBB72005A224A47E264F56D55B674E17BFB9