Infected Target: 192.168.71.171
Score: 1.5 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 85.92.158.75
Peer Coord. List:
Resource List: 192.168.71.2
Observed Start: 07/10/2008 22:01:42.785 PDT
Gen. Time: 07/10/2008 22:07:17.910 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
  85.92.158.75 (22:01:42.785 PDT)
    event=1:2008371 {tcp} E4[rb] ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent)
    3007->80 (22:01:42.785 PDT)
PEER COORDINATION
OUTBOUND SCAN
  192.168.71.2 (2) (22:01:50.266 PDT)
    event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=176/13/4/5): 53u:20, 123u:1, 1900u:3, 80:156
    0->0 (22:01:50.266 PDT)
    0->0 (22:04:27.675 PDT)
ATTACK PREP
  192.168.71.2 (22:01:47.885 PDT)
    event=1:2600151 {udp} E6[rb] SPYWARE-DNS DNS lookup 9 chars (.com)
    3024->53 (22:01:47.885 PDT)
DECLARE BOT

tcpslice 1215752502.785 1215752502.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.171'