Infected Target: 192.168.71.2
Score: 1.2 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 192.168.71.152
Observed Start: 07/02/2008 22:47:38.917 PDT
Gen. Time: 07/02/2008 22:53:24.172 PDT

INBOUND SCAN
192.168.71.152 (4) (22:45:38.937 PDT)
event=777:7777001 (4) {udp} E1[bh] Detected moderate malware scan by 192.168.71.152 (# pkts S/M/O/I=3/141/2/12) of 6 IPs: 192.168.71.2.{137,53} 192.168.71.255.{137,138} 192.168.71.153.137 192.168.71.254.67
0<-0 (22:45:38.937 PDT)
0<-0 (22:47:38.917 PDT)
0<-0 (22:49:38.867 PDT)
0<-0 (22:51:38.868 PDT)

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC

PEER COORDINATION

OUTBOUND SCAN
192.168.71.152 (4) (22:47:38.917 PDT)
event=777:7777005 (4) {udp} E5[bh] Detected moderate malware port scanning of 9 IPs (5 /24s) (# pkts S/M/O/I=7/144/6/10): 137u:126, 138u:18
0<-0 (22:47:38.917 PDT)
0<-0 (22:49:08.013 PDT)
0<-0 (22:51:38.868 PDT)
0<-0 (22:53:24.172 PDT)

ATTACK PREP
192.168.71.152 (22:49:08.013 PDT)
event=1:2600268 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.info) 53<-1026 (22:49:08.013 PDT)

DECLARE BOT

tcpslice 1215064058.917 1215064058.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.2'