Infected Target: 192.168.71.130
Score: 1.5 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 204.160.122.124, 89.188.16.34
Peer Coord. List:
Resource List: 192.168.71.2
Observed Start: 06/25/2008 23:45:07.369 PDT
Gen. Time: 06/25/2008 23:50:05.114 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
204.160.122.124 (23:45:16.720 PDT)
  event=1:2007772 {tcp} E4[rb] ET MALWARE Suspicious User Agent (Internet Explorer (compatible)) 3010->80 (23:45:16.720 PDT)
89.188.16.34 (23:45:07.369 PDT)
  event=1:2007142 {tcp} E4[rb] ET TROJAN Virtumonde Variant Reporting to Controller via HTTP 3009->80 (23:45:07.369 PDT)

PEER COORDINATION

OUTBOUND SCAN
192.168.71.2 (3) (23:45:16.691 PDT)
  event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 9 IPs (7 /24s) (# pkts S/M/O/I=10/87/5/5): 137u:70, 138u:17 0->0 (23:45:16.691 PDT) 0->0 (23:48:02.058 PDT) 0->0 (23:50:05.114 PDT)

ATTACK PREP
192.168.71.2 (23:45:16.659 PDT)
  event=1:2600109 {udp} E6[rb] SPYWARE-DNS DNS lookup 14 chars (.com) 1027->53 (23:45:16.659 PDT)

DECLARE BOT

tcpslice 1214462707.369 1214462707.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.130'