Infected Target: 192.168.184.132
Score: 1.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 222.254.25.22
Peer Coord. List:
Resource List:
Observed Start: 06/18/2008 22:15:26.426 PDT
Gen. Time: 06/18/2008 22:20:29.395 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
  222.254.25.22 (22:15:26.426 PDT)
    event=1:2007701 {udp} E4[rb] ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)
    5650->26824 (22:15:26.426 PDT)

PEER COORDINATION

OUTBOUND SCAN
  217.53.194.142 (22:16:06.512 PDT)
    event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=3/84/110/4): 2836u:1, 53u:2, 123u:2, 28827u:1, 26391u:1, 1900u:3, 20142u:1, 80:1, 25606u:1, 23753u:1, 7404u:1, 5860u:1
    0->0 (22:16:06.512 PDT)
  207.70.157.60 (2) (22:18:33.638 PDT)
    event=777:7777005 (2) {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=3/88/162/4): 2836u:1, 25606u:1, 30963u:1, 53u:2, 123u:2, 28827u:1, 26391u:1, 14455u:1, 14579u:1, 1900u:3, 20142u:1, 21776u:1
    0->0 (22:18:33.638 PDT)
    0->0 (22:20:29.395 PDT)
  192.168.184.2 (22:15:26.426 PDT)
    event=777:7777005 {udp} E5[bh] Detected moderate malware port scanning of 9 IPs (7 /24s) (# pkts S/M/O/I=3/83/8/4): 137u:67, 138u:16
    0->0 (22:15:26.426 PDT)

ATTACK PREP

DECLARE BOT
  192.168.184.2 (22:15:26.429 PDT)
    event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (19 /24s) (# pkts S/M/O/I=3/83/20/4): 137u:67, 138u:16
    0->0 (22:15:26.429 PDT)

tcpslice 1213852526.426 1213852526.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.184.132'