Process:

1. Copy of the sample, named nnfnotto.g

2. Injection of the sample into the environment through rundll32.exe

3. Infection started

4. Isomorphic behaviors:
   - Connects to Google on port 80
   - Scans the network 192.168.1.0/24 on port 445

After 15 minutes:

Communicates with sites under .cn, .info, etc. and issues a search request of the following form: /search?q=0

An answer over HTTP on port 445 results in a radmin connection.

Another site sends an flr_agent and a magiccontrol.

Communications always seem to go from local port 4903 to port 80 of these sites.

Over 2 complete days, the same list of sites is always contacted.
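
The two network behaviours noted above (a port 445 sweep of 192.168.1.0/24 and /search?q= requests to port 80) can be checked together in flow logs. The following is an added example, not part of the original notes: the log format, all IP addresses, the function names and the threshold of 20 targets are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

SCAN_NET = ipaddress.ip_network("192.168.1.0/24")  # subnet scanned in the notes
SCAN_THRESHOLD = 20         # assumed: distinct 445 targets before a host counts as scanning
BEACON_PATH = "/search?q="  # request form seen in the notes

def build_sample():
    """Constructed flow log: ts,src_ip,src_port,dst_ip,dst_port,http_path."""
    rows = [f"{i},192.168.1.50,{2000 + i},192.168.1.{i},445," for i in range(1, 41)]
    rows.append("900,192.168.1.50,4903,203.0.113.10,80,/search?q=0")
    rows.append("905,192.168.1.50,4903,198.51.100.7,80,/search?q=0")
    rows.append("910,192.168.1.60,51000,192.168.1.5,445,")  # a single file-share use
    rows.append("915,192.168.1.60,51001,203.0.113.80,80,/index.html")
    return "\n".join(rows)

def parse_flows(text):
    fields = ["ts", "src", "sport", "dst", "dport", "path"]
    flows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=fields):
        for key in ("ts", "sport", "dport"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def smb_scanners(flows):
    """Sources touching many distinct hosts of SCAN_NET on port 445."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == 445 and ipaddress.ip_address(f["dst"]) in SCAN_NET:
            targets[f["src"]].add(f["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= SCAN_THRESHOLD}

def search_beacons(flows):
    """Port 80 requests using the /search?q= form, grouped by source host."""
    hits = defaultdict(list)
    for f in flows:
        if f["dport"] == 80 and f["path"].startswith(BEACON_PATH):
            hits[f["src"]].append((f["dst"], f["sport"]))
    return dict(hits)

def triage(flows):
    """Hosts showing both behaviours from the notes: 445 sweep and search request."""
    return sorted(smb_scanners(flows) & set(search_beacons(flows)))

if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print("infected candidates:", triage(flows))
    print("beacons:", search_beacons(flows))
```

Requiring both signals keeps a host that only opens one file share, or only browses on port 80, out of the result.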