On XP:

Isomorphic behaviors:

At 04:15, a new DLL was pushed to /windows/system32 on the system, without any approval from me or any OS notification; detected as the C or D variant.

No trace in the registry. Seems to be used by the active infection in memory.

Always the same site connections for the moment, but four Google searches appeared after this DLL.

On WIN2003:

1. Infection time: 23:55, with a copy of the sample on the WIN2003 system

2. Injection of the sample named gvlwnwlj.yb on the system

3. Infection started

4. Isomorphic behaviors:

- Goes to Google on port 80

- Network scanning on port 445 of 192.168.1.0/24

After 15 minutes:

Communications with .cn, .info, etc. sites, applying a search with the following request: /search ?q=0. But I can note that these sites are completely different from those of the XP computer.

An answer over HTTP on port 445 gets a radmin connection.

Another site sends an flr_agent and a magiccontrol.

Communications seem to always go from local port 4903 to port 80 of these sites.

No OS scheduled tasks were modified or created
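A small detection pass over host connection records for the three network behaviors noted above (a /24 sweep on TCP 445, HTTP requests for the empty search query, and outbound HTTP that keeps reusing one local source port). This is an added example, not code or data from the original post: the netstat-style log format, the sample lines, the destination addresses and the thresholds are all constructed assumptions.

```python
"""Detection logic for the observed behaviors: a TCP 445 sweep of the local
/24, HTTP requests for /search?q=0, and outbound port-80 connections pinned
to one local source port. Added example; log format and sample lines below
are constructed, not real captures."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    path: Optional[str]  # HTTP request path if a sensor saw one, else None


# Constructed sample log (assumed format: "HH:MM:SS src:port -> dst:port [path]").
# Ten neighbours on 445 from one host, then three HTTP beacons that reuse
# local port 4903, plus two ordinary connections as negatives.
SWEEP_LINES = "\n".join(
    f"23:58:{i:02d} 192.168.1.20:{1040 + i} -> 192.168.1.{i}:445" for i in range(1, 11)
)
SAMPLE_LOG = SWEEP_LINES + """
23:55:10 192.168.1.20:1038 -> 203.0.113.7:80 /
00:12:03 192.168.1.20:4903 -> 203.0.113.7:80 /search?q=0
00:12:09 192.168.1.20:4903 -> 198.51.100.21:80 /search?q=0
00:12:15 192.168.1.20:4903 -> 203.0.113.44:80 /search?q=0
00:13:00 192.168.1.31:1102 -> 203.0.113.7:80 /index.html
"""


def parse_log(text: str) -> List[Conn]:
    """Parse the assumed log format into Conn records; blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts, src, _, dst = parts[:4]
        path = parts[4] if len(parts) > 4 else None
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        conns.append(Conn(ts, sip, int(sport), dip, int(dport), path))
    return conns


def same_subnet(a: str, b: str) -> bool:
    """True if b lies in a's /24 (the sweep range seen in the notes)."""
    return ip_address(b) in ip_network(f"{a}/24", strict=False)


def detect_smb_sweep(conns: List[Conn], threshold: int = 8) -> Dict[str, int]:
    """Map src -> count of distinct /24 neighbours it touched on TCP 445,
    keeping only sources at or above the (assumed) threshold."""
    targets = defaultdict(set)
    for c in conns:
        if c.dport == 445 and same_subnet(c.src, c.dst):
            targets[c.src].add(c.dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


def detect_fixed_source_port(
    conns: List[Conn], min_dests: int = 3
) -> Dict[Tuple[str, int], List[str]]:
    """Outbound port-80 connections that reuse one local source port toward
    several distinct servers. A normal stack hands out a fresh ephemeral
    port per connection, so a pinned port is a useful pivot for hunting."""
    dests = defaultdict(set)
    for c in conns:
        if c.dport == 80 and not same_subnet(c.src, c.dst):
            dests[(c.src, c.sport)].add(c.dst)
    return {k: sorted(v) for k, v in dests.items() if len(v) >= min_dests}


def detect_search_probe(conns: List[Conn], marker: str = "/search?q=0") -> List[Conn]:
    """HTTP requests whose path is exactly the empty-query search probe."""
    return [c for c in conns if c.path == marker]


def run_all(text: str) -> dict:
    """Run every detector over a log and return the findings together."""
    conns = parse_log(text)
    return {
        "smb_sweep": detect_smb_sweep(conns),
        "pinned_source_port": detect_fixed_source_port(conns),
        "search_probe": [(c.ts, c.dst) for c in detect_search_probe(conns)],
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Run as-is to see the three findings on the constructed log; point parse_log at a real netstat or proxy export once the line format is adapted. The 445 sweep threshold and the minimum number of distinct port-80 destinations are assumed starting values, not figures from the notes.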