NAME
====
Zotob.H
  + WORM_ZOTOB.Z (TrendMicro)
  + W32.Zotob.H (Symantec)

EXPERIMENTAL TYPE
=================
Retrieval Behavior
  - includes retrieval packets only.

EXPERIMENTAL ENVIRONMENT
========================

 131.113.1.1                  131.113.1.2
+-----------+                +-----+-----+
| Infected  |                | Targeted  |
|    PC     |                |    PC     |
| (*1)(*2)  |                |           |
+-----+-----+                +-----+-----+
      |                            |
------+----------------------------+------
              131.113.1.0/31

(*1) Windows XP on VMware
(*2) Default Route = 131.113.1.2

PCAP SUMMARY
============
Total: 50893
START: 1 0.000000
-----------------
445/TCP;: 24860
1 0.000000 131.113.1.1 131.113.0.33 TCP 1039 > 445 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
-----------------
6667/TCP;: 1
66 1.575812 131.113.1.1 24.128.76.161 TCP 1104 > 6667 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460