Here's an extreme example of an IRC bot infection I call Ole McDonald Bot: here a bot, there a bot, bot bot bot.
TCP table: [snip]

PID   Local address     Remote address          State        Image
1712  68.3.x.xxx:1034   209.126.191.4:6667      ESTABLISHED  C:\WINDOWS\System32\IOAHLWI.EXE
1608  68.3.x.xxx:1036   203.239.110.5:6667      ESTABLISHED  C:\WINDOWS\taskmon32.com
1540  68.3.x.xxx:3002   217.148.161.114:6667    ESTABLISHED  C:\WINDOWS\System32\SVCHOST32.EXE
7196  68.3.x.xxx:3936   216.155.193.171:5050    ESTABLISHED  C:\Program Files\Yahoo!\Messenger\YPager.exe
0     68.3.x.xxx:4059   68.2.16.25:53           TIME_WAIT
9552  68.3.x.xxx:4098   216.154.203.172:80      ESTABLISHED  C:\Program Files\Internet Explorer\iexplore.exe
9552  68.3.x.xxx:4107   24.98.247.253:80        ESTABLISHED  C:\Program Files\Internet Explorer\iexplore.exe
9552  68.3.x.xxx:4109   193.108.95.39:80        ESTABLISHED  C:\Program Files\Internet Explorer\iexplore.exe
1588  68.3.x.xxx:4113   212.83.64.237:6666      SYN_SENT     C:\WINDOWS\System32\KANKER.EXE
1652  68.3.x.xxx:4114   217.235.94.52:6667      SYN_SENT     C:\WINDOWS\System32\service32.exe
1684  68.3.x.xxx:4116   65.92.127.118:6667      SYN_SENT     C:\WINDOWS\System32\WININI32.EXE
Note the attempt by the bot distributor to hide it by naming the files *similar* to common Windows executable names (taskmon32.com, service32.exe, winini32.exe), or with random characters (IOAHLWI.EXE). Six separate processes are connected, or trying to connect, to IRC servers on ports 6666/6667.
PID   Local address   State      Image
1660  0.0.0.0:1080    LISTENING  C:\WINDOWS\winsock.exe
This looks like a SOCKS proxy (port 1080 is the standard SOCKS port), NOT the normal Windows Sockets subsystem, which is a system DLL and not an executable sitting in C:\WINDOWS.
Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

'Microsoft Windows Media Playr' = 'KANKER.EXE'
'taskmon32' = 'C:\WINDOWS\taskmon32.com'
'RegServices' = 'service32.exe'
'WinOpt' = 'c:\windows\system32\winopt32.exe'
'Windows Socks' = 'C:\WINDOWS\winsock.exe'
'Winsock4 driver' = 'MEDIT32.EXE'
'Wupdate driver' = 'WUPDATE.EXE'
'Windows Configuration' = 'WININI32.EXE'
'Winsock2 driver' = 'IOAHLWI.EXE'
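As an added example (not the poster's own tooling), here is a Python triage script that parses rows in the format of the TCP table above and the Run entries, and flags the three indicators the post points out: processes talking to IRC ports, a listener on the SOCKS port, and image names that imitate real Windows binaries (plus Run values given as bare filenames with no directory). The sample rows are taken from this post; the port sets, the two-edit distance threshold and the SYSTEM_BINARIES list are assumptions chosen for illustration.

```python
"""Triage of the two artefacts in the post: the per-process TCP table and the
HKLM\\...\\Run autostart entries. Sample rows are copied from the post; the
rules, thresholds and the SYSTEM_BINARIES list are illustrative assumptions."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

IRC_PORTS = {6666, 6667, 6668, 6669, 7000}      # ports IRC-controlled bots commonly dial
PROXY_PORTS = {1080, 3128, 8080}                # SOCKS (1080) and HTTP proxy ports
# Genuine Windows (and Internet Explorer) binary names that droppers imitate;
# an assumed, deliberately short list.
SYSTEM_BINARIES = {"taskmgr", "services", "svchost", "wininit", "winlogon",
                   "csrss", "lsass", "explorer", "iexplore", "spoolsv", "smss"}

# One row of the table: "PID <pid> <local> [<remote>] <STATE> [<image path>]"
ROW_RE = re.compile(
    r"^PID\s+(?P<pid>\d+)\s+(?P<local>\S+:\d+)"
    r"(?:\s+(?P<remote>\S+:\d+))?\s+(?P<state>[A-Z_]+)(?:\s+(?P<image>.+))?$")


@dataclass
class Finding:
    subject: str
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot names one or two characters off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(image: str) -> Optional[str]:
    """Return the system binary a filename imitates (e.g. 'svchost' for
    SVCHOST32.EXE), or None when the name is genuine or unrelated."""
    if not image:
        return None
    name = PureWindowsPath(image).name.lower()
    stem = name.rsplit(".", 1)[0]
    if stem in SYSTEM_BINARIES and name.endswith(".exe"):
        return None                              # the real name, not an imitation
    core = re.sub(r"\d+$", "", stem)             # taskmon32 -> taskmon
    best = min(SYSTEM_BINARIES, key=lambda s: levenshtein(core, s))
    return best if levenshtein(core, best) <= 2 else None


def triage_tcp_table(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        image = m["image"] or ""
        reasons = []
        if m["remote"]:
            rport = int(m["remote"].rsplit(":", 1)[1])
            if rport in IRC_PORTS and m["state"] in {"ESTABLISHED", "SYN_SENT"}:
                reasons.append(f"talks to IRC port {rport}")
        lport = int(m["local"].rsplit(":", 1)[1])
        if m["state"] == "LISTENING" and lport in PROXY_PORTS:
            reasons.append(f"listens on proxy port {lport}")
        target = lookalike(image)
        if target:
            reasons.append(f"name imitates {target}.exe")
        if reasons:
            findings.append(Finding(f"PID {m['pid']} {image or '(no image)'}", reasons))
    return findings


def triage_run_entries(entries: Dict[str, str]) -> List[Finding]:
    findings = []
    for name, value in entries.items():
        reasons = []
        if PureWindowsPath(value).parent == PureWindowsPath("."):
            reasons.append("bare filename, resolved through the search path")
        target = lookalike(value)
        if target:
            reasons.append(f"name imitates {target}.exe")
        if reasons:
            findings.append(Finding(f"{name!r} = {value!r}", reasons))
    return findings


# Rows from the post (duplicate iexplore rows dropped); local address redacted as in the post.
TCP_TABLE = r"""
PID 1712 68.3.x.xxx:1034 209.126.191.4:6667 ESTABLISHED C:\WINDOWS\System32\IOAHLWI.EXE
PID 1608 68.3.x.xxx:1036 203.239.110.5:6667 ESTABLISHED C:\WINDOWS\taskmon32.com
PID 1540 68.3.x.xxx:3002 217.148.161.114:6667 ESTABLISHED C:\WINDOWS\System32\SVCHOST32.EXE
PID 7196 68.3.x.xxx:3936 216.155.193.171:5050 ESTABLISHED C:\Program Files\Yahoo!\Messenger\YPager.exe
PID 0 68.3.x.xxx:4059 68.2.16.25:53 TIME_WAIT
PID 9552 68.3.x.xxx:4098 216.154.203.172:80 ESTABLISHED C:\Program Files\Internet Explorer\iexplore.exe
PID 1588 68.3.x.xxx:4113 212.83.64.237:6666 SYN_SENT C:\WINDOWS\System32\KANKER.EXE
PID 1652 68.3.x.xxx:4114 217.235.94.52:6667 SYN_SENT C:\WINDOWS\System32\service32.exe
PID 1684 68.3.x.xxx:4116 65.92.127.118:6667 SYN_SENT C:\WINDOWS\System32\WININI32.EXE
PID 1660 0.0.0.0:1080 LISTENING C:\WINDOWS\winsock.exe
"""
RUN_ENTRIES = {
    "Microsoft Windows Media Playr": "KANKER.EXE",
    "taskmon32": r"C:\WINDOWS\taskmon32.com",
    "RegServices": "service32.exe",
    "WinOpt": r"c:\windows\system32\winopt32.exe",
    "Windows Socks": r"C:\WINDOWS\winsock.exe",
    "Winsock4 driver": "MEDIT32.EXE",
    "Wupdate driver": "WUPDATE.EXE",
    "Windows Configuration": "WININI32.EXE",
    "Winsock2 driver": "IOAHLWI.EXE",
}

if __name__ == "__main__":
    for f in triage_tcp_table(TCP_TABLE) + triage_run_entries(RUN_ENTRIES):
        print(f.subject, "->", "; ".join(f.reasons))
```

On the post's data this flags seven of the ten TCP rows (everything on 6666/6667 plus the port 1080 listener; Yahoo Messenger, the DNS TIME_WAIT and iexplore.exe pass) and seven of the nine Run entries. The two it does not flag, winopt32.exe and C:\WINDOWS\winsock.exe, show the limit of a name heuristic: winsock.exe is only identified because the TCP side sees it listening on 1080. On a live system the next step is to verify each flagged image against its publisher signature or a known-good hash rather than its name alone.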