Submission Summary:

• Submission details:
• Submission received: 27 May 2009, 13:14:53
• Processing time: 5 min 42 sec
• Submitted sample:
• File MD5: 0x07E1EC9001D932721294DAF6F0EE4F6D
• File SHA-1: 0x467166EAFEAB260D585A1BB95F611E7E1A3EC41A
• Filesize: 13,824 bytes
• Alias:
• Worm.Hamweg.Gen [PCTools]
• W32.Ircbrute [Symantec]
• IRC-Worm.Win32.Small.am [Kaspersky Lab]
• WORM_AUTORUN.RYU [Trend Micro]
• W32/Autoham-Fam [Sophos]
• Worm:Win32/Hamweq.A [Microsoft]
• Worm.Win32.Hamweq [Ikarus]
• Win-Trojan/Agent.13824.FE [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Creates desktop.ini system file in the fake Recycle Bin folder in order to register it in Windows as a valid Recycle Bin.
Creates an executable file in the fake Recycle Bin folder with the purpose of concealing its presence in the system.
Creates fake Recycle Bin folder.
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Worm.Autorun.DHA	Worm.AutoRun.DHA is a network-aware worm that attempts to replicate across the existing network(s).

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini	62 bytes	MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514	(not available)
2	c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iqe32.exe [file and pathname of the sample #1]	13,824 bytes	MD5: 0x07E1EC9001D932721294DAF6F0EE4F6D SHA-1: 0x467166EAFEAB260D585A1BB95F611E7E1A3EC41A	Worm.Hamweg.Gen [PCTools] W32.Ircbrute [Symantec] IRC-Worm.Win32.Small.am [Kaspersky Lab] WORM_AUTORUN.RYU [Trend Micro] W32/Autoham-Fam [Sophos] Worm:Win32/Hamweq.A [Microsoft] Worm.Win32.Hamweq [Ikarus] Win-Trojan/Agent.13824.FE [AhnLab]

• The following directory was created:
• c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
• StubPath = "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iqe32.exe"

so that iqe32.exe runs every time Windows starts

Other details

• The following Host Name was requested from a host database:
• usb.ma7d.com

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below: