Submission Summary:

• Submission details:
• Submission received: 11 March 2009, 23:33:37
• Processing time: 7 min 17 sec
• Submitted sample:
• File MD5: 0x8CC9E5D4C392C48A6127F15BEEE276C5
• File SHA-1: 0xC5E644C35EA90D187D5AAA206AF1D277F27A16E0
• Filesize: 118,784 bytes
• Alias:
• W32.Spybot.Worm [Symantec]
• Backdoor.Win32.Rbot.wfr [Kaspersky Lab]
• W32/Sdbot.worm [McAfee]
• Mal/Generic-A [Sophos]
• Virus.Win32.IRCBot [Ikarus]
• Win32/IRCBot.worm.variant [AhnLab]

• Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Capability to perform DoS attacks against other computers.
Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\lcaqmsp.exe [file and pathname of the sample #1] %System%\sboenta.exe	118,784 bytes	MD5: 0x8CC9E5D4C392C48A6127F15BEEE276C5 SHA-1: 0xC5E644C35EA90D187D5AAA206AF1D277F27A16E0	W32.Spybot.Worm [Symantec] Backdoor.Win32.Rbot.wfr [Kaspersky Lab] W32/Sdbot.worm [McAfee] Mal/Generic-A [Sophos] Virus.Win32.IRCBot [Ikarus] Win32/IRCBot.worm.variant [AhnLab]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
sboenta.exe	%System%\sboenta.exe	1,139,873 bytes
lcaqmsp.exe	%System%\lcaqmsp.exe	1,139,873 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,139,873 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Windows Service Agent = "lcaqmsp.exe"

so that lcaqmsp.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• Windows Service Agent = "lcaqmsp.exe"

so that lcaqmsp.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Windows Service Agent = "lcaqmsp.exe"

so that lcaqmsp.exe runs every time Windows starts

Other details

• To mark the presence in the system, the following Mutex object was created:
• 400331

• The following port was open in the system:

• The following Host Name was requested from a host database:
• x.w4shere.info

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

Heuristics Analysis

• Heuristically identified capability of spreading across the following weakly restricted network shares:

• The network replication uses a dictionary attack by probing credentials from the following list: