Remote Host Port Number
190.3.183.13 43000
208.78.70.70 80
72.233.89.197 80
NICK {00-USA-XP-COMP-7111}
NICK {iNF-00-USA-XP-COMP-9111}
USER Wendy * 0 :COMP
JOIN #SVR# ERROR
PASS scary
* The following ports were open in the system:
Port Protocol Process
1052 TCP lcacc.exe (%System%lcacc.exe)
1053 TCP lcacc.exe (%System%lcacc.exe)
1054 TCP lcacc.exe (%System%lcacc.exe)
26717 TCP lcacc.exe (%System%lcacc.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows System Info Serivce = “lcacc.exe”
so that lcacc.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
lcacc.exe %System%lcacc.exe 376 832 bytes
* The following system service was modified:
Service Name Display Name New Status Service Filename
wscsvc Security Center “Stopped” %System%svchost.exe -k netsvcs
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %System%lcacc.exe
[file and pathname of the sample #1] 74 240 bytes MD5: 0x4CE8C69E511C3920EB01D9FD0982297B
SHA-1: 0x1C8E8EC965BC598DD03EA3AE40FFEA7EE1387A4A Net-Worm.Spybot [PCTools]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
W32/Sdbot.worm.gen.g [McAfee]
Mal/SillyFDC-A, Mal/IRCBot-B [Sophos]
Backdoor:Win32/IRCbot.gen!K [Microsoft]
Win32/IRCBot.worm.Gen [AhnLab]
2 %System%nigzss.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)