Virus:TR/IRC.Ryknos.A
Date discovered:10/11/2005
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:10.240 Bytes
MD5 checksum:ebe94809b68675feddfe2a2fa889f243
VDF version:6.32.00.168

General
Method of propagation:
   • No own spreading routine

Aliases:
   • McAfee: W32/Brepibot
   • Kaspersky: Backdoor.Win32.Breplibot.b
   • Sophos: Troj/Stinx-E


Platforms / OS:
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\$sys$drv.exe



It deletes the initially executed copy of itself.

Registry
The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "$sys$drv"="$sys$drv.exe"

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: 24.**********.45
Port: 8080
Channel: #sony
Nickname: [%several random digits%-%operating system%]%random character string%

Server: 35.**********.93
Port: 8080
Channel: #sony
Nickname: [%several random digits%-%operating system%]%random character string%

Server: 67.**********.190
Port: 8080
Channel: #sony
Nickname: [%several random digits%-%operating system%]%random character string%

Server: 68.**********.76
Port: 8080
Channel: #sony
Nickname: [%several random digits%-%operating system%]%random character string%

Server: 152.**********.186
Port: 8080
Channel: #sony
Nickname: [%several random digits%-%operating system%]%random character string%


– Furthermore, it has the ability to perform the following action:
    • Download file

Miscellaneous
Mutex:
It creates the following mutex:
   • $sys$drv.exe

Rootkit Technology
The malware hides its presence from system utilities, security applications and, ultimately, from the user.


Hides the following:
– Its own file


Method used:
    • Uses the rootkit that gets activated when the software shipped on Sony audio CDs is installed

File details
Runtime packer:
In order to hinder detection and reduce the file size, it is packed with a runtime packer.
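The host and network indicators listed above (the $sys$-prefixed dropped file that the rootkit hides from directory listings, the Run-key value, and the IRC beacon on port 8080 to #sony with the bracketed nickname) can be checked mechanically. The following Python script is an added example, not Avira's or the malware's code; the log line format, the sample directory listings, the registry dump and the client addresses are constructed for illustration.

```python
import re

# Indicators listed in the description above (added example, not Avira's code)
HIDDEN_PREFIX = "$sys$"        # prefix the Sony-CD rootkit hides from directory listings
RUN_VALUE = ("$sys$drv", "$sys$drv.exe")
IRC_PORT = 8080
IRC_CHANNEL = "#sony"
# nickname shape from the description: [<random digits>-<operating system>]<random characters>
NICK_RE = re.compile(r"^\[\d+-[^\]\s]+\]\w+$")


def hidden_sys_files(api_listing, raw_listing):
    """$sys$-prefixed names present in a raw (offline) listing of %SYSDIR% but
    missing from the listing the Win32 API returned on the live host. That gap is
    the rootkit's file hiding, so the raw listing must really come from offline."""
    api = {n.lower() for n in api_listing}
    return sorted(n for n in raw_listing
                  if n.lower().startswith(HIDDEN_PREFIX) and n.lower() not in api)


def run_key_hit(run_values):
    """True if the HKCU\\...\\CurrentVersion\\Run dump carries the autostart value."""
    name, data = RUN_VALUE
    return run_values.get(name, "").strip('"').lower().endswith(data)


def suspicious_irc_joins(log_lines):
    """Constructed log format: '<client> -> <server>:<port> JOIN <chan> nick=<nick>'.
    Returns (client, server, nick) for joins matching port, channel and nick pattern."""
    hits = []
    for line in log_lines:
        m = re.match(r"(\S+) -> (\S+):(\d+) JOIN (\S+) nick=(\S+)$", line)
        if not m:
            continue
        client, server, port, chan, nick = m.groups()
        if int(port) == IRC_PORT and chan.lower() == IRC_CHANNEL and NICK_RE.match(nick):
            hits.append((client, server, nick))
    return hits


# Constructed sample data, not taken from a real host
API_LISTING = ["kernel32.dll", "user32.dll"]
RAW_LISTING = ["kernel32.dll", "user32.dll", "$sys$drv.exe", "$sys$demo.dat"]
RUN_VALUES = {"$sys$drv": "$sys$drv.exe", "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"}
LOG = [
    "10.0.0.5 -> 24.**********.45:8080 JOIN #sony nick=[4821-XP]qzjmx",
    "10.0.0.7 -> irc.example.net:6667 JOIN #linux nick=alice",
    "10.0.0.9 -> 67.**********.190:8080 JOIN #sony nick=bob",
]
```

On a live host with the rootkit active, listing %SYSDIR% through the normal API will not show the $sys$ file at all, which is why the comparison takes a second listing read from the volume offline.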

Description inserted by Andrei Ivanes on Thursday, November 10, 2005
Description updated by Andrei Ivanes on Monday, November 14, 2005