Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/IrcBot.39424.10
Date discovered:16/08/2007
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:50.937 Bytes
MD5 checksum:2863ba796aae0F51f400cbcba8d1cd4b
VDF version:6.39.01.10 - Thursday, August 16, 2007
IVDF version:6.39.01.10 - Thursday, August 16, 2007

 General Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.IRCBot.acp
   •  Sophos: W32/IRCBot-XK
   •  Bitdefender: Backdoor.Rbot.XBN


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\NSecurity.exe

 Registry The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Network Security"="%SYSDIR%\NSecurity.exe"



The following registry keys are changed:

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   New value:
   • "restrictanonymous"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

 Network Infection Exploit:
It makes use of the following Exploit:
 MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********.bihsecurity.com
Port: 2345
Server password: lamshajze123
Channel: #!lam!
Nickname: NT51|%eight-digit random character string%
Password: lamfuck



 This malware has the ability to collect and send information such as:
    • Malware uptime
    • Information about running processes


 Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
     Start spreading routine

 Miscellaneous Mutex:
It creates the following Mutex:
   • rxDecCode.Rizzo_1

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Ernest Szocs on Thursday, November 8, 2007
Description updated by Ernest Szocs on Thursday, November 8, 2007

Back . . . .