Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:05/05/2008
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:19.968 Bytes
MD5 checksum:175528310Da902dbbe27f005815a2b79
VDF version:
IVDF version:

 General Method of propagation:
   • Messenger

   •  Mcafee: W32/IRCbot.gen.a
   •  Kaspersky: Backdoor.Win32.IRCBot.cud
   •  F-Secure: Backdoor.Win32.IRCBot.cud
   •  Grisoft: BackDoor.Ircbot.EDV
   •  Eset: Win32/IRCBot
   •  Bitdefender: Backdoor.IRCBot.ABYQ

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\initserv.exe

It deletes the initially executed copy of itself.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • Microsoft Initialization Services="initserv.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Live Messenger

All entries in the contact list.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: nagasaki.japancorporation.**********
Port: 9103
Server password: su1c1d3
Channel: #net
Nickname: \00\USA\%10 digit random character string%
Password: n3t!

– This malware has the ability to collect and send information such as:
    • Platform ID
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Download file
    • Edit registry
    • Execute file
    • Leave IRC channel
    • Start spreading routine
    • Visit a website

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:

The modified host file will look like this:

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own process

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Thursday, August 7, 2008
Description updated by Andrei Gherman on Wednesday, August 20, 2008

Back . . . .