Virus:Worm/IrcBot.19968.20
Date discovered:05/05/2008
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:19.968 Bytes
MD5 checksum:175528310Da902dbbe27f005815a2b79
VDF version:7.0.04.015
IVDF version:7.0.04.016

 General Method of propagation:
   • Messenger


Aliases:
   •  Mcafee: W32/IRCbot.gen.a
   •  Kaspersky: Backdoor.Win32.IRCBot.cud
   •  F-Secure: Backdoor.Win32.IRCBot.cud
   •  Grisoft: BackDoor.Ircbot.EDV
   •  Eset: Win32/IRCBot
   •  Bitdefender: Backdoor.IRCBot.ABYQ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\initserv.exe



It deletes the initially executed copy of itself.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • Microsoft Initialization Services="initserv.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Live Messenger


To:
All entries in the contact list.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: nagasaki.japancorporation.**********
Port: 9103
Server password: su1c1d3
Channel: #net
Nickname: \00\USA\%10 digit random character string%
Password: n3t!



– This malware has the ability to collect and send information such as:
    • Platform ID
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Download file
    • Edit registry
    • Execute file
    • Leave IRC channel
    • Start spreading routine
    • Visit a website

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • jayloden.com; www.jayloden.com; www.spywareinfo.com; spywareinfo.com;
      www.spybot.info; spybot.info; kaspersky.com; kaspersky-labs.com;
      www.kaspersky.com; www.majorgeeks.com; majorgeeks.com;
      securityresponse.symantec.com; symantec.com; www.symantec.com;
      updates.symantec.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
      www.sophos.com; sophos.com; www.virustotal.com; virustotal.com;
      www.mcafee.com; mcafee.com; rads.mcafee.com; mast.mcafee.com;
      download.mcafee.com; dispatch.mcafee.com; us.mcafee.com;
      www.trendsecure.com; trendsecure.com; www.viruslist.com;
      viruslist.com; www.hijackthis.de; hijackthis.de; f-secure.com;
      www.f-secure.com; Merijn.org; www.Merijn.org; www.avp.com; avp.com;
      analysis.seclab.tuwien.ac.at; www.bleepingcomputer.com;
      bleepingcomputer.com; trendmicro.com; www.trendmicro.com;
      www.safer-networking.org; safer-networking.org; grisoft.com;
      www.grisoft.com




The modified host file will look like this:


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own process

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Thursday, August 7, 2008
Description updated by Andrei Gherman on Wednesday, August 20, 2008

Back . . . .