Virus: Worm/IRCBo.147456.3
Date discovered: 14/04/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 147,456 Bytes
MD5 checksum: 125d08036cac94a0965dadb1bd24a19d
IVDF version: 7.01.03.50 - Tuesday, April 14, 2009

General Method of propagation:
   • Local network


Aliases:
   • McAfee: W32/IRCbot.gen.a
   • Sophos: Troj/VBInj-Gen
   • Panda: Bck/Poison.F
   • Eset: Win32/IRCBot.AGP
   • Bitdefender: Trojan.Inject.VB.M


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files:
It copies itself to the following location:
   • %WINDIR%\fxstaller.exe



It deletes the initially executed copy of itself.

Registry:
The following value is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows UDP Control Center"="fxstaller.exe"
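The two artifacts above (the dropped copy in %WINDIR% and the Run value) are what survives on an infected host once the worm has deleted its original copy. The following is an added host-triage example, not code from this description: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` prints, flags entries matching this worm's persistence value, and compares a file's MD5 against the checksum given above. The `reg query` sample is constructed for illustration, and the helper names (`parse_reg_query`, `find_indicators`, `matches_known_sample`, `expected_drop_path`) are this example's own.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Indicators taken from this description.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows UDP Control Center"
DROPPED_FILE = "fxstaller.exe"
KNOWN_MD5 = "125d08036cac94a0965dadb1bd24a19d"

# Constructed sample of `reg query` output for the Run key (not a real capture).
# The benign entries are invented; only the middle line reflects this worm.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Windows UDP Control Center    REG_SZ    fxstaller.exe
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
"""


@dataclass(frozen=True)
class RunEntry:
    name: str
    kind: str
    data: str


# `reg query` prints value lines as: <indent> name <gap> REG_TYPE <gap> data,
# with at least two spaces in each gap, so names containing single spaces are safe.
_VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<kind>REG_[A-Z_]+)\s{2,}(?P<data>.*)$"
)


def parse_reg_query(text):
    """Parse the value lines of `reg query` output into RunEntry objects."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            entries.append(RunEntry(m["name"], m["kind"], m["data"].strip()))
    return entries


def find_indicators(entries):
    """Return (reason, entry) pairs for Run values that match this worm's persistence.

    A bare file name in the data is normal for Run values (Windows resolves it
    through its executable search path, which includes %WINDIR%), so the match
    is on the specific value name and file name, not on the bare form itself.
    """
    hits = []
    for e in entries:
        if e.name.lower() == RUN_VALUE_NAME.lower():
            hits.append(("value name matches", e))
        elif DROPPED_FILE.lower() in e.data.lower():
            hits.append(("data references dropped file", e))
    return hits


def expected_drop_path():
    """Where the dropped copy would sit on this host (%WINDIR%\\fxstaller.exe)."""
    return os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), DROPPED_FILE)


def matches_known_sample(data):
    """True when the bytes hash to the MD5 listed in this description."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    for reason, entry in find_indicators(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{reason}: {entry.name!r} = {entry.data!r}")
    path = expected_drop_path()
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            print(path, "known sample:", matches_known_sample(fh.read()))
    else:
        print(path, "not present")
```

On a live host, pipe the real `reg query` output into `parse_reg_query` and hash the file at `expected_drop_path()`; a hash mismatch on a present `fxstaller.exe` does not clear the file, since the packed sample described here is only one build, and the Run value name is still the stronger indicator.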

Messenger:
It spreads via the following instant messaging clients:

– AIM Messenger
– MSN Messenger

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: wear.th3**********.net
Port: 4244
Server password: letmein
Channel: #!tt!#
Nickname: [00|USA|%number%]
Password: mama



– This malware has the ability to collect and send information such as:
    • Malware uptime
    • Users' local activity


– Furthermore, it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Update itself
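The IRC handshake above is the network-side indicator for this worm: a fixed server password, a nick built as [00|USA|%number%], and a join to #!tt!#. The following is an added detection example, not code from this description, that parses client-to-server IRC lines from one TCP session and counts how many of those indicators match. It assumes the "Password: mama" line is the channel key sent with JOIN (the description does not say so explicitly), and it does not match on the server name, which is redacted above. The session lines are constructed, and the function names are this example's own.

```python
import re

# Indicators from this description. The server host is redacted on the page,
# so detection keys on the handshake contents and the port, not the host name.
C2_PORT = 4244
SERVER_PASSWORD = "letmein"
CHANNEL = "#!tt!#"
CHANNEL_KEY = "mama"   # assumption: the description's "Password: mama" is the JOIN key
NICK_PATTERN = re.compile(r"^\[00\|USA\|\d+\]$")   # [00|USA|%number%]

# Constructed client->server lines for a hypothetical infected host (not a real capture).
SAMPLE_SESSION = [
    "PASS letmein",
    "NICK [00|USA|48213]",
    "USER jqxw 0 * :jqxw",
    "JOIN #!tt!# mama",
]

# Constructed ordinary IRC login, used to check the detector stays quiet.
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
]


def parse_irc_line(line):
    """Split a client IRC line into (COMMAND, params).

    The trailing parameter introduced by ' :' may contain spaces and is kept
    whole. Client lines carry no ':prefix', so none is handled here.
    """
    line = line.rstrip("\r\n")
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if not parts:
        return "", []
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return parts[0].upper(), params


def score_session(lines, dst_port=None):
    """Return the list of indicators from this description matched by one session."""
    matched = []
    if dst_port == C2_PORT:
        matched.append("destination port 4244")
    for line in lines:
        cmd, params = parse_irc_line(line)
        if cmd == "PASS" and params and params[0] == SERVER_PASSWORD:
            matched.append("server password 'letmein'")
        elif cmd == "NICK" and params and NICK_PATTERN.match(params[0]):
            matched.append("bot nick pattern [00|USA|<number>]")
        elif cmd == "JOIN" and params and params[0] == CHANNEL:
            key = params[1] if len(params) > 1 else None
            suffix = " with key 'mama'" if key == CHANNEL_KEY else ""
            matched.append("channel #!tt!#" + suffix)
    return matched


def is_ircbot_session(lines, dst_port=None, threshold=2):
    """Flag the session once at least `threshold` independent indicators match.

    A port alone is weak evidence (4244 is not reserved for this worm), so a
    single hit is never enough; two or more of password, nick, channel and port
    are required.
    """
    return len(score_session(lines, dst_port)) >= threshold


if __name__ == "__main__":
    for name, session, port in (("sample", SAMPLE_SESSION, 4244),
                                ("benign", BENIGN_SESSION, 6667)):
        hits = score_session(session, dst_port=port)
        print(f"{name}: {'INFECTED' if is_ircbot_session(session, port) else 'ok'} {hits}")
```

Feed it the client side of each IRC-looking TCP stream (for example, from a packet capture reassembled by stream); because the worm's nick and channel are fixed strings, the same logic translates directly into an IDS content rule on the NICK and JOIN lines.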

File details:
Runtime packer: in order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, November 25, 2009
Description updated by Petre Galan on Wednesday, November 25, 2009
