Virus: Worm/Spybot.147456.1
Date discovered: 27/06/2007
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 147.456 Bytes
MD5 checksum: 21bea12aef362da05a4dff4808490b63
IVDF version: 6.39.00.67 - Wednesday, June 27, 2007

General

Aliases:
   •  McAfee: W32/IRCbot.gen
   •  Panda: W32/IRCBot.CRG.worm
   •  ESET: Win32/AutoRun.IRCBot.DE
   •  Bitdefender: Backdoor.IrcBot.ACVH


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Third party control

Files

It copies itself to the following location:
   • %SYSDIR%\winulty.exe



It deletes the initially executed copy of itself.

Registry

One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Upgrate Utility"="%SYSDIR%\winulty.exe"

IRC

To deliver system information and to provide remote control, it connects to the following IRC server:

Server: srv1.me**********.ru
Port: 1863
Channel: #new1#
Nickname: N|USA|0|XP|%number%

Injection

It injects itself as a remote thread into a process.

    Process name:
   • winlogon.exe


File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Petre Galan on Thursday, February 18, 2010
Description updated by Petre Galan on Thursday, February 18, 2010
