Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:11/12/2007
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:26.624 Bytes
MD5 checksum:7abb7d1dea8635207603bac2acc10813
IVDF version:

 General Aliases:
   •  Mcafee: W32/
   •  Sophos: W32/Autorun-AMP
   •  Panda: W32/IRCBot.CKA.worm
   •  Eset: Win32/IRCBot.ALM
   •  Bitdefender: Backdoor.Generic.185525

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\svhost.exe

It deletes the initially executed copy of itself.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\WindowsTelephony]
   • "Description"="Windows Telephony"
   • "DisplayName"="Windows Telephony"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,2E,00,73,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%SYSDIR%\svhost.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
   • "@"="Service"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
   • "@"="Service"

 Network Infection Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Port: 902
Channel: #crk
Nickname: [00-USA-XP-%number%]

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, March 4, 2010
Description updated by Petre Galan on Thursday, March 4, 2010

Back . . . .