Virus: Worm/IrcBot.51200
Date discovered: 05/12/2005 (5 December 2005, matching the IVDF date below)
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 51,200 bytes
MD5 checksum: d3f3dc33be2031c0dcb5d0e5909bb557
IVDF version: 6.32.01.08 - Monday, December 5, 2005

General method of propagation:
   • Autorun feature
   • Messenger


Aliases:
   •  Panda: W32/IRCBot.CLD.worm
   •  Eset: Win32/AutoRun.Agent.LB
   •  Bitdefender: Backdoor.Bot.87376


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following locations:
   • %HOME%\Application Data\ShieldManager.exe
   • %drive%\.Autorun\835694854683549385398626893468946\Autorun.exe



It deletes the initially executed copy of itself.



The following files are created:

   • %drive%\.Autorun\835694854683549385398626893468946\Desktop.ini
   • %drive%\autorun.inf
     This is a plain text file and is not executable on its own; it only becomes harmful through the Windows Autorun feature, which reads it when the drive is mounted and launches whatever it points to. Its content is:
   • %code that runs malware%

Registry:
It creates the following entry in order to bypass the Windows XP firewall: the value registers the worm in the firewall's list of authorized applications, so inbound connections to it are no longer blocked.

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%executed file%"="%executed file%:*:Enabled:Microsoft
      Shield Manager"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   New value:
   • "Microsoft Shield Manager"="%HOME%\Application Data\ShieldManager.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   New value:
   • "Microsoft Shield Manager"="%HOME%\Application Data\ShieldManager.exe"
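Sweeping a host for the artifacts listed in the Files and Registry sections above, as an added example that is not Avira's code: it parses a `.reg` export and an `autorun.inf` with the standard library only, so it runs offline. The sample inputs at the bottom are constructed; in particular, the description does not reproduce the real autorun.inf content (it only says "%code that runs malware%"), so `SAMPLE_AUTORUN_INF` is a hypothetical file that merely points at the dropped Autorun.exe path. The MD5 is used purely as an identifier, as the description does.

```python
"""Host-side IOC sweep for Worm/IrcBot.51200 (added example, not Avira's code)."""
import hashlib
import re
from configparser import ConfigParser

# Indicators taken verbatim from the description (lower-cased where used for matching).
KNOWN_MD5 = "d3f3dc33be2031c0dcb5d0e5909bb557"
RUN_VALUE_NAME = "Microsoft Shield Manager"
DROPPED_EXE_SUFFIX = r"\application data\shieldmanager.exe"
AUTORUN_DIR = r".autorun\835694854683549385398626893468946"

_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " (pairs handled left to right)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal .reg parser: {key: {name: value}} for REG_SZ string values only."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line) if current else None
        if m:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_registry_iocs(reg):
    """Report the Run persistence and the firewall AuthorizedApplications exception.
    Both Run keys in the description end in \\CurrentVersion\\Run, so one suffix covers them."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            for name, value in values.items():
                if name == RUN_VALUE_NAME or value.lower().endswith(DROPPED_EXE_SUFFIX):
                    findings.append(f"run-persistence: [{key}] {name!r} = {value}")
        elif k.endswith(r"\authorizedapplications\list"):
            for name, value in values.items():
                # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>.
                # rsplit keeps the drive-letter colon inside the path.
                parts = value.rsplit(":", 3)
                if len(parts) != 4:
                    continue
                path, scope, state, label = parts
                if label == RUN_VALUE_NAME or path.lower().endswith(DROPPED_EXE_SUFFIX):
                    findings.append(f"firewall-exception: {path} ({scope}, {state}, {label!r})")
    return findings


def find_autorun_iocs(inf_text):
    """Flag launch directives in an autorun.inf that point into the worm's .Autorun\\<digits> directory."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(inf_text)
    findings = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for option in ("open", "shellexecute", r"shell\open\command"):
            value = cp.get(section, option, fallback=None)
            if value and AUTORUN_DIR in value.lower():
                findings.append(f"autorun.inf: {option}={value}")
    return findings


def is_known_sample(data):
    """Compare a file's MD5 with the hash published in the description."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


# --- constructed sample inputs (not captured from a real infection) ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Shield Manager"="C:\\Documents and Settings\\user\\Application Data\\ShieldManager.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\ShieldManager.exe"="C:\\Documents and Settings\\user\\Application Data\\ShieldManager.exe:*:Enabled:Microsoft Shield Manager"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

SAMPLE_AUTORUN_INF = r"""[AutoRun]
; hypothetical content: the description only gives "%code that runs malware%"
open=.Autorun\835694854683549385398626893468946\Autorun.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for line in find_registry_iocs(parse_reg_export(SAMPLE_REG)) + find_autorun_iocs(SAMPLE_AUTORUN_INF):
        print(line)
```

On a live system the same functions apply to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the Terminal Server Install copy and the firewall List key) and to the root of every drive letter; the suffix matches are deliberately case-insensitive because the registry and NTFS are.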

Messenger:
It spreads via instant messengers. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger


Message
The sent message looks like one of the following. The lure texts (German, Spanish, English, Portuguese, French, Swedish and Dutch) are listed verbatim, since they serve as detection indicators:

   • meinst du das ernst?
   • ich hoffe es gefällt dir
   • das ist geil
   • bist du das?
   • du bist echt sexy
   • haha das ist sooo lustig
   • kennst du das?
   • estás en serio??? :S:S
   • no sabía que te metias cosas asi :S
   • esto es horrible :S
   • alguien dijo que eras tu
   • eres tu de verdad?
   • tu eres realmente sexi ;)
   • jajaja esto es muy divertido
   • encontré esto... te resulta familiar?
   • check this one
   • hehe!
   • i find this one really funny :)
   • is this really you???
   • did you take this picture?
   • who is this?
   • você é sério??? :S:S
   • eu não soube que você apreciou o material como este:S
   • isto é horrível:S
   • alguém disse que este era você
   • é isto realmente você
   • você é realmente sexy ;)
   • o hahaha isto é tão engraçado
   • eu encontrei que isto olha familiar??
   • t'es serieu la?
   • je savais pas que t'aimait ce genre de truc
   • c'est horrible ahah
   • qqn m'a dit que c'était toi
   • c'est vraiment toi ou!?
   • lol vraiment pas mal
   • hehe detta är roligt
   • kolla det här
   • haha roligt :D
   • hehe gjorde du detta?
   • jag visste inte att du gillade sånt här :S
   • är detta du?
   • bent u ernstig??? :S:S
   • ik wist niet u van materiaal als dit genoot :S
   • dit is afschuwelijk :S
   • iemand zei dit u was
   • dit is werkelijk u?
   • u bent werkelijk sexy ;)
   • hahaha dit is zo grappig
   • ik vond dit het? vertrouwd kijkt?
   • :D
   • ;)
   • :D ACCEPT!
   • ;)(L)
   • :P
   • lol
   • hm?
   • pic?

The message is accompanied by a URL that points to a copy of the described malware. If the recipient downloads and executes that file, the infection process starts over on their machine.

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: irc.yo**********.co.uk
Port: 3328
Channel: #th3msn
Nickname: [USA|00|XP||%number%]
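Network-side detection of the command channel described above, as an added example that is not Avira's code: given the client-to-server IRC lines of a TCP flow, it flags the bot's nickname template `[USA|00|XP||%number%]` and the JOIN to `#th3msn`, and uses the non-standard port 3328 as corroboration. The flows are constructed; the server name is masked in the description and is not used. The assumption that only the shape of the nickname is stable (country code, two digits, OS tag, empty field, number) is mine, not the page's.

```python
"""Flow-level IRC C2 detector for Worm/IrcBot.51200 (added example, not Avira's code)."""
import re
from dataclasses import dataclass, field

C2_PORT = 3328
C2_CHANNEL = "#th3msn"
# Nickname template from the description: [USA|00|XP||%number%]
# Assumption: country code, two digits and OS tag vary per victim; only the shape is matched.
BOT_NICK = re.compile(r"^\[[A-Z]{2,3}\|\d{2}\|[A-Za-z0-9]+\|\|\d+\]$")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_lines: list  # raw IRC lines sent by the client


@dataclass
class Finding:
    flow: Flow
    reasons: list = field(default_factory=list)


def parse_irc_line(raw):
    """Return (COMMAND, params) for one IRC protocol line, ignoring an optional :prefix."""
    line = raw.rstrip("\r\n")
    if line.startswith(":"):
        line = line.split(" ", 1)[1] if " " in line else ""
    cmd, _, params = line.partition(" ")
    return cmd.upper(), params.strip()


def analyze_flow(flow):
    """Score one flow; the Finding's reasons list stays empty for benign IRC traffic."""
    finding = Finding(flow)
    for raw in flow.client_lines:
        cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and BOT_NICK.match(params):
            finding.reasons.append(f"bot-style nickname {params}")
        elif cmd == "JOIN":
            # JOIN may list several channels and optional keys: JOIN #a,#b key
            channels = params.split(" ", 1)[0].lower().split(",")
            if C2_CHANNEL in channels:
                finding.reasons.append(f"joins {C2_CHANNEL}")
    # The port alone is weak evidence, so it only corroborates a content match.
    if finding.reasons and flow.dport == C2_PORT:
        finding.reasons.append(f"IRC on C2 port {C2_PORT}")
    return finding


def scan(flows):
    """Return only the flows that matched at least one indicator."""
    return [f for f in (analyze_flow(fl) for fl in flows) if f.reasons]


# --- constructed sample flows (not a real capture) ---
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 3328, [
        "NICK [USA|00|XP||48213]\r\n",
        "USER a 0 * :a\r\n",
        "JOIN #th3msn\r\n",
    ]),
    Flow("10.0.0.7", "198.51.100.9", 6667, [
        "NICK alice\r\n",
        "USER alice 0 * :Alice\r\n",
        "JOIN #python\r\n",
    ]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dport}: " + "; ".join(f.reasons))
```

The same two content matches translate directly into an IDS signature; for Suricata, for example, `alert tcp $HOME_NET any -> $EXTERNAL_NET 3328 (msg:"Worm/IrcBot.51200 IRC join #th3msn"; flow:established,to_server; content:"JOIN #th3msn"; nocase; sid:1000001; rev:1;)` (an example rule, with a local SID, not one shipped by any vendor).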

Miscellaneous strings:
Furthermore it contains the following format strings, apparently used to report the results of its messenger-spreading routine:
   • %s Sent text to: %d contacts.
   • %s Sent file to %d contacts.
   • %s Sent text to %d contacts.
   • %s Sent file to %d contacts.

File details:
Runtime packer:
To hinder detection and to reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, March 5, 2010
Description updated by Petre Galan on Friday, March 5, 2010
