Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/IrcBot.44544.5
Date discovered:30/05/2008
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:44.544 Bytes
MD5 checksum:98cbfddef43a59d9add79dfc91246b99
IVDF version:7.00.04.116 - Friday, May 30, 2008

 General Method of propagation:
    Autorun feature
   • Local network
    Messenger


Aliases:
   •  Panda: Bck/IRCBot.CUN
   •  Eset: Win32/AutoRun.IRCBot.CX
   •  Bitdefender: Trojan.Generic.3124848


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification
   • Third party control

 Files It copies itself to the following locations:
   • %drive%\RECYCLER\S-51-9-25-3434476501-1644491938-601013333-1214\sysmngr32.exe
   • %WINDIR%\windows7install.exe



It deletes the initially executed copy of itself.



The following files are created:

%WINDIR%\log32.txt
%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%drive%\RECYCLER\S-51-9-25-3434476501-1644491938-601013333-1214\Desktop.ini



It tries to download some files:

The location is the following:
   • http://www.pr0.net/deny2/**********


The location is the following:
   • http://metagen.ath.cx/**********


The locations are the following:
   • http://www.sevy.eu.org/**********
   • http://www.proxysecurity.com/**********
   • http://www.proxy-heaven.com/**********
   • http://www.cooleasy.com/**********
   • http://proxywoorld.ovh.org/**********
   • http://proxyworld.ifrance.com/**********


The location is the following:
   • http://www.belgarion.com/images/**********




It tries to executes the following file:

Filename:
   • "%WINDIR%\windows7install.exe"

 Registry The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run]
   • "Microsoft Driver Setup"="%WINDIR%\windows7install.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Driver Setup"="%WINDIR%\windows7install.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

 MSN Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS04-007 (ASN.1 Vulnerability)
 MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: login.ipwhois.or**********.uk
Port: 47221
Channel: #nbot-poly
Nickname: [00_USA_XP_%number%]

Server: login.ipwhois.**********.uk

Server: login.ins**********.com

Server: myip.wor**********.net

Server: ip.wor**********.com

 Process termination List of processes that are terminated:
   • VIPRE.EXE; ISSDM_EN_32.EXE; P08PROMO.EXE; K7TS_SETUP.EXE;
      AVINSTALL.EXE; WITSETUP.EXE; TrendMicro_TISPro_16.1_1063_x32.EXE;
      VBA32-PERSONAL-LATEST-ENGLISH.EXE; CCSETUP210.EXE; FSMB32.EXE;
      FSGK32.EXE; FSAV95.EXE; FSAV530WTBYB.EXE; FSAV530STBYB.EXE;
      FSAV32.EXE; FSAV.EXE; FSAA.EXE; FPROT.EXE; FP-WIN.EXE; FNRB32.EXE;
      FIH32.EXE; FCH32.EXE; FAST.EXE; FAMEH32.EXE; F-STOPW.EXE;
      F-PROT95.EXE; F-PROT.EXE; AFMAIN.EXE; SPIDERUI.EXE; SPIDERNT.EXE;
      ALERTMAN.EXE; RAVMOND.EXE; MAKEREPORT.EXE; BOXMOD.EXE; 360SAFE.EXE;
      360RPT.EXE; 360HOTFIX.EXE; 360TRAY.EXE; NSVMON.NPC; NSAVSVC.NPC;
      NPCGREENAGENT.NPC; PUSCAN.EXE; AYSERVICENT.AYE; AYAGENT.AYE;
      CMDAGENT.EXE; CPF.EXE; VSMON.EXE; ZLCLIENT.EXE; NSUTILITY.EXE;
      NSPUPDT.EXE; NAVQSCAN.EXE; NSPMAIN.EXE; NSPUPSVC.EXE; NSPSVC.EXE;
      MKSADMINCONSOLE.EXE; MKSUPDATE.EXE; MKSPC.EXE; MKSFWALL.EXE;
      MKSVIRMONSVC.EXE; MKS_SCAN.EXE; MKS_MAIL.EXE; MKSREGMON.EXE;
      KAVPFW.EXE; KASMAIN.EXE; KAV32.EXE; KPFWSVC.EXE; KISSVC.EXE;
      KWATCH.EXE; KPFW32.EXE; KAVSTART.EXE; KVSRVXP.EXE; KVOL.EXE; KVXP.KXP;
      KVMONXP.KXP; CAVASM.EXE; CMAIN.EXE; ARCABIT.CORE.LOGGINGSERVICE.EXE;
      ARCABIT.CORE.CONFIGURATOR2.EXE; TASKSCHEDULER.EXE; UPDATE.EXE;
      NETMONSV.EXE; FILEMONSV.EXE; ABREGMON.EXE.EXE; ARCACHECK.EXE;
      ARCAVIR.EXE; AVMENU.EXE; A2HIJACKFREE.EXE; A2SERVICE.EXE; A2START.EXE;
      A2SCAN.EXE; A2GUARD.EXE; VRFWSVC.EXE; HFACSVC.EXE; VRMONSVC.EXE;
      HPCSVC.EXE; HSVCMOD.EXE; VRMONNT.EXE; MKSTRAY.EXE; VBA32ADS.EXE;
      VBA32LDR.EXE; FILELOCKSETUP.EXE; TSCFCOMMANDER.EXE; TMPROXY.EXE;
      TMPFW.EXE; TMBMSRV.EXE; UFNAVI.EXE; UFSEAGNT.EXE; TISSPWIZ.EXE;
      SFCTLCOM.EXE; TNBUTIL.EXE; DEFWATCH.EXE; RTVSCAN.EXE; SBAMSVC.EXE;
      SBAMUI.EXE; SBAMTRAY.EXE; SAVADMINSERVICE.EXE; SAVSERVICE.EXE;
      SCFSERVICE.EXE; SCFMANAGER.EXE; RAVTASK.EXE; CCENTER.EXE; ULIBCFG.EXE;
      RAVLITE.EXE; PCTAV.EXEPCTAVSVC.EXEPXCONSOLE.EXEPXAGENT.EXERAV.EXE;
      PCTSAUXS.EXE; PCTSTRAY.EXE; PCTSSVC.EXE; PCTSGUI.EXE; AVGAS.EXE;
      PAVBCKPT.EXE; WEBPROXY.EXE; PAVSRV51.EXESRVLOAD.EXE; PSIMSVC.EXE;
      PSHOST.EXE; AVENGINE.EXE; PSKMSSVC.EXE; PAVPRSRV.EXE; PAVFNSVR.EXE;
      PSCTRLS.EXE; TPSRV.EXE; NOD32M2.EXE; NOD32CC.EXE; NOD32.EXE;
      NMAIN.EXE; NOD32KUI.EXE; MSASCUI.EXE; MSMPENG.EXE; MCUPDATE.EXE;
      MCSHIELD.EXE; MCVSSHLD.EXE; MCVSRTE.EXE; MCAGENT.EXE; KAVSVC.EXE;
      KAV.EXE; K7TSMNGR.EXE; K7SPMSRC.EXE; K7RTSCAN.EXE; K7PSSRVC.EXE;
      K7FWSRVC.EXE; K7EMLPXY.EXE; K7TSECURITY.EXE; K7SYSTRY.EXE;
      VIRUSUTILITIES.EXE; GUARDXSERVICE.EXE; GUARDXKICKOFF.EXE; AVKWCTL.EXE;
      AVKTUNERSERVICE.EXE; AVKSERVICE.EXE; GDFWSVC.EXE; AVKPROXY.EXE;
      GDFIRE~1.EXE; AVKTRAY.EXE; GDFIREWALLTRAY.EXE; FSAUA.EXE;
      NOD32KRN.EXE; FSMA32.EXE; FSDFWD.EXE; FSGK32ST.EXE; FSM32.EXE;
      FPWIN.EXE; FPAVSERVER.EXE; FPROTTRAY.EXE; INICIO.EXE; UMXPOL.EXE;
      UMXFWHLP.EXE; UMXAGENT.EXE; UMXCFG.EXE; PPCLTPRIV.EXE; SVCPRS32.EXE;
      ITMRTSVC.EXE; CCPROVSP.EXE; MDMCLS32.EXE; CAGLOBALLIGHT.EXE;
      CAPFUPGRADE.EXE; CAPFASEM.EXE; CAFW.EXE; CFGMNG32.EXE; CCTRAY.EXE;
      CLAMTRAY.EXE; CLAMWIN.EXE; ALSVC.EXE; ALMON.EXE; DRWEBSCD.EXE;
      SPIDERML.EXE; DRWEB32W.EXE; ACS.EXE; STRTSVC.EXE; OP_MON.EXE;
      SENSOR.EXE; QHFW332.EXE; CATEYE.EXE; ONLNSVC.EXE; EMLPROUI.EXE;
      UPSCHD.EXE; SCANMSG.EXE; SCANWSCS.EXE; EMLPROXY.EXE; ONLINENT.EXE;
      ASWCLNR.EXE; BDAGENT.EXE; VSSERV.EXE; LIVESRV.EXE; XCOMMSVR.EXE


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, April 9, 2010
Description updated by Petre Galan on Monday, April 12, 2010

Back . . . .