Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:WORM/IrcBot.56832.4
Date discovered:15/11/2010
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:56.832 Bytes
MD5 checksum:400ab8f23844227443cc309c472844dd
VDF version:7.10.06.91
IVDF version:7.10.13.241 - Monday, November 15, 2010

 General Method of propagation:
    Messenger


Aliases:
   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Backdoor.Win32.IRCBot.rbe
   •  TrendMicro: WORM_SLENFBOT.DA
   •  F-Secure: Backdoor.Bot.131406
   •  Sophos: Mal/PushBot-A
   •  Bitdefender: Backdoor.Bot.131406


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %WINDIR%\nvsvc32.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"



The following registry keys are added:

[HKCU\Software\Microsoft\Internet Explorer\Main]
   • "Start Page"="http://googleure.com"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"



The following registry key is changed:

[HKLM\SYSTEM\ControlSet001\Services\wuauserv]
   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

 Messenger It is spreading via Messenger. The characteristics are described below:

 Yahoo Messenger


Message
The sent message looks like one of the following:

   • You have only 3 minutes to fill out the selected survey
or you will not have access to your account.
     You have only 3 minutes to fill out the selected survey
or you will be banned from this site.
     

 IRC  Furthermore it has the ability to perform actions such as:
    • Join IRC channel
    • Leave IRC channel

 Stealing  A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • myspace.com
   • facebook.com

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • albertoshistory.info; ale.pakibili.com; astro.ic.ac.uk;
      ate.lacoctelera.net; beta.neogen.ro; browseusers.myspace.com;
      crl.microsoft.com; deirdremccloskey.org; ds.phoenix-cc.net;
      epp.gunmablog.jp; erdbeerlounge.de; goodreads.com; heidegger.x-y.net;
      hrm.uh.edu; insidehighered.com; jb.asm.org; journalofaccountancy.com;
      journals.lww.com; mas.0730ip.com; mas.ahlamontada.com;
      mas.archivum.info; mas.josbank.com; mas.juegosbakugan.net;
      mas.mtime.com; mas.tguia.cl; mas.univie.ac.at; mcsp.lvengine.com;
      middleastpost.org; mix.price-erotske.in.rs; mix.thenaturistclub.com;
      mmm.bolbalatrust.org; old.longjuyt2tugas.com; old.youku.com;
      ols.systemofadown.com; ope.oaklandathletics.com; opl.munin.irf.se;
      pra.aps.org; pru.landmines.org; qun.51.com; refugee-action.org.uk;
      screenservice.com; scribbidyscrubs.com; shopstyle.com;
      southampton.ac.uk; stayontime.info; summer-uni-sw.eesp.ch;
      transnationale.org; tripadvisor.com; uks.linkedin.com; unclefed.com;
      versatek.com; websitetrafficspy.com; www.myspace.com;
      www.shearman.com; x.myspacecdn.com; xxx.jagdcom.de; xxx.stopklatka.pl

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description insérée par Andrei Ilie le mercredi 23 mars 2011
Description mise à jour par Andrei Ilie le vendredi 1 avril 2011

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.