Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:22/04/2009
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium to high
Static file:Yes
File size:995.328 Bytes
MD5 checksum:3911f7a8d09c467dbf3a05f73f0b8c7d
IVDF version: - Wednesday, April 22, 2009

 General Aliases:
   •  Mcafee: Generic Rootkit.g trojan
   •  Sophos: W32/Ircbot-AER
   •  Panda: W32/IRCBot.CKA.worm
   •  Eset: Win32/IRCBot
   •  Bitdefender: IRC-Worm.Generic.3237

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\svhost.exe

The following file is created:

%SYSDIR%\drivers\sysdrv32.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Hacktool.Tcpz.A

 Registry The following registry key is added in order to run the process after reboot:

   • "Description"=" intrusion detection."
   • "DisplayName"="Network Monitor service"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%SYSDIR%\svhost.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110

The following registry keys are added in order to load the service after reboot:

   • "DisplayName"="Play Port I/O Driver"
   • "ErrorControl"=dword:0x00000001
   • "Group"="SST miniport drivers"
   • "ImagePath"="\??\%SYSDIR%\drivers\sysdrv32.sys"
   • "Start"=dword:0x00000003
   • "Type"=dword:0x00000001

The following registry keys are added:

   • "@"="Service"

   • "@"="Service"

 Network Infection Exploit:
It makes use of the following Exploits:
– MS03-007 (Unchecked Buffer in Windows Component)
 MS04-045 (Vulnerability in WINS)
MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 7.j3h**********.net
Port: 57
Server password: h4xg4ng
Channel: #cunt
Nickname: [00-USA-XP-%number%]

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Beschrijving ingevoegd door Petre Galan op maandag 30 november 2009
Beschrijving bijgewerkt door Petre Galan op maandag 30 november 2009

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.