W32/IRCBot-ADD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 25 Nov 2008 18:09:37 (GMT)
Last Updated: 25 Nov 2008 18:09:37 (GMT)


W32/IRCBot-ADD is a worm for the Windows platform.

W32/IRCBot-ADD spreads by copying itself to network shares and removable drives.

W32/IRCBot-ADD copies itself to the following location on removable drives:

\RECYCLER\<user folder>\recycle.exe

All files and folders in the above path have the system, hidden and read-only attributes set. W32/IRCBot-ADD creates an autorun.inf file in the root folder of the drive (also with the system, hidden and read-only attributes set) in an attempt to run recycle.exe when the drive is loaded.

When W32/IRCBot-ADD is installed the following files are created:

<System>\spoolvs.exe
<System>\<random1>.dll
<System>\wauclt.exe
<System>\<random2>.dll
<Windows>\Tasks\<random3>.job
<Temp>\<random4>.bat
<User>\Cookies\user@wmvmedialease[?].txt

where <random1>, <random2>, <random3> and <random4> are randomly generated strings.

The following registry entries are created to run spoolvs.exe and wauclt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Service Agent
spoolvs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Agent
spoolvs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host
wauclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Agent
spoolvs.exe

The file <random1>.dll is registered as a COM object and shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{8369650D-536C-4B75-BA0B-8286E86EDA0A}

The following registry entries are created to run code exported by <random1>.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random1>
DllName
<random1>.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random1>
Impersonate
0

A scheduled task named <random3> is created to run the following rundll32 command line daily at midnight:

<System>\rundll32.exe % "<System>\<random2>.dll", d

The following registry entries are set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
{A8A88C49-5EB2-4990-A1A2-0876022C854F}
<BINARY>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}
<BINARY>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1A10
0

W32/IRCBot-ADD displays a message box with the text:

   Windows Microsoft Viewer

   Picture can not be displayed.
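As an added example (not Sophos tooling and not code from this page), the following Python check looks for the persistence and spreading indicators described above in a registry snapshot and a file listing that have already been collected into Python objects. The snapshot, the file list, the SID-like folder name and the DLL name qwxz.dll (standing in for <random1>.dll) are constructed placeholders.

```python
import re

# Indicators come from the W32/IRCBot-ADD description above. The registry snapshot
# and file listing are constructed samples (assumption: keys and values were
# already collected into a dict); "qwxz.dll" stands in for <random1>.dll.
RUN_KEYS = {r"hklm\software\microsoft\windows\currentversion\runservices",
            r"hklm\software\microsoft\windows\currentversion\run",
            r"hkcu\software\microsoft\windows\currentversion\run"}
RUN_VALUES = {"Windows Service Agent": "spoolvs.exe", "Generic Host": "wauclt.exe"}
HOOK_CLSID = "{8369650D-536C-4B75-BA0B-8286E86EDA0A}"
NOTIFY_PREFIX = r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"
RECYCLE_RE = re.compile(r"^([a-z]):\\recycler\\[^\\]+\\recycle\.exe$", re.I)

def find_indicators(reg, files):
    """Return the autostart, hook and removable-drive indicators that are present."""
    hits, notify = [], {}
    for key, vals in reg.items():
        k = key.lower()
        if k in RUN_KEYS:  # Run/RunServices values named on the page
            for name, exe in RUN_VALUES.items():
                if vals.get(name, "").lower().endswith(exe):
                    hits.append(f"autostart: {key}\\{name} = {vals[name]}")
        if k.startswith(NOTIFY_PREFIX) and "DllName" in vals:
            notify[vals["DllName"].lower().rsplit("\\", 1)[-1]] = key
        if k.endswith("shellexecutehooks") and HOOK_CLSID in vals:
            hits.append(f"shell hook: {HOOK_CLSID} registered in {key}")
        if k.endswith(r"internet settings\zones\3") and vals.get("1A10") == 0:
            hits.append(f"internet zone: {key}\\1A10 = 0")
    # the DLL serving the hook CLSID is also loaded by Winlogon as a Notify package
    server = reg.get("HKCR\\CLSID\\" + HOOK_CLSID + "\\InprocServer32", {}).get("", "")
    dll = server.lower().rsplit("\\", 1)[-1]
    if dll and dll in notify:
        hits.append(f"winlogon notify: {notify[dll]} loads {server}")
    for drive in sorted({m.group(1).upper() for f in files if (m := RECYCLE_RE.match(f))}):
        autorun = any(f.lower() == f"{drive.lower()}:\\autorun.inf" for f in files)
        hits.append(f"drive {drive}: RECYCLER\\<folder>\\recycle.exe" + (" with autorun.inf" if autorun else ""))
    return hits

SAMPLE_REG = {  # constructed snapshot; "" is the key's default value
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Windows Service Agent": r"C:\WINDOWS\system32\spoolvs.exe", "Generic Host": r"C:\WINDOWS\system32\wauclt.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks": {HOOK_CLSID: ""},
    "HKCR\\CLSID\\" + HOOK_CLSID + r"\InprocServer32": {"": r"C:\WINDOWS\system32\qwxz.dll"},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwxz": {"DllName": "qwxz.dll", "Impersonate": 0},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3": {"1A10": 0},
}
SAMPLE_FILES = [r"E:\autorun.inf", r"E:\RECYCLER\S-1-5-21-1234\recycle.exe"]  # constructed

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE_REG, SAMPLE_FILES)))
```

The Winlogon Notify check deliberately requires the same DLL to back both the ShellExecuteHooks CLSID and the Notify package, since legitimate Notify packages also exist on older Windows versions.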
