W32/IRCBot-VR is an IM worm for the Windows platform.
W32/IRCBot-VR attempts to spread via MSN, and may send itself as "photo album.zip" to open chat windows with one or more of the following messages:
"Lmfao hey im sending my new photo album, Some bare funny pictures!"
"lol my sister wants me to send you this photo album"
"Hey i been doing photo album! Should see em loL! accept please mate :)"
"HEY lol i've done a new photo album !:) Second ill find file and send you it."
"Hey wanna see my new photo album?"
"looooooooooooooooooooooooooooooooooooooo!! :p"
"OMG just accept please its only my photo album!!"
"Hey accept my photo album, Nice new pics of me and my friend's and stuff and when i was young lol..."
"Hey just finished new photo album! :) might be a few nudes ;) lol..."
"hey you got a photo album? anyways heres my new photo album :) accept k?"
"hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol.."
W32/IRCBot-VR has functionality to:
- connect to IRC
- set up a backdoor for remote access
- download remote code
- steal passwords
When W32/IRCBot-VR is installed, the following files are created:
<Windows>\photo album.zip
<System>\rdihost.dll
The following registry entry is created to run code exported by {3D38667C-CF08-4060-BAD3-30797B8FE363} on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
rdihost
{3D38667C-CF08-4060-BAD3-30797B8FE363}
The file rdihost.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{3D38667C-CF08-4060-BAD3-30797B8FE363}
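A host check for the indicators listed above, as an added example that is not part of the original description. It lists every ShellServiceObjectDelayLoad value, resolves each CLSID to its DLL, and flags the entries named on this page; the function name `Get-SsodlEntry` is hypothetical, and the `InprocServer32` lookup assumes the standard COM registry layout.

```powershell
# Added example: audit ShellServiceObjectDelayLoad (SSODL) startup entries on the
# local host and flag the W32/IRCBot-VR indicators listed on this page.
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$iocValue = 'rdihost'
$iocClsid = '{3D38667C-CF08-4060-BAD3-30797B8FE363}'
$iocFiles = @(
    (Join-Path $env:windir 'photo album.zip'),                      # <Windows>\photo album.zip
    (Join-Path ([Environment]::SystemDirectory) 'rdihost.dll')      # <System>\rdihost.dll
)

function Get-SsodlEntry {
    # Hypothetical helper: one object per SSODL value, with the DLL its CLSID points to.
    if (-not (Test-Path -LiteralPath $ssodlKey)) { return }
    $key = Get-Item -LiteralPath $ssodlKey
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        # Assumption (standard COM layout): the in-process server DLL is the
        # default value of HKCR\CLSID\<clsid>\InprocServer32.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        [pscustomobject]@{
            ValueName  = $name
            Clsid      = $clsid
            Dll        = $dll
            MatchesIoc = ($name -ieq $iocValue) -or ($clsid -ieq $iocClsid)
        }
    }
}

# Show every SSODL entry so unexpected ones stand out, not only the known indicator.
$entries = @(Get-SsodlEntry)
$entries | Format-Table -AutoSize

$regHits  = @($entries  | Where-Object { $_.MatchesIoc })
$fileHits = @($iocFiles | Where-Object { Test-Path -LiteralPath $_ })

if ($regHits.Count -gt 0 -or $fileHits.Count -gt 0) {
    Write-Warning 'W32/IRCBot-VR indicators present on this host:'
    $regHits  | ForEach-Object { "  registry: $($_.ValueName) = $($_.Clsid) -> $($_.Dll)" }
    $fileHits | ForEach-Object { "  file:     $_" }
} else {
    'No W32/IRCBot-VR indicators from this description were found.'
}
```

Run it from an elevated PowerShell session so the HKLM and HKCR keys are readable for all entries.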