W32/IRCBot-WB is an IRC and MSN backdoor worm for the Windows platform.
W32/IRCBot-WB spreads by sending other MSN users a zipped copy of itself that is disguised as a photo album.
W32/IRCBot-WB runs continuously in the background, accepting commands from a remote user.
When W32/IRCBot-WB is first run, the following files are created:
<Windows>\photos.zip - zip file containing W32/IRCBot-WB
<System>\syshosts.dll - also detected as W32/IRCBot-WB
The following registry entry is created to run code exported by {AA61EB82-F4F2-44FF-BA49-68FDA4E60735} on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
syshosts
{AA61EB82-F4F2-44FF-BA49-68FDA4E60735}
The file syshosts.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{AA61EB82-F4F2-44FF-BA49-68FDA4E60735}
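
An added example, not part of the original description or of any vendor tool: a Python check that reads a registry export in .reg format and flags ShellServiceObjectDelayLoad values matching the indicators above. The sample export is constructed, and resolving the CLSID to a DLL through its InprocServer32 subkey is an assumption based on standard COM in-process registration.

```python
import re

# Indicators taken from the description above.
SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
BAD_CLSID = "{AA61EB82-F4F2-44FF-BA49-68FDA4E60735}"
BAD_NAME = "syshosts"
BAD_DLL = "syshosts.dll"

# Constructed sample export (not captured from a real host). The benign CLSID
# is a placeholder; the InprocServer32 subkey is the standard COM location for
# an in-process server DLL and is an assumption, not stated in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleBenign"="{00000000-0000-0000-0000-000000000001}"
"syshosts"="{AA61EB82-F4F2-44FF-BA49-68FDA4E60735}"

[HKEY_CLASSES_ROOT\CLSID\{AA61EB82-F4F2-44FF-BA49-68FDA4E60735}\InprocServer32]
@="C:\\WINDOWS\\system32\\syshosts.dll"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg text into {KEY_PATH_UPPERCASE: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys

def audit_ssodl(text):
    """List every ShellServiceObjectDelayLoad value; flag indicator matches."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL.upper(), {}).items():
        inproc = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid.upper() + "\\INPROCSERVER32"
        dll = keys.get(inproc, {}).get("", "")  # default value = DLL path
        flagged = (clsid.upper() == BAD_CLSID or name.lower() == BAD_NAME
                   or dll.lower().endswith("\\" + BAD_DLL))
        findings.append({"name": name, "clsid": clsid, "dll": dll, "flagged": flagged})
    return findings

if __name__ == "__main__":
    for f in audit_ssodl(SAMPLE_REG):
        print(("SUSPICIOUS" if f["flagged"] else "ok"), f["name"], f["clsid"], f["dll"])
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to `audit_ssodl`.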