W32/IRCBot-ABE

Please follow the instructions for removing worms.

W32/IRCBot-ABE is a network worm with backdoor functionailty for the Windows platform.

W32/IRCBot-ABE spreads via network shares and MSSQL servers protected by weak passwords. The worm can also be spread via chat programs.

W32/IRCBot-ABE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/IRCBot-ABE includes the functionality to:

- set up an FTP server
- set up a proxy server
- spread via MSN Messager and Yahoo Messenger by sending messages automatically
- steal passwords
- set or remove network shares
- log keypresses
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/IRCBot-ABE copies itself to <System>\dllcache\Dirhost.com.

The file Dirhost.com is registered as a new system driver service named "Microsoft Dir32", with a display name of "Microsoft Dir32" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Dir32

Registry entries are created under:

HKCR\.key