Sophos

W32/IRCBot-ADD

Aliases
  • Backdoor:Win32/Rbot.gen

Summary

 
How it spreads
  • Removable storage devices
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 25 November 2008 20:15:19 (GMT)
Detected by All Sophos products

More Information

W32/IRCBot-ADD is a worm for the Windows platform.

W32/IRCBot-ADD spreads by copying itself to network shares and removable drives.

W32/IRCBot-ADD copies itself to the following location on removable drives:

\RECYCLER\<user folder>\recycle.exe

All files and folders in the above path have the system, hidden and read-only attributes set. W32/IRCBot-ADD creates an autorun.inf file in the root folder of the drive (also with the system, hidden and read-only attributes set) in an attempt to run recycle.exe when the drive is loaded.

When W32/IRCBot-ADD is installed the following files are created:

<System>\spoolvs.exe
<System>\<random1>.dll
<System>\wauclt.exe
<System>\<random2>.dll
<Windows>\Tasks\<random3>.job
<Temp>\<random4>.bat
<User>\Cookies\user@wmvmedialease[?].txt

where <random1>, <random2>, <random3> and <random4> are randomly generated strings.

The following registry entries (key, value name, value data) are created to run spoolvs.exe and wauclt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Service Agent
spoolvs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Agent
spoolvs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host
wauclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Agent
spoolvs.exe

The file <random1>.dll is registered as a COM object and shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{8369650D-536C-4B75-BA0B-8286E86EDA0A}

The following registry entries are created to run code exported by <random1>.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random1>
DllName
<random1>.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random1>
Impersonate
0

A scheduled task named <random3> is created to run the following rundll32 command line against <random2>.dll daily at midnight:

<System>\rundll32.exe % "<System>\<random2>.dll", d

The following registry entries are set, weakening Internet Explorer security settings for zone 3 (the Internet zone):

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
{A8A88C49-5EB2-4990-A1A2-0876022C854F}
<BINARY>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}
<BINARY>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1A10
0
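As an added defender-side example (not code from Sophos' write-up), the following Python parses a constructed .reg-style export and flags the persistence artifacts listed above: Run/RunServices values that launch spoolvs.exe or wauclt.exe, the ShellExecuteHooks CLSID, and a Winlogon Notify package whose DLL matches the CLSID's InprocServer32 server. The InprocServer32 layout and the sample DLL name qzkfmw.dll are assumptions.

```python
# Constructed .reg-style export of the artifacts named above; "qzkfmw" stands in for <random1>.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host"="wauclt.exe"
"Windows Service Agent"="spoolvs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8369650D-536C-4B75-BA0B-8286E86EDA0A}"=""
[HKEY_CLASSES_ROOT\CLSID\{8369650D-536C-4B75-BA0B-8286E86EDA0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\qzkfmw.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qzkfmw]
"DllName"="qzkfmw.dll"
"""
# Indicators quoted from the write-up; registry paths are compared case-insensitively.
RUN_KEYS = (r"hklm\software\microsoft\windows\currentversion\runservices",
            r"hklm\software\microsoft\windows\currentversion\run",
            r"hkcu\software\microsoft\windows\currentversion\run")
RUN_FILES = {"spoolvs.exe", "wauclt.exe"}
HOOK_KEY = r"hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
HOOK_CLSID = "{8369650d-536c-4b75-ba0b-8286e86eda0a}"
NOTIFY_PREFIX = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

def parse_reg_export(text):
    """Parse a .reg-style export into {key (lower-cased): {value name: data}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVES.get(hive, hive) + "\\" + rest).lower()
            reg[key] = {}
        elif key and "=" in line:
            name, _, data = line.partition("=")
            reg[key][name.strip('"')] = data.strip('"')
    return reg

def find_indicators(reg):
    """Return one line per persistence artifact from the write-up found in reg."""
    hits = []
    for key in RUN_KEYS:  # Run/RunServices values that launch the dropped executables
        for name, data in reg.get(key, {}).items():
            if data.lower().split("\\")[-1] in RUN_FILES:
                hits.append(f"run key {key} value '{name}' -> {data}")
    if HOOK_CLSID in (n.lower() for n in reg.get(HOOK_KEY, {})):
        hits.append(f"ShellExecuteHooks registers {HOOK_CLSID}")
    # <random1>.dll pattern: the DLL behind the CLSID (InprocServer32 default value, assumed
    # COM layout) is also loaded as a Winlogon Notify package.
    inproc = reg.get("hkcr\\clsid\\" + HOOK_CLSID + "\\inprocserver32", {}).get("@", "")
    dll = inproc.lower().split("\\")[-1]
    for key, values in reg.items():
        if dll and key.startswith(NOTIFY_PREFIX) and values.get("DllName", "").lower() == dll:
            hits.append(f"Winlogon Notify {key} loads the ShellExecuteHooks DLL {dll}")
    return hits
```

Running `find_indicators(parse_reg_export(SAMPLE_EXPORT))` on the sample returns four hits; an export with none of these keys returns an empty list.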

W32/IRCBot-ADD displays a message box with the text:

   Windows Microsoft Viewer

   Picture can not be displayed.
