Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 2 December 2005 09:13:37 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/IRCBot-IV is a worm and IRC backdoor Trojan for the Windows platform.
W32/IRCBot-IV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/IRCBot-IV spreads to other network computers protected by weak passwords.
When first run, W32/IRCBot-IV copies itself to C:\svhost.exe.
The following registry entry is created to run svhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Svchost Windows Remote Services
C:\svhost.exe
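
An added detection example (not Sophos code): it parses `reg query` output for the Run key and flags entries like the one above, where the executable name is a near-miss of svchost.exe or the file sits in a drive root. The sample output, the distance threshold and all function names are assumptions made for this illustration; it also goes one step beyond this worm by flagging a correctly named svchost.exe outside System32.

```python
import re
from pathlib import PureWindowsPath

LEGIT = "svchost.exe"  # the system binary that C:\svhost.exe imitates
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
MAX_DISTANCE = 2  # assumption: catches one dropped letter or one swapped pair

# Constructed `reg query` output for the Run key (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Svchost Windows Remote Services    REG_SZ    C:\svhost.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""
# reg.exe separates value name, type and data with four spaces.
ROW = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def edit_distance(a, b):  # Levenshtein distance, row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_path(data):  # executable path from a quoted or unquoted command line
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)\b)', data, re.I)
    return (m.group(1) or m.group(2)) if m else data.strip()

def suspicious_run_entries(reg_query_output):
    """Return (value name, path, reasons) for Run entries that imitate svchost.exe."""
    findings = []
    for m in filter(None, map(ROW.match, reg_query_output.splitlines())):
        path = PureWindowsPath(exe_path(m["data"]))
        base, parent = path.name.lower(), str(path.parent).lower()
        reasons = []
        if base != LEGIT and edit_distance(base, LEGIT) <= MAX_DISTANCE:
            reasons.append("lookalike of svchost.exe")
        if base == LEGIT and parent not in SYSTEM_DIRS:
            reasons.append("svchost.exe outside System32")
        if path.drive and len(path.parts) == 2:
            reasons.append("executable in drive root")
        if reasons:
            findings.append((m["name"], str(path), reasons))
    return findings

if __name__ == "__main__":
    print(*suspicious_run_entries(SAMPLE), sep="\n")
```
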
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Command-Control\
W32/IRCBot-IV includes functionality to terminate and disable system, security and anti-virus processes including:
TASKMGR.EXE
COMMAND.EXE
COMMAND.COM
regedit.exe
AVGUARD.EXE
ANTIVIR.EXE
ANTIVIRUS.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
NAVAPW32.EXE
NAVW32.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
ANTS.EXE
Anti-Trojan.exe
iamapp.exe
iamserv.exe
FRW.EXE
blackice.exe
blackd.exe
zonealarm.exe
vsmon.exe
WrCtrl.exe
WrAdmin.exe
cleaner3.exe
cleaner.exe
tca.exe
MooLive.exe
lockdown2000.exe
Sphinx.exe
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
