Sophos

W32/IRCBot-XV

Summary

How it spreads:
  • Network shares
  • Chat programs
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: November 2007 (4.23)
Protection available since: 12 September 2007 23:45:39 (GMT)
Detected by: All Sophos products

Action

More Information

W32/IRCBot-XV is a worm with backdoor functionality for the Windows platform.

W32/IRCBot-XV spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may also spread via network shares and via MSSQL servers protected by weak passwords.

W32/IRCBot-XV runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/IRCBot-XV includes functionality to:

- check whether the bot is running under VPC, VMware or Anubis
- set up an FTP server
- set up a proxy server
- spread via MSN Instant Messenger by sending messages automatically
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server over HTTP
- harvest information from the clipboard

When first run, W32/IRCBot-XV copies itself to <System>\csrss.exe.

W32/IRCBot-XV can be instructed to spread via MSN using one of the following messages:

Hey man accept my pics. :( i just edited it to look maad funny..
Dude i found your picture on hotornot.com! Take a look!
do I look dumb in this picture? I want to put it on myspace.
hey you got a myspace album? anyways heres my new myspace album :) accept k?
ok, I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
Have you seen me Naked Yet :D
OMG, i found ur pic on cuteornot.com! Check it out!!!
Hey just finished new myspace album! :) theres a few kinky ones in there!
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey accept my pictures, i got a bunch from when i was like a toddler :X
OMG just accept please its only some pics!!
do you think this picture is too kinky for Myspace?
Wanna see my pics before i send em to facebook?
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Can you believe somone actually wears this size bra? I could use it for a Tent.
I've been editing some pics you should def see em loL! accept :)
Lmfao hey im sending my new pictures! Check em out!
I can't believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Take a look at the new pics already! :p
wanna see this pic of my Boobs?
Can i put this pic of you into my new myspace album?
wow! look at this old picture i found....
my crazy sister wants u to see these pics for some reason... take a look
wow I just dyed my hair... You will never believe the color it is now. lol And dont laugh
is this pic tooo sexy for photobucket??
sry about the messup i fixed the pic! Try it one more time pz
you care if i put this pictuer of you in my new album?
can i up some of these pics of ya to my myspace profile?
hey did i ever show you this picture of me?
haha lets hope your parents dont see this picture of you :D
Wow i think i found your pic on myspace!
This picture isnt you... right?

The attachment is the file My_Pictures2007.zip. This file is also detected as W32/IRCBot-XV.

The following registry entry is created to run csrss.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Runtime Server Subsystem
<System>\csrss.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
MeltCc32
<pathname of the worm executable>
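The two registry artifacts above can be checked for offline on a registry export. The following Python script is an added example, not Sophos code: it parses a constructed .reg fragment (the sample data is made up, not taken from a real infection) and flags a Run value that launches csrss.exe, which the genuine Windows csrss.exe never does since it is started by the session manager, together with the MeltCc32 value under Shell Extensions.

```python
import re

# Constructed sample: a fragment of a registry export (.reg format) showing the
# two values this page attributes to W32/IRCBot-XV, plus a benign Run value
# for contrast. Not a capture from a real infection.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Runtime Server Subsystem"="C:\\WINDOWS\\system32\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"MeltCc32"="C:\\WINDOWS\\system32\\csrss.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHELLEXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name, data = m.groups()
                keys[current][name] = data.replace("\\\\", "\\")  # unescape \\ to \
    return keys


def find_ircbot_xv_indicators(text):
    """Return (key, value name, data) findings for the persistence entries on this page."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Legitimate csrss.exe is never launched from a Run key, so any Run
        # value pointing at csrss.exe, or the value name the worm uses, is suspicious.
        if data.lower().endswith("\\csrss.exe") or name == "Runtime Server Subsystem":
            findings.append(("Run", name, data))
    for name, data in keys.get(SHELLEXT_KEY, {}).items():
        if name == "MeltCc32":  # value name the page attributes to the worm
            findings.append(("Shell Extensions", name, data))
    return findings


if __name__ == "__main__":
    for finding in find_ircbot_xv_indicators(SAMPLE_REG_EXPORT):
        print("suspicious: %s\\%s = %s" % finding)
```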

