W32/IrcWorm-A

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Chat programs
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	May 2007 (4.17)
Protection available since	27 March 2007 09:30:57 (GMT)
Detected by	All Sophos products

W32/IrcWorm-A is an IRC worm for the Windows platform.

When W32/IrcWorm-A is installed the following files are created:

<Windows>\photo album.zip
<System>\rdfhost.dll

The worm will then attempt to connect to an IRC channel and begin sending messages enticing other users to accept the file transfer of zip file.

The following registry entry is created to run code exported by {5344BB88-3DE1-409F-8307-C85923A1F4DD} on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
rdshost
{5344BB88-3DE1-409F-8307-C85923A1F4DD}

The file rdfhost.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\{5344BB88-3DE1-409F-8307-C85923A1F4DD}

Get reports about the latest virus and spyware threats delivered to your computer