Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ctfmon
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Ctfmon
and delete them if they exist.
Close the registry editor.
More Information
W32/IRCBot-N is a worm with a backdoor component that spreads via weakly protected network shares and the IRC network.
In order to run automatically when Windows boots up, W32/IRCBot-N copies itself to the Windows system folder as the file ctfmon.exe and creates the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ctfmon
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Ctfmon
pointing to this file. The worm also copies itself to the file C:\you.exe.
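The registry export made as a backup can also be checked offline for these two entries. The following is an added example, not Sophos code: it parses the text of a .reg export and reports any Ctfmon string value under the two HKLM keys named above. The function names, the sample export and the C:\WINDOWS\SYSTEM path in it are constructed for illustration.

```python
import re

# Keys named on this page; the worm's value under each is called "Ctfmon".
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(text):
    """Undo .reg escaping of backslashes and quotes inside a string."""
    return re.sub(r"\\(.)", r"\1", text)

def find_ctfmon_entries(reg_text):
    """Return (key, value name, data) for each Ctfmon string value found."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current_key and current_key.lower() in RUN_KEYS:
            name, data = unescape(value.group(1)), unescape(value.group(2))
            if name.lower() == "ctfmon":
                hits.append((current_key, name, data))
    return hits

# Constructed sample export (not taken from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Ctfmon"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Ctfmon"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon"="ctfmon.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_ctfmon_entries(SAMPLE_EXPORT):
        print(f"{key}\\{name} -> {data}")
```

The function takes already-decoded text; exports written by newer versions of Regedit are UTF-16 and must be decoded before being passed in.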
W32/IRCBot-N attempts to connect to other computers using the NetBIOS protocol by trying several common username/password combinations. When a connection succeeds, the worm copies itself to the remote computer. In order to spread via the IRC network, W32/IRCBot-N modifies the initialization scripts of an installed mIRC client so that the worm is sent automatically to all users joining an IRC channel.
W32/IRCBot-N contains an IRC backdoor component that allows a malicious user to control an infected system. The backdoor establishes a connection to a remote IRC server, which then serves as the control channel for the attacker.
