Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 5 October 2005 08:47:23 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Ixbot-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Ixbot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Ixbot-A spreads using AOL Instant Messenger and opens a backdoor on TCP port 5190.
When first run, W32/Ixbot-A copies itself to the Windows System folder under a randomly generated filename.
The following registry entry is created to run W32/Ixbot-A on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Socketheader
<path to worm executable>
Registry changes may also be made under:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
W32/Ixbot-A also attempts to remove the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAVPersonal50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
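The Run-key changes described above can be checked by comparing two saved snapshots of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. The following is an added example, not Sophos code; the snapshot text, paths and file names in it are constructed, and the assumed line layout of the `reg query` output is stated in the comments.

```python
import re

# Value name the worm adds under HKLM\...\CurrentVersion\Run (from the description).
WORM_VALUE = "Windows Socketheader"
# Run values the worm attempts to remove (from the description).
TARGETED = {"avg7_cc", "avg7_emc", "KAVPersonal50", "McAfee.InstantUpdate.Monitor",
            "McAfee Guardian", "KAV50", "ccApp"}

# Assumption: value lines look like "<indent>name<sep>REG_TYPE<sep>data",
# where <sep> is a tab or a run of two or more spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)(?:\t| {2,})(REG_\w+)(?:\t| {2,})(.*)$")

def parse_run_values(reg_query_text):
    """Return {value name: data} from `reg query` output for one key."""
    values = {}
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).strip()] = m.group(3).strip()
    return values

def check_run_key(baseline_text, current_text):
    """Compare two snapshots of the Run key and report Ixbot-A indicators."""
    baseline = parse_run_values(baseline_text)
    current = parse_run_values(current_text)
    # Registry value names are case-insensitive, so look them up in lower case.
    lower = {name.lower(): data for name, data in current.items()}
    return {
        "worm_entry": lower.get(WORM_VALUE.lower()),
        "removed_av_entries": sorted(
            n for n in baseline if n in TARGETED and n.lower() not in lower),
    }

# Constructed sample snapshots (paths and file names are made up).
BASELINE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    McAfee Guardian    REG_SZ    "C:\Program Files\McAfee\guardian.exe"
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""
CURRENT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Windows Socketheader    REG_SZ    C:\WINDOWS\system32\example-random-name.exe
"""

if __name__ == "__main__":
    print(check_run_key(BASELINE, CURRENT))
```

A non-empty `worm_entry` gives the path of the file to quarantine; `removed_av_entries` lists the anti-virus startup values that need restoring after cleanup.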
