Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.AU [Threat Variant Name]

Category worm
Size 23552 B
Detection created Jun 19, 2009
Detection database version 4170
Aliases Backdoor.Win32.IRCBot.jgd (Kaspersky)
  W32.IRCBot (Symantec)
  Worm:Win32/Neeris.AV (Microsoft)
Short description

Win32/AutoRun.IRCBot.AU is a worm that spreads via removable media. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\system\lsass.exe (23552 B)

The worm creates the following file:

  • %system%\drivers\sysdrv32.sys (11656 B)

It installs the following system driver:

  • %system%\drivers\sysdrv32.sys

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ilasss" = "%windir%\system\lsass.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsass]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lsass]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 1
    • "ImagePath" = "\??\%system%\drivers\sysdrv32.sys"
    • "DisplayName" = "Play Port I/O Driver"
    • "Group" = "SST wanport drivers"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum]
    • "0" = "Root\LEGACY_SYSDRV32\0000"
    • "Count" = 1
    • "NextInstance" = 1

The worm deletes the original file.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Key-Installer.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

It communicates with the following server using the IRC protocol:

  • 1.sdhjiww.com

The worm can download and execute a file from the Internet.

The worm quits immediately if the user name is one of the following:

  • CurrentUser
  • sandbox
  • vmware

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%windir%\system\lsass.exe" = "%windir%\system\lsass.exe:*:Microsoft Enabled"

This Registry entry adds an exception for the worm's executable to the Windows Firewall.

It uses techniques common for rootkits. The worm hides its running process.
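The host artifacts listed above (dropped files, Run-key value, driver service, SafeBoot entries, firewall exception and removable-media payload) can be checked read-only with the following script. This is an added example for investigators, not ESET's own tooling; it assumes an elevated PowerShell session on the host under investigation and reports only artifacts named on this page.

```powershell
# Read-only hunt for Win32/AutoRun.IRCBot.AU artifacts described above (added example).
# Because the worm hides its running process, a process listing may show nothing;
# the file and Registry artifacts below are therefore checked directly.
$findings = @()

# 1. Dropped worm copy: %windir%\system\lsass.exe
#    (the legitimate lsass.exe lives in %windir%\System32, not %windir%\system)
$wormCopy = Join-Path $env:windir 'system\lsass.exe'
if (Test-Path $wormCopy) {
    $findings += "File present: $wormCopy ($((Get-Item $wormCopy).Length) B)"
}

# 2. Dropped driver file
$driver = Join-Path $env:SystemRoot 'System32\drivers\sysdrv32.sys'
if (Test-Path $driver) { $findings += "Driver file present: $driver" }

# 3. Run-key persistence: value name "ilasss"
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = Get-ItemProperty -Path $run -Name 'ilasss' -ErrorAction SilentlyContinue
if ($val) { $findings += "Run value 'ilasss' = $($val.ilasss)" }

# 4. Driver service registration and SafeBoot entries that keep it loaded in safe mode
foreach ($key in @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\sysdrv32',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsass',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lsass')) {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 5. Windows Firewall exception for the worm's executable
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwProps = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($fwProps) {
    $fwProps.PSObject.Properties |
        Where-Object { $_.Name -like '*\system\lsass.exe' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 6. Removable-media payload (DriveType=2 is removable) in the drive root
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    foreach ($name in 'Key-Installer.exe', 'autorun.inf') {
        $p = "$($_.DeviceID)\$name"
        if (Test-Path $p) { $findings += "Removable media artifact: $p" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Win32/AutoRun.IRCBot.AU artifacts found.' }
```

An autorun.inf on removable media is not malicious by itself; treat it as a finding only when it appears alongside Key-Installer.exe or points at it.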
