Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.JD [Threat Variant Name]

Category worm
Size 487424 B
Detection created Oct 01, 2013
Detection database version 9018
Aliases Trojan.Win32.IRCbot.aoe (Kaspersky)
  Worm:Win32/Phorpiex.B (Microsoft)
  RDN/Sdbot.worm!bq.virus (McAfee)
  Backdoor.IRCBot.ADLT (BitDefender)
Short description

Win32/AutoRun.IRCBot.JD is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\M-480280608804286024044\winsvc.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows Manager" = "%userprofile%\M-480280608804286024044\winsvc.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%userprofile%\M-480280608804286024044\winsvc.exe" = "%userprofile%\M-480280608804286024044\winsvc.exe:*:Enabled:Microsoft Windows Manager"

This Registry entry adds an exception for the worm's executable to the Windows Firewall, so its network traffic is not blocked.

Spreading on removable media

The worm searches for files and folders in the root folders of removable drives.

The worm then deletes the found files.


The worm creates the following folders:

  • %removabledrive%\DATA\

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.
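An added host-triage script, not part of the ESET page, that checks a Windows machine for the persistence, firewall-exception and removable-media indicators listed in the Installation and Spreading sections above. The Registry paths, value names and file names come from the page; treating the folder name M-480280608804286024044 as one instance of an M-<digits> pattern is an assumption.

```powershell
# Added example, not from the ESET page: triage for Win32/AutoRun.IRCBot.JD indicators.
# Assumption: 'M-480280608804286024044' is one instance of an 'M-<digits>' folder name,
# so the checks match any '<userprofile>\M-<digits>\winsvc.exe' path.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$fwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$findings = @()

# 1. Persistence: Run value "Microsoft Windows Manager", or any value pointing at M-<digits>\winsvc.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'Microsoft Windows Manager' -or ("$($p.Value)" -match '\\M-\d+\\winsvc\.exe$')) {
            $findings += "Run value '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 2. Firewall exception: AuthorizedApplications entry "<path>:*:Enabled:Microsoft Windows Manager"
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ("$($p.Value)" -match ':\*:Enabled:Microsoft Windows Manager$') {
            $findings += "Firewall exception: '$($p.Name)'"
        }
    }
}

# 3. Dropped copy: %userprofile%\M-<digits>\winsvc.exe
$dirs = Get-ChildItem -Path $env:USERPROFILE -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^M-\d+$' }
foreach ($d in $dirs) {
    $exe = Join-Path $d.FullName 'winsvc.exe'
    if (Test-Path -LiteralPath $exe) { $findings += "Dropped file: $exe" }
}

# 4. Removable drives (DriveType 2): the DATA folder the worm creates. A weak indicator
#    on its own; also review the root of such drives for unexpected executables.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
foreach ($drive in $removable) {
    $data = "$($drive.DeviceID)\DATA"
    if (Test-Path -LiteralPath $data) { $findings += "Removable drive folder: $data" }
}

if ($findings.Count -eq 0) { 'No Win32/AutoRun.IRCBot.JD indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { "  $_" } }
```

Run it in the context of the affected user, since the Run key and the dropped file live under that user's profile; the firewall list under HKLM is readable without elevation.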

Spam distribution

The worm can be used for sending spam.

Subject of the message may be one of the following:

  • hahaha
  • ;)
  • :D
  • :P
  • :)
  • ;D

Body of the message may be one of the following:

  • Is this you??
  • Picture of you??
  • Tell me what you think of this picture
  • This is the funniest picture ever!
  • Someone showed me your picture
  • I love your picture!
  • You look so beautiful on this picture
  • You should take a look at this picture
  • Take a look at my new picture please
  • What you think of this picture?
  • Should I upload this picture on facebook?
  • Someone told me it's your picture
  • I found this picture of you
  • Your picture is all over the web now
  • Could you explain please?
  • I just can't belive this
  • Shame on you
  • You look terrible on this photo
  • Your wife won't be happy about that
  • Your friends won't be happy about that
  • Photo of you naked??
  • Please tell me this is your photo
  • Check out my photo but keep it private
  • My private photo for you
  • My private photo
  • My private picture
  • To show how much I love you
  • I love you so much please check my photo
  • My private picture only for you
  • Hey check out this picture
  • Do you think she is hot?
  • How do you think she looks?
  • Do you think I'm attractive?
  • Please rate my picture
  • Do you think I'm 'pretty or ugly?
  • Your opinion needed
  • Private
  • Keep it secret
  • Keep it private

The attachment is a file that the worm downloads from the Internet.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) addresses of remote servers. The IRC protocol is used for communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • send spam
