Win32/AutoRun.IRCBot [Threat Name]
Win32/AutoRun.IRCBot.AK [Threat Variant Name]
Category | worm
Size | 56971 B
Aliases | Trojan.Win32.Buzus.auvf (Kaspersky), Trojan.Dropper (Symantec), Generic.dx (McAfee)
Short description
Win32/AutoRun.IRCBot.AK is a worm that spreads via removable media. It can be controlled remotely over IRC. It installs a kernel-mode driver and uses techniques common to rootkits.
Installation
When executed, the worm copies itself into the following location:
- %windir%\system\netmon.exe (56971 B)
The worm creates the following file and installs it as a system driver:
- %system%\drivers\sysdrv32.sys
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "netmon" = "%windir%\system\netmon.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon]
- "(Default)" = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netmon]
- "(Default)" = "Service"
The SafeBoot entries mark a service named netmon as permitted to load when Windows is started in Safe Mode (both Minimal and With Networking), so Safe Mode does not by itself prevent the worm's component from being loaded.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
- "Type" = 1 (SERVICE_KERNEL_DRIVER)
- "Start" = 3 (SERVICE_DEMAND_START; the driver is loaded on request rather than automatically at boot)
- "ErrorControl" = 1 (SERVICE_ERROR_NORMAL)
- "ImagePath" = "\??\%system%\drivers\sysdrv32.sys"
- "DisplayName" = "Play Port I/O Driver"
- "Group" = "SST wanport drivers"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum]
- "0" = "Root\LEGACY_SYSDRV32\0000"
- "Count" = 1
- "NextInstance" = 1
The Enum subkey and the Root\LEGACY_SYSDRV32 device node are created by Windows when a legacy (non-Plug and Play) driver is started, so their presence indicates that the driver has been loaded at least once.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
- strongkey-rc1.3-build-208.exe (56971 B)
The following file is dropped in the same folder:
- autorun.inf
Thus, the worm is started automatically each time the infected media is inserted into a computer on which AutoRun is still honoured for removable drives. Windows 7 and later, and earlier versions with Microsoft update KB971029 applied, ignore autorun.inf on USB drives, so on those systems the copy only runs if the user opens it.
Other information
The worm acquires data and commands from a remote computer or the Internet.
It communicates with the following server using the IRC protocol:
- sithwarlord.com
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- monitor network traffic
As an anti-analysis check, the worm quits immediately if the current user name is one of the following (account names typical of sandboxes and analysis virtual machines):
- CurrentUser
- sandbox
- vmware
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%windir%\system\netmon.exe" = "%windir%\system\netmon.exe:*:Enabled:netmon"
This entry adds netmon.exe to the Windows Firewall list of authorized applications, so inbound connections to the worm are not blocked by the firewall.
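As an added example that is not part of the ESET description, the following PowerShell function checks a host for the artefacts listed above under Installation, Spreading on removable media and the firewall exception. The file paths, registry keys, value names and the 56971-byte size are those on this page; the function name, its parameter, the SysWOW64 and Wow6432Node variants checked for 64-bit hosts, and the output format are this example's own assumptions. It needs an elevated Windows PowerShell 5.1 (or later) session.

```powershell
# Added example (not ESET's code): sweep a Windows host for the indicators this
# page lists for Win32/AutoRun.IRCBot.AK. Run from an elevated PowerShell session.
# Indicator values come from the page; the function name, parameter and output
# shape are assumptions of this example.
function Find-AutoRunIrcBotAK {
    [CmdletBinding()]
    param(
        # Size the page reports for netmon.exe and the removable-media copy.
        [int]$ExpectedSize = 56971
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # 1. Dropped files. A 32-bit dropper running under WoW64 on 64-bit Windows has its
    #    System32 writes redirected to SysWOW64, so both locations are checked (assumption).
    $files = @(
        "$env:windir\system\netmon.exe",
        "$env:windir\System32\drivers\sysdrv32.sys",
        "$env:windir\SysWOW64\drivers\sysdrv32.sys"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $len = (Get-Item -LiteralPath $f).Length
            Add-Finding 'File' $f ("size={0}, page reports {1}" -f $len, $ExpectedSize)
        }
    }

    # 2. Run key persistence, Safe Mode allow-list, driver service and firewall exception.
    #    For the SafeBoot keys and the service key, the key name itself is the indicator.
    $regChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';             Value = 'netmon';    KeyOnly = $false }
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Value = 'netmon';    KeyOnly = $false }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon';  Value = '(default)'; KeyOnly = $true }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netmon';  Value = '(default)'; KeyOnly = $true }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sysdrv32';                Value = 'ImagePath'; KeyOnly = $true }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
           Value = "$env:windir\system\netmon.exe"; KeyOnly = $false }
    )
    foreach ($c in $regChecks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        $prop  = if ($props) { $props.PSObject.Properties[$c.Value] } else { $null }
        if ($prop) {
            Add-Finding 'Registry' $c.Key ('"{0}" = {1}' -f $c.Value, $prop.Value)
        } elseif ($c.KeyOnly) {
            Add-Finding 'Registry' $c.Key 'key present (expected value missing)'
        }
    }

    # 3. The driver as the Service Control Manager sees it (Get-Service omits kernel drivers).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='sysdrv32'"
    if ($drv) {
        Add-Finding 'Driver' $drv.PathName ("DisplayName='{0}' State={1}" -f $drv.DisplayName, $drv.State)
    }

    # 4. Removable drives (Win32_LogicalDisk DriveType 2): the worm's copy and its autorun.inf.
    foreach ($disk in @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2')) {
        foreach ($name in 'strongkey-rc1.3-build-208.exe', 'autorun.inf') {
            $p = "$($disk.DeviceID)\$name"
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                Add-Finding 'RemovableMedia' $p ("size={0}" -f (Get-Item -LiteralPath $p).Length)
            }
        }
    }

    return $findings.ToArray()
}

# Usage: print every indicator found on this host.
$hits = @(Find-AutoRunIrcBotAK)
if ($hits.Count -eq 0) { Write-Host 'No Win32/AutoRun.IRCBot.AK indicators found.' }
else { $hits | Format-Table -AutoSize }
```

The sweep reports the Enum subkey indirectly through the service check; a found driver with State of Running means the kernel component is loaded and the host should be treated as fully compromised rather than cleaned file by file. The IRC server name listed above is best checked separately against DNS and proxy logs, since a running bot may not hold a connection open at the moment the sweep runs.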