Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.BN [Threat Variant Name]

Category: worm
Size: 89088 B
Aliases: Email-Worm.Win32.BSpread.b (Kaspersky), W32/Pushbot (McAfee), Worm:Win32/Pushbot.OP (Microsoft)
Short description

Win32/AutoRun.IRCBot.BN is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\win7service.exe (89088 B)

This copy of the worm is then executed.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Driver Setup" = "%windir%\win7service.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "Microsoft Driver Setup" = "%windir%\win7service.exe"
Spreading

Win32/AutoRun.IRCBot.BN is a worm that spreads via removable media.


The worm creates the following folders:

  • %drive%\RECYCLER\S-51-9-25-3434476501-1644491938-601013333-1214\

The following files are dropped in the same folder:

  • sysmngr32.exe (89088 B)
  • Desktop.ini

The following file is dropped:

  • %drive%\autorun.inf

The autorun.inf file ensures the worm is launched each time the infected media is inserted into a computer on which AutoRun is enabled.


The worm spreads itself by exploiting various vulnerabilities in the operating system of the targeted machines.

Other information

The following services are disabled:

  • Windows Firewall/Internet Connection Sharing (ICS)

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%filepath%" = "%filepath%:*:%windir%\win7service.exe"
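
The host indicators listed in the Installation, Spreading and firewall sections above can be checked with the following read-only script, which is an added example and not part of the ESET entry. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-NetTCPConnection is not available on older systems); it only reports and removes nothing.

```powershell
# Added example (not from the ESET entry): report Win32/AutoRun.IRCBot.BN
# host indicators. Read-only. Assumes elevated PowerShell on Windows 8+.

$findings = New-Object System.Collections.Generic.List[string]
$dropper  = Join-Path $env:windir 'win7service.exe'

# 1. Dropped copy of the worm in %windir%
if (Test-Path -LiteralPath $dropper) { $findings.Add("File present: $dropper") }

# 2. Autostart value "Microsoft Driver Setup" in both Run keys
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
foreach ($key in $runKeys) {
  $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Microsoft Driver Setup'
  if ($val) { $findings.Add("Autostart: $key -> $val") }
}

# 3. Windows Firewall exception that whitelists win7service.exe
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
  $fw.PSObject.Properties | Where-Object { $_.Value -like '*win7service.exe*' } |
    ForEach-Object { $findings.Add("Firewall exception: $($_.Name) = $($_.Value)") }
}

# 4. Removable drives (DriveType 2): RECYCLER\S-51-... folder and root autorun.inf
$sidDir = 'RECYCLER\S-51-9-25-3434476501-1644491938-601013333-1214'
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
  $root = $_.DeviceID + '\'
  foreach ($rel in @($sidDir, 'autorun.inf')) {
    $p = Join-Path $root $rel
    if (Test-Path -LiteralPath $p) { $findings.Add("Removable media: $p") }
  }
}

# 5. Live TCP connections to the C&C port used by this variant (TCP 47221)
Get-NetTCPConnection -RemotePort 47221 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $findings.Add("Connection: $($_.RemoteAddress):$($_.RemotePort) PID $($_.OwningProcess)")
  }

if ($findings.Count -eq 0) { 'No Win32/AutoRun.IRCBot.BN indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any of checks 1 to 3 indicates an installed copy; a hit on check 4 alone means the media is a carrier and should be cleaned before it is inserted into another machine.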

The following programs are terminated:


The worm acquires data and commands from a remote computer or the Internet.


The worm connects to the following addresses:

  • web.world1shop.com (TCP:47221)
  • web.unibaq.com (TCP:47221)
  • web.installloader.com (TCP:47221)
  • web.installloader.cn (TCP:47221)
  • web.tamiflushop.net (TCP:47221)
  • web.world1business.net (TCP:47221)
  • web.world1music.info (TCP:47221)
  • web.tamiflushop.org (TCP:47221)

The IRC protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • remove itself from the infected computer
  • perform port scanning

The worm may create the following files:

  • c:\windows\log32.txt
  • %temp%\removeMe%random1%.bat
  • %temp%\eraseme_%random2%.exe

A string with variable content is used in place of %random1% and %random2%.
