Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.FC [Threat Variant Name]

Category: worm
Size: 81920 B
Detection created: Apr 22, 2010
Detection database version: 10120
Aliases: Net-Worm.Win32.Mytob.gvm (Kaspersky)
  W32.IRCBot.Gen (Symantec)
  Trojan:Win32/Qhost.gen!D (Microsoft)
Short description

Win32/AutoRun.IRCBot.FC is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\winnt.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Policy Management" = "winnt.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarepath%" = "%malwarepath%:*:Enabled:Windows Policy Management"

This Registry entry adds the worm's executable to the Windows Firewall exception list, so its network traffic is not blocked.

The worm quits immediately if it detects a running process containing one of the following strings in its name:

  • Wireshark
  • tcpview
  • filemon
  • procmon

The worm quits immediately if the Windows user name is one of the following:

  • sandbox
  • honey
  • vmware
  • currentuser

The worm quits immediately if it is run within a debugger.

Spreading

The worm inserts a copy of itself into RAR archives.

The file name is randomly generated.

Spreading via IM networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via IM networks.

If MSN Live Messenger, Yahoo! Messenger or AIM is installed on the infected system, the worm sends a message containing a URL to all contacts.

If the link is clicked, a copy of the worm is downloaded.

Spreading on removable media

The worm creates the following folders:

  • %drive%\driver\usb

The following files are dropped into the %drive%\driver\usb folder:

  • %variable% (81920 B)
  • desktop.ini

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time the infected media is inserted into a computer.

%variable% stands for a string with variable content.

Spreading via P2P networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:

  • Bearshare
  • eDonkey2000
  • eMule
  • Grokster
  • ICQ
  • Kazaa
  • Kazaa Lite
  • Limewire
  • Morpheus
  • Tesla
  • WinMX

It tries to place a copy of itself into these folders.

The following file names are used:

  • Autoloader.exe
  • DDOSPING.exe
  • Ebooks.exe
  • FREEPORN.exe
  • fuckshitcunt.scr
  • headjobs.scr
  • HotmailHacker.exe
  • How-to-make-money.exe
  • ilovetofuck.scr
  • image.scr
  • LimeWireCrack.exe
  • MSNHacks.exe
  • paris-hilton.scr
  • Porno.MPEG.exe
  • porno.scr
  • RapidsharePREMIUM.exe
  • ScreenMelter.exe
  • VistaUltimate-Crack.exe
  • WildHorneyTeens.scr
  • Wireshark.exe
  • YahooCracker.exe

Other information

The worm acquires data and commands from a remote computer or the Internet. The IRC protocol is used.

The worm connects to the following addresses:

  • alpha20.ishell.net

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • retrieve information from protected storage and send it to the remote computer
  • collect information about the operating system used
  • send gathered information
  • perform DoS/DDoS attacks
  • set up a proxy server

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file:

  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 kaspersky-labs.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 avp.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 www.grisoft.com
  • 127.0.0.1 virustotal.com
  • 127.0.0.1 www.virustotal.com
  • 127.0.0.1 virscan.org
  • 127.0.0.1 www.virscan.org
  • 127.0.0.1 scanner.novirusthanks.org
  • 127.0.0.1 www.scanner.novirusthanks.org
  • 127.0.0.1 virusscan.jotti.org
  • 127.0.0.1 www.virusscan.jotti.org
  • 127.0.0.1 threatexpert.com
  • 127.0.0.1 ask.com

By mapping these hostnames to the loopback address, the worm blocks access to the listed security vendor and online scanner websites, preventing updates and removal tools from being downloaded.
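
A defender-side check for this behaviour, added here as an example (not ESET's code): it parses hosts-file text and flags every entry that maps a security vendor or online scanner hostname to a loopback or unspecified address. The vendor domain list is built from the entries above and the sample hosts content is constructed for the example.

```python
import ipaddress
import re

# Apex domains of the vendors and online scanners in the hosts entries listed
# above (constructed for this example); any subdomain of these also matches.
SUSPECT_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "viruslist.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com", "virustotal.com",
    "virscan.org", "novirusthanks.org", "jotti.org", "threatexpert.com",
}

def _is_sinkhole(addr: str) -> bool:
    """True when the mapped address can never reach the real host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed address field, not a hosts mapping
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_suspect(hostname: str) -> bool:
    """Match the apex domain or any subdomain (www., liveupdate., ...)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def find_hijacked_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each sinkholed vendor host."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)    # one address, one or more names
        if _is_sinkhole(addr):
            findings.extend((lineno, addr, n) for n in names if _is_suspect(n))
    return findings

# Constructed sample: legitimate localhost lines, then entries like the worm's.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 virusscan.jotti.org   # appended by the worm
"""

if __name__ == "__main__":
    for lineno, addr, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {addr}")
```

On a live system, read %system%\drivers\etc\hosts and pass its contents to find_hijacked_entries; any finding indicates the tampering described above.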

The worm may execute the following commands:

  • netsh firewall add allowedprogram 1.exe 1 ENABLE
