Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.HJ [Threat Variant Name]

Category worm
Size 71169 B
Aliases Trojan.ADH.2 (Symantec)
  Trojan:Win32/Malex (Microsoft)
  Generic.dx!ycv (McAfee)
Short description

Win32/AutoRun.IRCBot.HJ is a worm that spreads via removable media and IM networks.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\svchosts.exe (71169 B)

The worm may create the following files:

  • %temp%\google_cache2.tmp
  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Svhosts System" = "%appdata%\svchosts.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Svhosts System" = "%appdata%\svchosts.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%appdata%\svchosts.exe" = "%appdata%\svchosts.exe:*:Enabled:Windows Svhosts System"

This entry adds the worm's executable to the Windows Firewall list of authorized applications, so its network traffic is exempted from the firewall's filtering.
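The Run-key value and the AuthorizedApplications\List entry above are the two host artifacts a defender can look for. The following Python script is an added example, not part of the ESET description and not the worm's own code: it audits a .reg export of those two keys for two traits this variant shows, an autostart binary living in a user-writable directory such as %appdata%, and a filename that imitates a Windows system binary (svchosts.exe versus svchost.exe). The .reg fragment embedded in it is constructed from the entries on this page plus benign filler lines; the marker strings and the list of system binary names are the example's own assumptions. On a real host, export the two keys with `reg export` and pass the file contents to `audit_reg_export`.

```python
import re
from os.path import basename

# Constructed .reg-style export containing the two entries described on this page,
# plus benign filler lines so the audit has something it must leave alone.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Svhosts System"="%appdata%\\svchosts.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%appdata%\\svchosts.exe"="%appdata%\\svchosts.exe:*:Enabled:Windows Svhosts System"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
"""

# .reg syntax: [key] headers and "name"="data" lines, with \ escaping " and \ inside strings.
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# AuthorizedApplications\List data format: <path>:<scope>:<Enabled|Disabled>:<display name>
_FW_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")

RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
FW_LIST_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("%appdata%", "%temp%", "%userprofile%", "\\appdata\\", "\\temp\\")
# Assumed short list of Windows binaries whose names malware commonly imitates.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe"}


def _unescape(s: str) -> str:
    # Undo .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance, enough to spot one-character lookalike names.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of_system_binary(path: str):
    """Return the system binary name this filename imitates (edit distance 1), or None."""
    name = basename(path.replace("\\", "/")).lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if _edit_distance(name, real) <= 1), None)


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def audit_reg_export(text: str):
    """Return findings for Run-key autostarts and firewall exceptions that match this worm's traits."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group("name")), _unescape(m.group("data"))
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            reasons = []
            if in_user_writable_dir(data):
                reasons.append("autostart binary in a user-writable directory")
            real = lookalike_of_system_binary(data)
            if real:
                reasons.append(f"filename mimics {real}")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
        elif k.endswith(FW_LIST_SUFFIX):
            fw = _FW_RE.match(data)
            if fw and fw.group("state") == "Enabled" and in_user_writable_dir(fw.group("path")):
                findings.append({"key": key, "name": name, "data": data,
                                 "reasons": [f"firewall exception for {fw.group('path')} ({fw.group('name')})"]})
    return findings


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\n  {f['name']!r}: {'; '.join(f['reasons'])}")
```

The firewall check deliberately keys on the executable's location rather than on the display name, because the name ("Windows Svhosts System") is free text the malware chooses, while a firewall exception for a binary under %appdata% is unusual for legitimate software and survives a rename of the dropped file.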

Spreading via IM networks

Win32/AutoRun.IRCBot.HJ is a worm that spreads via IM networks.


The worm sends links to MSN users.


The worm spreads through links which point to websites containing malware.


The messages contain the following text:

  • Have you seen this? lol! %url%
  • my god this is how jesus used to look :o :o ??? %url%
  • check for me if its working please :S %url%
  • your video ???? heheheh lol! %url%
  • your photo? %url%
  • heheheheeheeee! %url%
  • new pictures hehehehehe lol! %url%
  • guardare quest lol! %url%
  • You know someone tried to kill obama today!? %url%
  • bekijk deze lol! %url%
  • mira esta lol! %url%
  • Facebook desktop application, update your facebook from your desktop!! %url%
  • check this looooooooooool %url%

If the link is clicked a copy of the worm is downloaded.

Spreading on removable media

Win32/AutoRun.IRCBot.HJ is a worm that spreads via removable media.


The worm copies itself to the following location:

  • %drive%\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\usbdrivers.exe

The following file is dropped in the same folder:

  • Desktop.ini

The worm creates the following file:

  • %drive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
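The autorun.inf described above is a plain INI file, so a defender triaging a removable drive can parse it and ask the questions that distinguish this kind of file from a harmless one: does it launch a program at all, is that program buried in a deep directory rather than at the drive root, and does its action= text repeat Explorer's own "Open folder to view files" prompt so that the user launches it believing they are merely opening the drive. The following Python is an added example, not code from the ESET description or from the worm; the sample autorun.inf is constructed in the shape the page describes (the exact contents of the real file are not on the page), and the list of launch keys, executable suffixes and the default-prompt string are the example's assumptions.

```python
import configparser

# Constructed autorun.inf in the shape this page describes: a launch path pointing at
# the worm's copy on the drive. The real file's exact contents are not given on the page.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\usbdrivers.exe
shellexecute=AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\usbdrivers.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign counterpart: a CD autorun that only sets an icon and a label.
BENIGN_AUTORUN_INF = r"""
[autorun]
icon=setup.ico
label=Product Installer
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# AutoPlay's own default prompt; an autorun.inf that repeats it as its action= text is
# steering the user into launching its target while believing they are opening the drive.
EXPLORER_DEFAULT_ACTIONS = {"open folder to view files"}


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def launch_targets(text: str):
    """Every (key, path) pair in the file that can start a program on insertion or open."""
    targets = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute=, and any shell\<verb>\command= can all launch a program.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def assess_autorun(text: str):
    """List of human-readable reasons this autorun.inf deserves a closer look (empty = nothing found)."""
    entries = parse_autorun(text)
    reasons = []
    for key, target in launch_targets(text):
        exe = target.split()[0].strip('"').lower()          # drop arguments and quotes
        if exe.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"{key}= launches an executable: {target}")
        depth = exe.replace("\\", "/").count("/")
        if depth >= 2:
            reasons.append(f"{key}= target is buried {depth} directories deep")
    if entries.get("action", "").strip().lower() in EXPLORER_DEFAULT_ACTIONS:
        reasons.append("action= imitates Explorer's own 'Open folder to view files' prompt")
    return reasons


if __name__ == "__main__":
    for label, inf in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, "->", assess_autorun(inf) or "no findings")
```

The depth heuristic reflects the layout on this page: the worm's copy sits two directories below the drive root, inside folders with meaningless names, where a user browsing the drive is unlikely to notice it, whereas a legitimate installer autorun normally points at a file in the root. The more robust mitigation remains disabling AutoRun for removable drives through policy, which makes the contents of autorun.inf irrelevant.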

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a URL address. The IRC protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • collect information about the operating system used
  • spread via IM networks
  • open a specific URL address
  • update itself to a newer version
  • remove itself from the infected computer
  • send gathered information

The worm can modify the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file:

  • 127.0.0.1 www.pandasoftware.com
  • 127.0.0.1 www.norton.com
  • 127.0.0.1 www.nod32.com
  • 127.0.0.1 www.microsoft.com
  • 127.0.0.1 www.macafee.com
  • 127.0.0.1 www.kaspersky-labs.com
  • 127.0.0.1 www.hotmail.com
  • 127.0.0.1 www.download.mcafee.com
  • 127.0.0.1 pandasoftware.com
  • 127.0.0.1 norton.com
  • 127.0.0.1 nod32.com
  • 127.0.0.1 microsoft.com
  • 127.0.0.1 macafee.com
  • 127.0.0.1 bitdefender.com
  • 127.0.0.1 www.virusscan.jotti.org
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 www.virscan.org
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.grisoft.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 virustotal.com
  • 127.0.0.1 virusscan.jotti.org
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 virscan.org
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 threatexpert.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 scanner.novirusthanks.org
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 kaspersky-labs.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 avp.com
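Every entry in the list above maps a security vendor, update server or online scanner to 127.0.0.1, so name resolution for those sites fails on the infected machine and the security software cannot update or phone home. The pattern is easy to audit generically: any non-local hostname mapped to loopback (or 0.0.0.0) in %system%\drivers\etc\hosts is suspect. The following Python is an added example, not part of the ESET description or of the worm: it parses a hosts file, reports the sinkholed names, and produces a cleaned copy with only those lines removed. The embedded hosts file is constructed from a few of the domains listed above, the stock Windows header comments and one legitimate internal mapping that the audit must leave alone; the set of benign loopback names is the example's assumption.

```python
import ipaddress

# Constructed hosts file: stock Windows header comments, the worm's style of loopback
# entries for a few of the domains listed on this page, and one legitimate internal
# mapping that an audit must not flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.kaspersky.com
127.0.0.1 update.symantec.com
127.0.0.1 virustotal.com
10.0.0.5  intranet.example.test   # legitimate internal mapping
"""

# Names that are normally and harmlessly mapped to loopback (assumed list).
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str):
    """Return (line number, ip address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not a hosts mapping line
        for name in parts[1:]:                     # one IP may carry several names
            entries.append((lineno, ip, name.lower()))
    return entries


def find_sinkholed_hosts(text: str):
    """Mappings that send a non-local hostname to loopback or 0.0.0.0, the worm's trick."""
    return [(lineno, name) for lineno, ip, name in parse_hosts(text)
            if (ip.is_loopback or ip.is_unspecified) and name not in BENIGN_LOOPBACK_NAMES]


def strip_sinkholed(text: str) -> str:
    """Return the hosts file with the sinkholed lines removed and everything else untouched."""
    bad = {lineno for lineno, _ in find_sinkholed_hosts(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is sinkholed")
    print(strip_sinkholed(SAMPLE_HOSTS))
```

Removing the entries restores resolution, but it is only part of the clean-up: the worm also tampers with the security processes named below and re-adds its Run-key value on start, so the hosts file should be repaired after the executable and its persistence entries are gone, and then re-checked.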

The worm interferes with the operation of some security applications to avoid detection.


The worm alters the behavior of the following processes:

  • avp.exe
  • norton.exe
  • ccsvchst.exe
  • kaspersky.exe
  • mcafee.exe
