Win32/IRCBot [Threat Name] go to Threat

Win32/IRCBot.AMC [Threat Variant Name]

Category trojan,worm
Size 94440 B
Aliases Worm:Win32/Neeris.gen!D (Microsoft)
  BackDoor-EFR.trojan (McAfee)
  Win32:Inject-XW (Avast)
  TR/Hamweq.A (Avira)
  Backdoor.SDBot.DGBA (BitDefender)
Short description

Win32/IRCBot.AMC is a worm that spreads via removable media and by exploiting the CVE-2010-2729 vulnerability.


When executed, the worm copies itself into the following location:

  • %windir%\­system\­1sass.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "lsass" = "%windir%\­system\­1sass.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Minimal\­lsass]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Network\­lsass]
    • "(Default)" = "Service"

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%windir%\­system\­1sass.exe" = "%windir%\­system\­1sass.exe:*:Microsoft Enabled"

The performed data entry creates an exception in the Windows Firewall program.

The worm may create the following files:

  • %windir%\­system32\­drivers\­sysdrv32.sys (11656 B, Win32/TCPZ.A)

The worm may install the following system drivers (path, name):

  • %windir%\­system32\­drivers\­sysdrv32.sys, sysdrv32

The worm quits immediately if the user name is one of the following:

  • sandbox
  • vmware

After the installation is complete, the worm deletes the original executable file.


The worm searches for computers in the local network.

It connects to remote machines and tries to exploit the CVE-2010-2729 .

If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm .

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Key-Installer.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

Win32/IRCBot.AMC is a worm that steals sensitive information.

The worm collects the following information:

  • computer name
  • information about the operating system and system settings
  • operating system version

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (1) addresses. The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself

The worm opens a random TCP port. An HTTP server is listening there.

The worm hides its running process.

Please enable Javascript to ensure correct displaying of this content and refresh this page.