Win32/IRCBot [Threat Name]

Win32/IRCBot.OO [Threat Variant Name]

Category trojan
Detection created Jul 26, 2005
Detection database version 1345
Short description

Win32/IRCBot.OO is an IRC-controlled backdoor. It is able to spread via IM networks. The file is run-time compressed using MEW.

Installation

When executed, the backdoor copies itself into the %system% folder using the following name:

  • wgavn.exe

The backdoor registers itself as a system service using the following name:

  • Windows Genuine Advantage Validation Notification

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    • "EnableDCOM" = "n"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center]
    • "antivirusdisablenotify" = 1
    • "antivirusoverride" = 1
    • "firewalldisablenotify" = 1
    • "firewalldisableoverride" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
    • "enablefirewall" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
    • "enablefirewall" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\wgavn.exe"
    • "DisplayName" = "Windows Genuine Advantage Validation Notification"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability."
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn\Enum]
    • "0" = "Root\LEGACY_WGAVN\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    • "restrictanonymous" = 1
    • "restrictanonymoussam" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    • "autoshareserver" = 0
    • "autosharewks" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVN]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVN\0000]
    • "Service" = "wgavn"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "Windows Genuine Advantage Validation Notification"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00<%variable%>\Enum\Root\LEGACY_WGAVN\0000]
    • "Class" = "LegacyDriver"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVN\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "wgavn"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
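
The registry entries above are the durable host artifacts of this variant: a fake "Windows Genuine Advantage" service for persistence, Security Center notifications silenced, both Windows Firewall profiles switched off and the SharedAccess (firewall) service disabled. The script below is an added example, not ESET's code, that checks a registry export in the standard `.reg` text format for exactly those settings and reports which are present. The `.reg` text embedded in it is constructed for the demo; only the key paths, value names and values come from the description above, and the `C:\WINDOWS\system32` path stands in for `%system%`.

```python
"""Check a Windows registry export (.reg text) for the settings attributed to
Win32/IRCBot.OO above. Added example, not ESET's code. SAMPLE_REG and
CLEAN_REG are constructed inputs; the key/value names mirror the description."""
import re
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, object]]
HKLM = "hkey_local_machine\\"

# (key, value name, expected value, meaning) -- all taken from the description.
# Keys and names are lower-cased because the registry is case-insensitive.
INDICATORS = [
    (HKLM + r"software\microsoft\ole", "enabledcom", "n", "DCOM disabled"),
    (HKLM + r"software\microsoft\security center", "antivirusdisablenotify", 1, "AV warnings suppressed"),
    (HKLM + r"software\microsoft\security center", "antivirusoverride", 1, "AV status overridden"),
    (HKLM + r"software\microsoft\security center", "firewalldisablenotify", 1, "firewall warnings suppressed"),
    (HKLM + r"software\microsoft\security center", "firewalldisableoverride", 1, "firewall status overridden"),
    (HKLM + r"software\policies\microsoft\windowsfirewall\domainprofile", "enablefirewall", 0, "firewall off (domain)"),
    (HKLM + r"software\policies\microsoft\windowsfirewall\standardprofile", "enablefirewall", 0, "firewall off (standard)"),
    (HKLM + r"system\currentcontrolset\services\sharedaccess", "start", 4, "SharedAccess service disabled"),
    (HKLM + r"system\currentcontrolset\services\wgavn", "displayname",
     "Windows Genuine Advantage Validation Notification", "fake WGA service registered"),
]
WGAVN_SERVICE = HKLM + r"system\currentcontrolset\services\wgavn"


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of the .reg format needed here: [Key] headers,
    "name"="string" values (with \\ unescaped) and "name"=dword:XXXXXXXX values."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith("dword:"):
                tree[current][name] = int(value[6:], 16)
            elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                tree[current][name] = value[1:-1].replace("\\\\", "\\")
            else:
                tree[current][name] = value
    return tree


def scan_for_ircbot_oo(tree: RegTree) -> List[str]:
    """Return one human-readable finding per indicator present in the export."""
    findings: List[str] = []
    for key, name, expected, meaning in INDICATORS:
        observed = tree.get(key, {}).get(name)
        if observed is None:
            continue
        if isinstance(expected, str):
            hit = isinstance(observed, str) and observed.lower() == expected.lower()
        else:
            hit = observed == expected
        if hit:
            findings.append(f"{meaning}: [{key}] {name} = {observed!r}")
    # The ImagePath is a separate check: the description gives it as %system%\wgavn.exe,
    # so match on the file name rather than the expanded directory.
    image = tree.get(WGAVN_SERVICE, {}).get("imagepath")
    if isinstance(image, str):
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if basename == "wgavn.exe":
            findings.append(f"service binary wgavn.exe: [{WGAVN_SERVICE}] imagepath = {image!r}")
    return findings


# Constructed export of an infected host (values from the description above).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="n"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallDisableOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\wgavn.exe"
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed export of a clean host: Security Center notifications enabled, no wgavn service.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_REG), ("clean", CLEAN_REG)):
        hits = scan_for_ircbot_oo(parse_reg_export(text))
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  ", h)
```

On a live host the input would be the output of `reg export HKLM hklm.reg` (saved as UTF-16 by default, so decode it before parsing). The Security Center and firewall flags are deliberately reported individually: a single one can be set legitimately by an administrator, so the useful signal is several of them appearing together with the unknown service.
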
Spreading via IM networks

The backdoor sends links to AOL Instant Messenger users.

If the link is clicked, a copy of the backdoor is downloaded.

Other information

The backdoor connects to the following addresses:

  • ljrpq.haxx.biz
  • eepny.stjohnspark.net

The IRC protocol is used.

It can be controlled remotely.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • various filesystem operations
  • perform DoS/DDoS attacks
