| Field | Value |
|---|---|
| Malware name | Worm.IrcBot.19968.20 |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 175528310DA902DBBE27F005815A2B79 |
| Static file | yes |
| Filesize | 19,968 Bytes |

Alias names (also known as):

| Vendor | Name |
|---|---|
| Sophos | Troj/IRCBot-ABO |
| McAfee | W32/IRCbot.gen.a |
| CA ETrust | Win32/IRCBot.CG |

Protection:

| Product | Version |
|---|---|
| Webwasher Anti Malware | 7000.4015.x |

Side effects:
- Blocks access to certain websites
- Blocks access to security websites
- Registry modification
- Third party control
Description:
Files
It copies itself to the following location:
• %SYSDIR%\initserv.exe
It deletes the initially executed copy of itself.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• Microsoft Initialization Services="initserv.exe"
Messenger
It spreads via Messenger. The characteristics are described below:
– MSN Messenger
To: All entries in the contact list.
Rootkit Technology
The malware uses rootkit techniques to hide its presence from system utilities, security applications and, ultimately, from the user.
Hides the following:
– Its own process
IRC
To deliver system information and to provide remote control, it connects to the following IRC server:
Server: nagasaki.japancorporation.**********
Port: 9103
Server password: su1c1d3
Channel: #net
Nickname: \00\USA\%10 digit random character string%
Password: n3t!
– This malware has the ability to collect and send information such as:
• Platform ID
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Download file
• Edit registry
• Execute file
• Leave IRC channel
• Start spreading routine
• Visit a website
Hosts
The hosts file is modified as follows:
– Existing entries are deleted.
– Access to the following domains is effectively blocked:
• jayloden.com; www.jayloden.com; www.spywareinfo.com; spywareinfo.com;
www.spybot.info; spybot.info; kaspersky.com; kaspersky-labs.com;
www.kaspersky.com; www.majorgeeks.com; majorgeeks.com;
securityresponse.symantec.com; symantec.com; www.symantec.com;
updates.symantec.com; liveupdate.symantecliveupdate.com;
liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
www.sophos.com; sophos.com; www.virustotal.com; virustotal.com;
www.mcafee.com; mcafee.com; rads.mcafee.com; mast.mcafee.com;
download.mcafee.com; dispatch.mcafee.com; us.mcafee.com;
www.trendsecure.com; trendsecure.com; www.viruslist.com;
viruslist.com; www.hijackthis.de; hijackthis.de; f-secure.com;
www.f-secure.com; Merijn.org; www.Merijn.org; www.avp.com; avp.com;
analysis.seclab.tuwien.ac.at; www.bleepingcomputer.com;
bleepingcomputer.com; trendmicro.com; www.trendmicro.com;
www.safer-networking.org; safer-networking.org; grisoft.com;
www.grisoft.com
The modified hosts file will look like this:
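The blocking described above is the kind of change a defender can detect directly: every hosts-file line that maps one of the listed vendor domains anywhere is a finding, whatever address it points to. The following is an added example and not code from the original writeup: the domain list is the one given in the description, while the sample hosts content is constructed, and the 127.0.0.1 / 0.0.0.0 redirect targets in it are an assumption about what the bot's entries look like. It goes slightly beyond the page's exact list by also flagging hosts under a listed domain (for example ftp.kaspersky.com), since any hosts-file mapping under a vendor domain is equally suspect.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not code from the original writeup. BLOCKED_DOMAINS holds the
domains the description lists; SAMPLE_HOSTS is a constructed hosts file, and
the 127.0.0.1 / 0.0.0.0 redirect targets in it are an assumption about what
the bot's entries look like.
"""
from typing import Dict, List, Optional

# Domain list copied from the description (separator ';'), matched case-insensitively.
BLOCKED_DOMAINS_RAW = """
jayloden.com; www.jayloden.com; www.spywareinfo.com; spywareinfo.com;
www.spybot.info; spybot.info; kaspersky.com; kaspersky-labs.com;
www.kaspersky.com; www.majorgeeks.com; majorgeeks.com;
securityresponse.symantec.com; symantec.com; www.symantec.com;
updates.symantec.com; liveupdate.symantecliveupdate.com;
liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
www.sophos.com; sophos.com; www.virustotal.com; virustotal.com;
www.mcafee.com; mcafee.com; rads.mcafee.com; mast.mcafee.com;
download.mcafee.com; dispatch.mcafee.com; us.mcafee.com;
www.trendsecure.com; trendsecure.com; www.viruslist.com;
viruslist.com; www.hijackthis.de; hijackthis.de; f-secure.com;
www.f-secure.com; Merijn.org; www.Merijn.org; www.avp.com; avp.com;
analysis.seclab.tuwien.ac.at; www.bleepingcomputer.com;
bleepingcomputer.com; trendmicro.com; www.trendmicro.com;
www.safer-networking.org; safer-networking.org; grisoft.com;
www.grisoft.com
"""
BLOCKED_DOMAINS = {d.strip().lower() for d in BLOCKED_DOMAINS_RAW.split(";") if d.strip()}

# Constructed sample: two legitimate localhost lines, three hijacked vendor
# entries (one via a subdomain that is not listed verbatim) and one unrelated host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com symantec.com
127.0.0.1 kaspersky.com
0.0.0.0   ftp.kaspersky.com   # subdomain of a listed domain
127.0.0.1 www.example.com
"""


def matches_blocklist(hostname: str) -> Optional[str]:
    """Return the blocklisted domain covering hostname (exact or any parent), else None.

    Checking parents generalises the exact list: a mapping for any host under a
    vendor domain (e.g. ftp.kaspersky.com) is just as suspicious in a hosts file.
    """
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for each effective hosts-file line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                           # malformed line: no hostname
        yield line_no, fields[0], fields[1:]


def find_hijacked(text: str) -> List[Dict]:
    """Return one finding per hosts line that maps a blocklisted domain anywhere."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        hits = [n.lower() for n in names if matches_blocklist(n)]
        if hits:
            findings.append({"line": line_no, "ip": ip, "domains": hits})
    return findings


if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['domains'])}")
```

On a live Windows host the text to scan is the contents of `%SystemRoot%\System32\drivers\etc\hosts`; because the bot also deletes pre-existing entries, a hosts file that has lost entries the administrator expects is a second signal worth checking alongside these findings.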
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX