W32/Sdbot.18976

Type
Trojan
SubType
-
Discovery Date
10/07/2003
Length
18,976 bytes
Minimum DAT
4245 (01/29/2003)
Updated DAT
4245 (01/29/2003)
Minimum Engine
5.1.00
Description Added
10/07/2003
Description Modified
10/07/2003 1:10 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This threat is considered to be a Low-Profiled risk due to media attention at: http://theinquirer.net/?article=11983

McAfee customers are proactively protected from this threat when using the 4245 DAT files (or newer) and the scanning of compressed executables option is enabled (default setting).  The threat will be identified as IRC-Sdbot or W32/Sdbot.worm.gen.

This is not a virus but a trojan, which does not self-replicate.  However, it was recently spammed to a large number of email addresses with the following message:

From: updates@symantec.com
Subject: Last Update.
Body:
October 06, 2003
Intruder Alert 4.1 W32_Webb_Worm Policy
This policy detects the propagation of the W32.SobigF.Worm through
changes in the registry.

W32.Webb.F@mm is a mass-mailing, network-aware worm that sends
itself to all the email addresses it finds in various files.
The worm uses its own SMTP engine to propagate and attempts
to create a copy of itself on accessible network shares, but
fails due to bugs in the code.

In attachment you can find program that update your Norton Antivirus to
Norton Antivirus 2004.

Attachment: nav32.zip

The nav32.zip attachment contains the file nav32.exe.  When the executable is extracted and run, the trojan copies itself to the WINDOWS SYSTEM directory as RPCX1sq23.exe and a registry run key is created to load the trojan at startup:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windowsupdate" = RPCX1sq23.exe R

The trojan attempts to connect to the IRC server itc.ourmoney.pp.ru, joins a specified channel, and waits for commands from a remote attacker.  Commands included:

  1. Retrieve system information (CPU, RAM, drive space, uptime, Windows version, IP address)
  2. Download and execute files
  3. Kill running processes
  4. Denial of Service attack

Symptoms

- Unexpected TCP connection to itc.ourmoney.pp.ru
- Presence of the file RPCX1sq23.exe
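The two symptoms above can be checked mechanically. The script below is an added example, not McAfee's tooling: it parses a Windows .reg export of the HKLM Run key and a list of observed outbound connections, flags the exact artifacts this description names, and, going one step beyond the page, also flags any Run entry whose binary is a bare filename with no path, which is how the trojan registers itself ("RPCX1sq23.exe R"). The VMware entry, the connection records and the port number are constructed sample data.

```python
"""Host-side indicator check for the W32/Sdbot.18976 artifacts (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_FILE = "rpcx1sq23.exe"          # file name from the description
IOC_HOST = "itc.ourmoney.pp.ru"     # IRC server from the description

# Constructed .reg export: one legitimate entry and the trojan's run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\vmtoolsd.exe\" -n vmusr"
"windowsupdate"="RPCX1sq23.exe R"
'''

# Constructed connection records: (process, remote host, remote port).
SAMPLE_CONNS = [
    ("outlook.exe", "mail.example.com", 110),
    ("RPCX1sq23.exe", "itc.ourmoney.pp.ru", 6667),
]

def parse_run_entries(reg_text):
    """Return {value_name: command} for REG_SZ values under RUN_KEY in a .reg export."""
    entries, in_run_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg files escape quotes and backslashes inside string data; undo that.
            entries[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries

def suspicious_run_entries(entries):
    """Flag the known Sdbot binary and any entry that launches a bare, path-less filename."""
    flagged = []
    for name, cmd in entries.items():
        # First token is the executable: either a quoted path or a run of non-spaces.
        m = re.match(r'^"([^"]+)"|^(\S+)', cmd.strip())
        exe = (m.group(1) or m.group(2)).lower()
        if exe.rsplit("\\", 1)[-1] == IOC_FILE or "\\" not in exe:
            flagged.append((name, cmd))
    return flagged

def suspicious_connections(conns):
    """Flag connections to the C2 host or any connection made by the IoC binary."""
    return [c for c in conns if c[1].lower() == IOC_HOST or c[0].lower() == IOC_FILE]

if __name__ == "__main__":
    print(suspicious_run_entries(parse_run_entries(SAMPLE_REG)))
    print(suspicious_connections(SAMPLE_CONNS))
```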

Method of Infection

This trojan was spammed to a large number of email addresses.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BKDR_SDBOT.441B1 (Trend)
  • Troj/Ircbot-M (Sophos)
  • W32.IRCBot.B (Symantec)
