W32/Polybot.gen!irc

Type
Virus
SubType
Internet Worm
Discovery Date
03/01/2004
Length
220-280 kb
Minimum DAT
4333 (03/03/2004)
Updated DAT
4722 (03/20/2006)
Minimum Engine
5.1.00
Description Added
03/10/2004
Description Modified
03/16/2004 1:10 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update 16th March, 2004 --
A new variant of this virus family has been discovered. It currently uses the filename soundman.exe (278,528 bytes). Detection for this variant will be added in the 4339 DATs as W32/Polybot.l!irc.
--

This is a family of polymorphic IRC bots based on the W32/Gaobot.worm group. At the time of writing the family had 19 variants (3 of which were "intended" viruses that could not replicate properly).

The polymorphism in W32/Polybot worms is achieved by adding an "envelope" around a compiled high-level-language (HLL) program of the worm. The envelope code re-encrypts the whole file every time it runs.

There are several other very closely related IRC bot families based on widely circulated Sdbot sources: IRC-Sdbot, W32/Sdbot.worm, W32/Randbot.worm and W32/Gaobot.worm. The total number of variants across all these families is growing very rapidly and exceeds 1700 different samples. These IRC bots provide backdoor capabilities and use IRC channels for command and control communication.

For maximum protection users are recommended to:

  • use the latest engine/DAT combination
  • ensure the scanning of compressed files is enabled

The following variants of W32/Polybot have been found so far:

 Filename      Filesize (bytes)  Minimum DAT
 SRVHOST.EXE   221,184           4333
 SRVHOST.EXE   221,649           4333
 SOUNDMAN.EXE  245,760           4336
 SOUNDMAN.EXE  241,664           4336
 CPSDV.EXE     229,376           4336
 SRVHOST.EXE   225,280           4336
 SRVHOST.EXE   241,664           4336
 NAVAPSVC.EXE  249,856           4337
 WINCRT32.EXE  245,760           4337
 SYSPOOL.EXE   249,856           4337
 WINCRT32.EXE  241,664           4337
 WININET.DLL   241,465           4337
 IPCONFIG.EXE  240,453           4337
 SOUNDMAN.EXE  278,528           4339

Symptoms

  • Detection of one of the files listed above in your %system% folder
  • Unexpected outbound traffic on port 6667 (IRC) to an external IRC server
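As an added triage helper (not part of this McAfee description), the check below turns the variant table and the two symptoms above into code: it matches a %system% directory listing against the filename/size pairs from the table, and flags outbound connections to port 6667 that leave the internal address space. The directory listing, connection log lines and internal ranges are constructed assumptions for the example; a name-only match is reported as low confidence because several of the names (e.g. WININET.DLL, IPCONFIG.EXE) are also legitimate Windows files.

```python
import ipaddress

# (filename, size in bytes) pairs taken from the variant table on this page.
POLYBOT_FILES = {
    ("SRVHOST.EXE", 221184), ("SRVHOST.EXE", 221649), ("SOUNDMAN.EXE", 245760),
    ("SOUNDMAN.EXE", 241664), ("CPSDV.EXE", 229376), ("SRVHOST.EXE", 225280),
    ("SRVHOST.EXE", 241664), ("NAVAPSVC.EXE", 249856), ("WINCRT32.EXE", 245760),
    ("SYSPOOL.EXE", 249856), ("WINCRT32.EXE", 241664), ("WININET.DLL", 241465),
    ("IPCONFIG.EXE", 240453), ("SOUNDMAN.EXE", 278528),
}
POLYBOT_NAMES = {name for name, _ in POLYBOT_FILES}

# Assumed internal ranges (RFC 1918); anything else counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data standing in for a real %system% listing and a
# firewall/netflow export of "src_ip dst_ip dst_port" records.
SAMPLE_LISTING = [("srvhost.exe", 221184), ("ipconfig.exe", 30000),
                  ("kernel32.dll", 12345)]
SAMPLE_CONN_LOG = ["10.0.0.5 192.0.2.10 6667",   # external IRC -> flag
                   "10.0.0.5 10.0.0.9 6667",     # internal IRC -> ignore
                   "10.0.0.5 192.0.2.10 443"]    # not IRC -> ignore

def check_system_dir(listing):
    """Return (filename, size, confidence) hits for a %system% listing.
    Exact name+size match is 'high'; name-only match is 'low' (needs triage)."""
    hits = []
    for name, size in listing:
        if (name.upper(), size) in POLYBOT_FILES:
            hits.append((name, size, "high"))
        elif name.upper() in POLYBOT_NAMES:
            hits.append((name, size, "low"))
    return hits

def flag_irc_connections(log_lines):
    """Return (src, dst) pairs talking to port 6667 on an external host."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "6667":
            continue
        src, dst = parts[0], parts[1]
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in INTERNAL_NETS):
            flagged.append((src, dst))
    return flagged

if __name__ == "__main__":
    print(check_system_dir(SAMPLE_LISTING))
    print(flag_irc_connections(SAMPLE_CONN_LOG))
```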

Method of Infection

All these worms copy themselves to the %system% folder when they are first executed on the system.

Some of them may use Exploit-DcomRpc to propagate to other computers, or try to spread through open network shares.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Agobot.fd (AVP)
  • Backdoor.Agobot.fe (AVP)
  • Backdoor.Agobot.ff (AVP)
  • BDS/Agobot.241664 (H+BEDV)
  • W32/Dsbot!irc
  • W32/Polybot.a!irc
  • W32/Polybot.b!irc
  • W32/Polybot.c!irc
  • W32/Polybot.d!irc
  • W32/Polybot.e!irc
  • W32/Polybot.f!irc
  • W32/Polybot.g!irc
  • W32/Polybot.h!irc
  • W32/Polybot.i!irc
  • W32/Polybot.j!irc
  • W32/Polybot.k!irc
  • Win32/HLLW.PolySpyBot (RAV)
