W32/IRCbot.gen.a
- Type
- Virus
- SubType
- Generic
- Discovery Date
- 11/29/2005
- Length
- Minimum DAT
- 4639 (11/29/2005)
- Updated DAT
- 5808 (11/20/2009)
- Minimum Engine
- 5.2.00
- Description Added
- 11/29/2005
- Description Modified
- 04/06/2009 1:54 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
--Update April 6, 2009--
A variant has been discovered that is attempting to exploit the MS08-067 vulnerability.
Characteristics unique to this variant include:
W32/IRCbot.gen.a copies itself to the following folder:
- %Windir%\netmon.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)
W32/IRCbot.gen.a also drops the following file:
- %WinDir%\drivers\sysdrv32.sys
It will attempt communication with a remote IRC server using the following credentials:
- PASS h4xg4ng
- NICK [00-USA-XP-9215671]
- USER SP2-ojd, followed by the name of the infected computer.
Attempts to connect to the following domains:
- hxxp://98.1[removed]
- hxxp://74.2[removed]
--Update October 03, 2008--
Upon execution, a new variant of W32/IRCbot.gen.a virus copies itself to the following folder:
- %WinDir%\system32\vista.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
It hooks the system startup by adding the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VistaUpgrade: "%WinDir%\System32\vista.exe"
It attempts to connect with the remote IRC server:
- glbnt.opendns.be
--------------------------------------
W32/IrcBot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
This version of IRC Bot may exploit the MS04-011 vulnerability to spread across network shares. It is a network-aware worm and can check whether it has internet connectivity. It attempts to join IRC channels and opens backdoors that allow remote access to the infected machine.
Upon execution, it drops a copy of the bot into the currently logged-on user's %SYSTEM%\drivers directory.
Some of the additional files it has been observed to drop into the %SYSTEM%\drivers directory are:
- nwlnkpw.sys
- nwlnkus.sys
- nwlnkad.sys
- nwlnked.sys
- nwlnkcm.sys
- nwlnkra.sys
- nwlnkcr.sys
During testing, the following registry entries were added:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareServer = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareWks = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxUserPort = 0x0000FFFE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\TcpTimedWaitDelay = 0x0000001E
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort = 0x0000FFFE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay = 0x0000001E
During testing, the following registry entry was modified:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous: 0x00000000 was modified to 0x00000002
http://technet.microsoft.com/en-us/library/bb418944(TechNet.10).aspx provides information regarding the significance of the restrictanonymous value.
Symptoms
Presence of the above-mentioned files in the %SYSTEM%\drivers folder and the relevant registry changes may indicate infection.
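As an added example, not part of the McAfee advisory: a read-only PowerShell check for the dropped files, the Run value and the registry settings listed above. It assumes %SYSTEM% is %SystemRoot%\system32 and only reports matches; it removes nothing.

```powershell
# Added example, not from the advisory: read-only check for the W32/IRCbot.gen.a
# host indicators listed above. Reports findings; changes nothing on the system.
$findings = @()

# Dropped files: the %WinDir% copies and the driver names under %SYSTEM%\drivers.
$drivers = Join-Path $env:SystemRoot 'system32\drivers'
$files = @(
    (Join-Path $env:SystemRoot 'netmon.exe'),
    (Join-Path $env:SystemRoot 'system32\vista.exe'),
    (Join-Path $drivers 'sysdrv32.sys')
)
foreach ($n in 'nwlnkpw','nwlnkus','nwlnkad','nwlnked','nwlnkcm','nwlnkra','nwlnkcr') {
    $files += Join-Path $drivers "$n.sys"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "file present: $f" }
}

# Run-key persistence used by the October 2008 variant.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'VistaUpgrade' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value VistaUpgrade = $($run.VistaUpgrade)" }

# Values the advisory saw the bot write. Several are also legitimate hardening
# settings (AutoShare*=0, restrictanonymous=2), so a match here is supporting
# evidence only; the dropped files and the Run value are the stronger signals.
$expected = @(
    @{ Key = 'Services\lanmanserver\parameters'; Name = 'AutoShareServer';   Value = 0x0 },
    @{ Key = 'Services\lanmanserver\parameters'; Name = 'AutoShareWks';      Value = 0x0 },
    @{ Key = 'Services\Tcpip\Parameters';        Name = 'MaxUserPort';       Value = 0xFFFE },
    @{ Key = 'Services\Tcpip\Parameters';        Name = 'TcpTimedWaitDelay'; Value = 0x1E },
    @{ Key = 'Control\Lsa';                      Name = 'restrictanonymous'; Value = 0x2 }
)
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    foreach ($e in $expected) {
        $path = "HKLM:\SYSTEM\$cs\$($e.Key)"
        $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($e.Name) -eq $e.Value) {
            $findings += ('{0}\{1} = 0x{2:X} (matches advisory)' -f $path, $e.Name, $e.Value)
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/IRCbot.gen.a host indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```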
Method of Infection
Either manual execution or exploitation of network service vulnerabilities.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
--Update April 06, 2009--
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Microsoft-Old-Worm-Copies-Conficker-For-New-Twist-263527/?kc=rss