McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Backdoor.Ircbot.CU (BitDefender)

• Backdoor.Win32.IRCBot.cu (Kaspersky)

• Troj/Bckdr-AM (Sophos)

• W32/Akbot.A.worm (Panda)

• W32/Bckdr.AM-wm (Fortinet)

Characteristics

W32/Akbot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDos attack on internet systems.

Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%\%SYSDIR%\mswm32.exe

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft WM" = "%Windir%\%SYSDIR%\mswm32.exe"

Symptoms

W32/Akbot attempts to join the following IRC servers listening on TCP port 6564 and waits for instructions.

61.78.52.242
218.145.175.124
218.154.93.112

Once connected to the IRC server, a remote attacker can use the bot to perform various tasks such as:

• Gather system information (CPU, RAM, OS Version, User name, Computer name, IP Address)
• Download and Execute files
• Perform DDos
• Kill processes
• Uninstall bot

Method of Infection

W32/Akbot scans for vulnerable machines on the network, and uses the following Microsoft vulnerability to spread.

• LSASS exploit - MS04-011

Once the attack on a vulnerable computer is successful, it issues a ftp command to download a copy of itself from a compromised machine.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Backdoor.Ircbot.CU (BitDefender)

• Backdoor.Win32.IRCBot.cu (Kaspersky)

• Troj/Bckdr-AM (Sophos)

• W32/Akbot.A.worm (Panda)

• W32/Bckdr.AM-wm (Fortinet)

Characteristics

Characteristics -

W32/Akbot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDos attack on internet systems.

Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%\%SYSDIR%\mswm32.exe

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft WM" = "%Windir%\%SYSDIR%\mswm32.exe"

Symptoms

Symptoms -

W32/Akbot attempts to join the following IRC servers listening on TCP port 6564 and waits for instructions.

61.78.52.242
218.145.175.124
218.154.93.112

Once connected to the IRC server, a remote attacker can use the bot to perform various tasks such as:

• Gather system information (CPU, RAM, OS Version, User name, Computer name, IP Address)
• Download and Execute files
• Perform DDos
• Kill processes
• Uninstall bot

Method of Infection

Method of Infection -

W32/Akbot scans for vulnerable machines on the network, and uses the following Microsoft vulnerability to spread.

• LSASS exploit - MS04-011

Once the attack on a vulnerable computer is successful, it issues a ftp command to download a copy of itself from a compromised machine.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A