
Worm:Win32/IRCbot.K


First posted on 07 January 2012.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/IRCbot.K.

Explanation:

Backdoor:Win32/IRCbot.K is a worm that spreads via removable drives. It connects to a remote IRC server, where it may receive and execute commands from a remote attacker, including commands to update itself and to participate in Distributed Denial of Service (DDoS) attacks.




Installation

When executed, Backdoor:Win32/IRCbot.K copies itself with 'hidden', 'read-only' and 'system' attributes to "%UserProfile%\winusbsmgr.exe".

The malware modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MicrosoftUpdateServices"
With data: "%UserProfile%\winusbsmgr.exe"

It creates a mutex such as "v86cf6cuvu" to ensure that no more than one copy of itself runs at any time.

Backdoor:Win32/IRCbot.K injects code into the following processes:

  • Regedit.exe
  • Taskmgr.exe


It also drops the file "%AppData%\gufuztzvz.txt".

Spreads via...

Removable drives
Every 30 seconds, the malware checks whether a removable drive has been attached to the computer. If so, it creates a folder named "23767859" in the root of the removable drive, for example, "G:\23767859" or "F:\23767859". It then creates copies of itself inside that folder, named after the folders that already exist on the removable drive. For example, if the removable drive contains a folder named "My Documents", the worm creates a copy of itself as "G:\23767859\My Documents.exe". It then creates a shortcut file in the root of the removable drive that points to that copy. The shortcut file name has the format "<malware copy>s.lnk", for example, "My Documentss.lnk".
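The naming scheme above (marker folder, "<folder>.exe" copy inside it, "<folder>s.lnk" shortcut in the root) is specific enough to check for on a suspect drive. The following is an added example, not part of the original write-up: a small Python scanner that flags the full triple rather than any single file, so a stray shortcut on its own is not reported. The sample listing is constructed for illustration.

```python
"""Added example: scan a removable-drive listing for the footprint described
for Worm:Win32/IRCbot.K (marker folder "23767859", "<folder>.exe" inside it,
and a "<folder>s.lnk" shortcut in the drive root)."""
import os

MARKER_DIR = "23767859"  # folder name the worm creates (from the write-up)


def _norm(path):
    """Normalise a drive-relative path: backslashes to '/', case-folded."""
    return path.replace("\\", "/").strip("/").lower()


def scan_listing(entries):
    """Scan a flat list of drive-relative paths (directories end with a
    separator). Returns whether the marker folder exists and the matched
    (folder, exe, lnk) triples that follow the worm's naming scheme."""
    files, dirs = set(), set()
    for raw in entries:
        p = _norm(raw)
        (dirs if raw.endswith(("/", "\\")) else files).add(p)
        if "/" in p:
            dirs.add(p.split("/", 1)[0])  # implied parent folder
    hits = []
    for d in sorted(dirs):
        if "/" in d or d == MARKER_DIR:
            continue  # only top-level folders are used as lure names
        exe, lnk = f"{MARKER_DIR}/{d}.exe", f"{d}s.lnk"
        if exe in files and lnk in files:
            hits.append((d, exe, lnk))
    return {"marker_dir": MARKER_DIR in dirs, "lures": hits}


def scan_drive(root):
    """Build the listing from a real drive root (e.g. "G:\\") and scan it."""
    entries = []
    for cur, subdirs, names in os.walk(root):
        rel = os.path.relpath(cur, root)
        base = "" if rel == "." else rel + os.sep
        entries += [base + d + os.sep for d in subdirs]
        entries += [base + f for f in names]
    return scan_listing(entries)


# Constructed sample listing: two lured folders, one benign shortcut ("Music").
SAMPLE_LISTING = [
    "My Documents\\", "Photos\\", "Music\\", "23767859\\",
    "23767859\\My Documents.exe", "23767859\\Photos.exe",
    "My Documentss.lnk", "Photoss.lnk", "Musics.lnk", "readme.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```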



Payload

Allows backdoor access and control

Backdoor:Win32/IRCbot.K attempts to connect to an IRC channel and waits for commands. Once connected, it may allow an attacker to perform certain actions on the affected computer, such as the following:

  • Disconnect from the server and reconnect
  • Execute specified commands using a command prompt
  • Participate in UDP-based Distributed Denial of Service (DDoS) attacks
  • Send information such as the locale of the system, and the local time
  • Stop running
  • Update itself
  • Visit websites




Analysis by Patrick Estavillo

Last update 07 January 2012
