
Worm:Win32/IRCbot.B


First posted on 17 September 2010.
Source: SecurityHome

Aliases:

Worm:Win32/IRCbot.B is also known as W32/VB.CXJ (Authentium (Command)), IM-Worm.Win32.Yahos.cb (Kaspersky), Worm.Yahos.AS (VirusBuster), Worm/VB.BDDA (AVG), Worm/Yahos.CB (Avira), Win32.HLLW.Oscar.12 (Dr.Web), IM-Worm.Win32.Yahos (Ikarus), W32/Gaobot.OXI.worm (Panda), W32.IRCBot (Symantec), WORM_YIMBOT.A (Trend Micro).

Explanation:

Worm:Win32/IRCbot.B is a worm that may spread to other computers by sending a link to itself to a user's contacts on Yahoo! Messenger and Skype. It allows backdoor access to and control of the computer, and stops the Windows Update service.

Installation

Worm:Win32/IRCbot.B may drop a copy of itself as the following file:

  • %windir%\jusched.exe

It creates the following registry modifications so that its copy automatically executes every time Windows starts:

In subkeys:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Java developer Script Browse"
With data: "%windir%\jusched.exe"

Worm:Win32/IRCbot.B may create the following mutex:

  • "Micro Upe"

It may bypass the Windows Firewall by adding the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<currently running malware file>"
With data: "<currently running malware file>:*:enabled:java developer script browse"

Spreads via...

Instant messaging and communication programs

Worm:Win32/IRCbot.B may attempt to spread to other computers by sending a link to a hosted copy of itself to a user's contacts in Yahoo! Messenger or Skype. It performs its spreading routine as part of its backdoor functionality.

Payload

Allows backdoor access and control

Worm:Win32/IRCbot.B attempts to connect to the remote IRC server 142.45.184.0 on port 1234 to wait for commands. Some of these commands include the following:

  • propagate via Yahoo! Messenger or Skype
  • inject IFrames into visited webpages
  • urge users to complete a survey to access web content

Stops services

Worm:Win32/IRCbot.B may attempt to stop the Windows Update service by running the following commands:

  net stop wuauserv
  sc config wuauserv start= disabled

Drops other files

Worm:Win32/IRCbot.B may drop the following files in the Windows folder; these files are not malicious:

  • mdll.dl
  • wintybrd.png
  • wintybrdf.jpg

Download arbitrary files

Worm:Win32/IRCbot.B attempts to connect to 142.45.183.251 to download arbitrary files. As of this writing, the server is unavailable.

Additional information

Worm:Win32/IRCbot.B opens the browser to the following URL in an attempt to distract the user while it performs its malicious routines: http://browseusers.myspace.com/Browse/Browse.aspx
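A read-only host triage check for the artifacts listed above (dropped copy, autostart value, firewall exception, mutex, disabled Windows Update service, companion files), written as an added example for defenders; it is not part of the original analysis and assumes Windows PowerShell run with rights to read the HKLM hive.

```powershell
# Triage check for the Worm:Win32/IRCbot.B artifacts described in the write-up.
# Added example, not part of the original analysis. Reports only; it changes nothing.
$findings = @()

# 1. Dropped copy: %windir%\jusched.exe (the legitimate Java updater does not live in %windir%)
$dropped = Join-Path $env:windir 'jusched.exe'
if (Test-Path $dropped) { $findings += "Dropped file present: $dropped" }

# 2. Autostart value "Java developer Script Browse" in the three Run keys named above
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  $v = Get-ItemProperty -Path $key -Name 'Java developer Script Browse' -ErrorAction SilentlyContinue
  if ($v) { $findings += "Autostart value in ${key}: $($v.'Java developer Script Browse')" }
}

# 3. Firewall exception whose data carries the same "java developer script browse" tag
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
  (Get-ItemProperty -Path $fwKey).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -match 'java developer script browse' } |
    ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 4. Mutex "Micro Upe": OpenExisting throws when no process currently holds a mutex of that name
try {
  $m = [System.Threading.Mutex]::OpenExisting('Micro Upe')
  $m.Close()
  $findings += 'Mutex "Micro Upe" exists (a process holding it is running)'
} catch { }   # WaitHandleCannotBeOpenedException (absent) or access denied both land here

# 5. Windows Update service left disabled by "sc config wuauserv start= disabled"
$wu = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') { $findings += 'wuauserv start type is Disabled' }

# 6. Non-malicious companion files dropped in the Windows folder
foreach ($f in 'mdll.dl', 'wintybrd.png', 'wintybrdf.jpg') {
  $p = Join-Path $env:windir $f
  if (Test-Path $p) { $findings += "Companion file present: $p" }
}

if ($findings.Count -eq 0) { 'No Worm:Win32/IRCbot.B artifacts found.' } else { $findings }
```

Any single finding is a reason to pull the host for a full examination rather than a verdict on its own; the mutex and wuauserv checks in particular can have benign explanations.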

Analysis by Andrei Florin Saygo

Last update 17 September 2010
