W32/IRCbot.gen.a
- Type
- Virus
- SubType
- Win32
- Discovery Date
- 11/29/2005
- Length
- varies
- Minimum DAT
- 4639 (11/29/2005)
- Updated DAT
- 6597 (01/22/2012)
- Minimum Engine
- 5.4.00
- Description Added
- 11/29/2005
- Description Modified
- 09/22/2011 8:33 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update September 22, 2011 --
File Information
- MD5 - ad1d82cb647d82e30512a8551788420a
- MD5 - 9a3369c83f417fc72820026e4d2cd3fd
Aliases
- Microsoft Trojan:Win32/Ircbrute
- DrWeb BackDoor.IRC.Bot.416
- Ikarus Net-Worm.Win32.Kolab
- ETrust-Vet Win32/IRCBot.JJG
"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:
- %SystemDrive%\WINDOWS\System.exe
The following files are dropped in:
- [Removable Drive]:\UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\Desktop.ini
- [Removable Drive]:\UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
This Trojan also attempts to create an autorun.inf file in the root of any accessible disk volume.
The file "AutoRun.inf" points to the malware executable. When the removable or networked drive is accessed from a machine that honours the Autorun feature, the malware is launched automatically. (Windows 7, and Windows XP/Vista systems with the February 2011 AutoRun update applied, no longer honour autorun.inf on USB media, so this spreading vector depends on unpatched hosts.)
- [autorun]
- open=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
- icon=%SystemRoot%\system32\SHELL32.dll,4
- action=Open folder to view files
- UseAuTOPLAY=1
- shell\open\command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
- shell\Explore\Command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
The following registry values have been added to the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "MicrosoftCorp"
%SystemDrive%\WINDOWS\System.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MicrosoftNAPC"
%SystemDrive%\WINDOWS\System.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysdiag64.exe"
%SystemDrive%\WINDOWS\System.exe
The above three registry entries ensure that the Trojan executes every time Windows starts.
The Trojan attempts to communicate with a remote IRC server using the following commands:
- NICK
- JOIN
- PASS
- USER
- PART
- QUIT
- PING
- PONG
-----------------------------------------------------
-- Update July 20, 2011 --
File Information
- MD5 - F514DFA4D9068C66D9A87A58872E5D52
- SHA1 - 019AFEA6F16A7C29290B1D9CDC34073D9673387A
Aliases
- Kaspersky - Trojan.Win32.VBKrypt.ein
- Ikarus - Gen.Trojan.Heur
- Microsoft - VirTool:Win32/VBInject.gen!FA
- NOD32 - a variant of Win32/Injector.CXC
"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:
- %Temp%\cetrnaest.exe
It also drops the following file:
- [Removable Drive]:\[USERNAME]-35FC12\[USERNAME]-35FC12\Desktop.ini
This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
The autorun.inf begins with several comment lines (a ';' starts a comment) filled with random characters, and more random-character padding follows the trailing semicolons of the last two values:
- ;yuygrwdqeevpmxehwpbnhyellapfvytngbirxntpzcrxpcedhdwapbbliyhjlkvfdfromensgjwaohfmcwwfpdlnjucgvgwlmbs
- ;gpetnanrxiynzctjaouomwrzjkhdohkrptpexhiptpulakrgqltxloevwfoincbsaacbsxiyqhfmdfhjroznydghyyuhohjxi
- ;rmwwcgeipeljnlozprzumjprpmbynxuadbwickeaxfwqakzbgpuykcyphveydriiceepdxlixqzdqxyijdpopfhupotmifbyb
- ;ffzbgakklpjlljziahmddcskvlsxgcskmnmjsfrhhuvrhvexpyuvqfwqusxfqzfmcvlgaiphrcwvcnmdgkhniqtxtpepumilb
- ;ziqtklugyxizafknsmhxfiowgnnghjgfhdszjjqnvxquufdezzntzvfxbcwcoyysdruhacrmehypheshhpzghwjxbabtqpjy
- [autorun]
- open=[USERNAME]-35FC12\[USERNAME]-35FC12\[USERNAME]-35FC12v26.exe
- action=Open folder to view files
- shell\open=Explore
- shell\open\command=[USERNAME]-35FC12\[USERNAME]-35FC12\[USERNAME]-35FC12v26.exe;
- shell\open\default=1
- UseAutoPlay=1;
- ktapcrdcyglubtiaczaxybrrmwxhgyrneatbmrtozfqiuhdosqernpankqvkgeiokprwyvifllzlwwekdcqvmkcysqkmponhrixqufvhrnns
cvtkzblwglkjtbiofxmbbkpyqtasmordnaulzovgoztnzgsvxoswcfzenhxtiyycewvlhjbedtwyomtnuqmgovzwpcitnucpbohxqpjqopjmrovc
egmnwyfxrxwjmsrkhejbybrlzkarpqkigrgiwxyxhulroebbmwbmxfoaaigkiuqhshoizudejisuvpkjazbkeuzidvociqdxcikazyupegkzagoofkxml
jpcygsjpodzdhdmbobborqqnukwzysxqlvdzrwgmgvlhtpzqsq
The following registry values have been added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v4.0 = "%Temp%\cetrnaest.exe"
- [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v4.0 = "%Temp%\cetrnaest.exe"
The above Run entries ensure that the Trojan executes every time Windows starts (the machine-wide entry) and every time the affected user logs on (the per-user entry).
It also connects to the following sites:
- dghf[removed].com
- zer[removed].com
- tu[removed]nen.cc
[Note: C:\Documents and Settings\Administrator\Local Settings\Temp is %Temp%]
----------------------------------
-----Update July 12, 2011----
File Information
- MD5 - 37F5A3B98D9FE37A66E3EF81098F5D5A
- SHA1 - C6227C4C52DB348244CE955623C894F9B763D107
Aliases
- NOD32 - a variant of Win32/Injector.AER
- Ikarus - Trojan.Win32.KillAV
- Microsoft - Worm:Win32/Pushbot
- Kaspersky - Worm.Win32.AutoRun.gwu
"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
Upon execution, the malware copies itself to the following location and connects to the site sik[removed].net on port 6969:
- %SystemDrive%\WINDOWS\dllmgr.exe
It also drops the following files:
- %SystemDrive%\OGa\RD\DesKTop.ini
- %SystemDrive%\OGa\RD\GOx.exe
This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
- [autorun]
- open=OGa\RD\GOx.exe
- ;ԝ
- ;Fuck U Motha Fucka I Could have been ur Dad but the man who fucked ur mom had more change than me.
- action=Open folder to view files
- shell\open=Open
- shell\open\command=OGa\RD\GOx.exe
- shell\open\default=1
The following registry key has been added to the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}
The following registry values have been added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}]
StubPath = "%SystemDrive%\OGa\RD\GOx.exe"
Active Setup runs the StubPath command when a user logs on whose profile has not yet recorded this component, so the Trojan is re-launched for every user of the machine. The component id {67KLN5J0-4OPM-01WE-AAX2-314CCA554372} is not a well-formed GUID (it contains non-hexadecimal characters), which distinguishes it from legitimate Active Setup components.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Dll Management Service = "dllmgr.exe"
The above Run entry ensures that the Trojan executes every time Windows starts. The value holds only a bare file name, so Windows locates dllmgr.exe through its search path (the copy in %SystemDrive%\WINDOWS listed above).
The following folders have been added to the system:
- %SystemDrive%\OGa
- %SystemDrive%\OGa\RD
[Note: %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
-----------------
-----Update February 11, 2011----
File Information
- MD5 - 45db5de0b59c542d26990736b6001c45
- SHA1 - 0ec2ec69845ad352f8a5e0e22e42e96cc6ead227
Aliases
- F-Secure - Trojan.Generic.KDV.139932
- Ikarus - Trojan-Dropper
- Microsoft - Trojan:Win32/Ircbrute
- NOD32 - Win32/AutoRun.IRCBot.FL
"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:
- %Temp%\trinaest.exe
And it drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.
- [Removable Drive]:\autorun.inf
- [Removable Drive]:\[USERNAME]VMXPPv22\[USERNAME]VMXPPv22.exe
The Trojan establishes an IRC connection with the IP address "173.234.[removed]" through remote Port 8888.
The following registry values have been added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v3.6 = "%Temp%\trinaest.exe"
- [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v3.6 = "%Temp%\trinaest.exe"
The above two registry entries ensure that the Trojan executes every time Windows starts.
The Trojan attempts to communicate with a remote IRC server using the following commands:
- NICK
- JOIN
- PASS "#test123
- USER admin
- PART
- QUIT
- PING
- PONG
- PRIVMSG
The file "AutoRun.inf" points to the malware executable; when the removable or networked drive is accessed from a machine that honours the Autorun feature, the malware is launched automatically.
The autorun.inf is configured to launch the Trojan via the following entries:
- [autorun]
- open=[USERNAME]VMXPP\[USERNAME]VMXPP\[USERNAME]VMXPPv22.exe
- icon=%SystemRoot%\system32\SHELL32.dll,4
- action=Open folder to view files
- shell\open=Open
- shell\open\command=[USERNAME]VMXPP\[USERNAME]VMXPP\[USERNAME]VMXPPv22.exe;
- shell\open\default=1;
[Note: %Temp% is C:\Documents and Settings\[USERNAME]\Local Settings\Temp]
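The autorun.inf entries quoted in the September 2011, July 2011 and February 2011 updates above share one pattern: the open verb and the shell\open\command / shell\Explore\Command verbs all point at an executable in a subfolder of the drive, the action text and the shell32.dll icon make the drive look like a plain folder, and the July 2011 sample is padded with random comment lines. The following Python script is an added example, not McAfee's code or part of this description: it parses autorun.inf text (tolerating ';' comment padding, mixed-case keys and doubled backslashes) and scores those traits so a file from a quarantined drive can be triaged. The embedded samples are constructed from the paths listed above (padding shortened); the benign 'setup.exe' sample is hypothetical.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the autorun.inf contents quoted above. Paths are
# those listed on the page, the ';' padding of the July 2011 sample is shortened,
# and doubled backslashes are included deliberately (some escaped dumps render
# them that way) to exercise the key normalisation. The CD sample is hypothetical.
SAMPLE_SEPT_2011 = r"""[autorun]
open=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAuTOPLAY=1
shell\\open\\command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
shell\\Explore\\Command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
"""
SAMPLE_JULY_2011 = r""";yuygrwdqeevpmxehwpbnhyellapfvytngbirxntpzcrxpcedhdwapbbliyhjlkvfdfromensgj
;gpetnanrxiynzctjaouomwrzjkhdohkrptpexhiptpulakrgqltxloevwfoincbsaacbsxiyqh
[autorun]
open= [USERNAME]-35FC12\[USERNAME]-35FC12\[USERNAME]-35FC12v26.exe
action=Open folder to view files
shell\open=Explore
shell\open\command=[USERNAME]-35FC12\[USERNAME]-35FC12\[USERNAME]-35FC12v26.exe;
shell\open\default=1
UseAutoPlay=1;ktapcrdcyglubtiaczaxybrrmwxhgyrneatbmrtozfqiuhdosqernpankqvkgeiokprw
cvtkzblwglkjtbiofxmbbkpyqtasmordnaulzovgoztnzgsvxoswcfzenhxtiyycewvlhjbedtw
"""
SAMPLE_BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Example Product CD
"""

# Verbs under [autorun] that make Windows run a program when the volume is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # ';' lines are comments (the padding above)
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:    # junk outside a section or without '='
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\\+", r"\\", key.strip().lower())   # fold 'shell\\open' to 'shell\open'
        sections[current][key] = value.split(";", 1)[0].strip()  # drop a ';...' padding tail
    return sections


def assess_autorun(text: str) -> dict:
    """Return the launch targets and the reasons an autorun.inf looks like worm bait."""
    auto = parse_autorun(text).get("autorun", {})
    targets = {k: auto[k].replace("\\\\", "\\").lower() for k in LAUNCH_KEYS if k in auto}
    exe = {k: v for k, v in targets.items() if v.endswith(EXEC_EXT)}
    findings: List[str] = []
    if exe:
        findings.append("launches an executable: " + ", ".join(sorted(set(exe.values()))))
    if any("\\" in v for v in exe.values()):
        findings.append("executable hidden in a subfolder rather than at the volume root")
    hijacked = [k for k in ("shell\\open\\command", "shell\\explore\\command") if k in exe]
    if hijacked:
        findings.append("redirects Explorer verbs to the executable: " + ", ".join(hijacked))
    if "open folder" in auto.get("action", "").lower():
        findings.append("'action' text mimics the default 'Open folder to view files' prompt")
    if "shell32.dll" in auto.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll so the drive looks like a plain folder")
    if auto.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 set, as in the samples above")
    # Three or more traits together are what the worm samples show; a plain
    # 'open=setup.exe' installer CD scores one.
    return {"targets": targets, "findings": findings, "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    for name, sample in (("Sept 2011", SAMPLE_SEPT_2011), ("July 2011", SAMPLE_JULY_2011),
                         ("benign CD", SAMPLE_BENIGN)):
        verdict = assess_autorun(sample)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["findings"])
```

To use it on a real drive, read `X:\autorun.inf` with `open(path, errors="replace").read()` and pass the text to assess_autorun; the returned targets give the relative paths to collect for hashing against the MD5/SHA1 values listed above.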
------
-- Update February 11, 2011 --
A new variant discovered has the additional capabilities:
- Proxy awareness - via contact to one of the following sites:
http://www.belgarion.com/images/azenv.php
http://proxywoorld.ovh.org/azenv.php
http://proxyworld.ifrance.com/azenv.php
- Detection and termination of stand-alone security and monitoring tools
- Spread via USB, with autorun capabilities
--Update April 6, 2009--
A variant has been discovered that attempts to exploit the MS08-067 vulnerability.
Characteristics unique to this variant include:
W32/IRCbot.gen.a copies itself to the following location:
- %WinDir%\netmon.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)
W32/IRCbot.gen.a also drops the following file:
- %WinDir%\drivers\sysdrv32.sys
It will attempt communication with a remote IRC server using the following credentials:
- PASS h4xg4ng
- NICK [00-USA-XP-9215671]
- USER SP2-ojd, followed by the name of the infected computer.
Attempts to connect to the following domains:
- hxxp://98.1[removed]
- hxxp://74.2[removed]
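The command lists and credentials above (NICK, USER, PASS, JOIN, PRIVMSG, PING/PONG; PASS h4xg4ng and NICK [00-USA-XP-9215671] in this variant; PASS "#test123 and USER admin on port 8888 in the February 2011 update; port 6969 in the July 12, 2011 update; port 81 under Symptoms) show that the bots register with a server like any IRC client but rarely on the standard port 6667. The following Python script is an added example, not from this description or from McAfee: it identifies IRC by the NICK/USER registration handshake in a client-to-server payload rather than by port, extracts nick, user, password and channels, and flags non-standard ports, a server password and machine-generated nicks. The flow records are constructed; the source addresses, the hostname WORKSTATION1, the channel #botnet and the nick regex are assumptions made here.

```python
import re
from typing import List, Optional, Tuple

STANDARD_IRC_PORTS = {6667, 6697}

# Nick shape quoted in the April 2009 update, [00-USA-XP-9215671]: bracketed
# country/OS/random-number tokens. This regex is a heuristic written for this example.
BOT_NICK_RE = re.compile(r"^\[?[A-Za-z0-9]{1,3}[-|_][A-Za-z]{2,4}[-|_][A-Za-z0-9]{1,6}[-|_]\d{4,}\]?$")

# Constructed (source, dst_port, client->server payload) records. The first reuses
# the PASS/NICK/USER values quoted above with the port 6969 from the July 2011
# update; hostname WORKSTATION1 and channel #botnet are hypothetical. The second is
# an ordinary human IRC session, the third plain HTTP.
FLOWS: List[Tuple[str, int, str]] = [
    ("10.0.0.5", 6969,
     "PASS h4xg4ng\r\nNICK [00-USA-XP-9215671]\r\nUSER SP2-ojd WORKSTATION1 * :WORKSTATION1\r\n"
     "JOIN #botnet\r\nPONG :server\r\n"),
    ("10.0.0.7", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\nPRIVMSG #python :hello\r\n"),
    ("10.0.0.9", 80,
     "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def parse_irc_client(payload: str) -> List[Tuple[str, str]]:
    """Split a client->server payload into (COMMAND, arguments) pairs."""
    msgs = []
    for line in re.split(r"\r?\n", payload):
        line = line.strip()
        if not line:
            continue
        cmd, _, args = line.partition(" ")
        msgs.append((cmd.upper(), args))
    return msgs


def assess_flow(src: str, dst_port: int, payload: str) -> Optional[dict]:
    """Return a verdict for one flow, or None when it carries no IRC registration."""
    msgs = parse_irc_client(payload)
    if not {"NICK", "USER"} <= {c for c, _ in msgs}:
        return None  # the registration handshake identifies IRC, whatever the port
    info = {"src": src, "port": dst_port, "nick": None, "user": None,
            "password": None, "channels": [], "findings": []}
    for cmd, args in msgs:
        if cmd == "NICK":
            info["nick"] = args.strip()
        elif cmd == "USER":
            info["user"] = args.split(" ", 1)[0]          # USER <user> <mode> <unused> :<real>
        elif cmd == "PASS":
            info["password"] = args.strip()              # server password, sent in clear
        elif cmd == "JOIN":
            info["channels"] += [c for c in args.split(" ", 1)[0].split(",") if c]
    if dst_port not in STANDARD_IRC_PORTS:
        info["findings"].append(f"IRC registration on non-standard port {dst_port}")
    if info["password"] is not None:
        info["findings"].append("server password sent with PASS")
    if info["nick"] and BOT_NICK_RE.match(info["nick"]):
        info["findings"].append("machine-generated nick (country/OS/id tokens)")
    info["suspicious"] = len(info["findings"]) >= 2
    return info


def scan_flows(flows: List[Tuple[str, int, str]]) -> List[dict]:
    """Run assess_flow over captured flows and return only the suspicious verdicts."""
    verdicts = (assess_flow(*flow) for flow in flows)
    return [v for v in verdicts if v and v["suspicious"]]


if __name__ == "__main__":
    for v in scan_flows(FLOWS):
        print(f"{v['src']} -> port {v['port']}: nick={v['nick']} user={v['user']} "
              f"password={v['password']} channels={v['channels']}")
        for f in v["findings"]:
            print("   ", f)
```

The payloads would normally come from a reassembled TCP stream (for example a Zeek or tshark follow-stream export); because the check keys on the handshake, the page's 6969, 8888 and 81 connections are all caught by the same rule, and the extracted nick, password and channels are the values to pivot on when identifying other infected hosts.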
---Update on October 03,2008--
Upon execution, a new variant of W32/IRCbot.gen.a virus copies itself to the following folder:
- %WinDir%\system32\vista.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
It hooks the system startup by adding the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VistaUpgrade: "%WinDir%\System32\vista.exe"
It attempts to connect with the remote IRC server:
- glbnt.opendns.be
--------------------------------------
W32/IrcBot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
This version of IRC Bot may exploit the MS04-011 vulnerability to spread across shares. It is a network-aware worm that checks whether it has Internet connectivity. It attempts to join IRC channels and opens back doors to allow remote access to an infected machine.
Upon execution, it drops a copy of the bot into currently logged on user's %SYSTEM%\drivers directory.
Some of the additional files it has been observed to drop into the %SYSTEM%\drivers directory are:
- nwlnkpw.sys
- nwlnkus.sys
- nwlnkad.sys
- nwlnked.sys
- nwlnkcm.sys
- nwlnkra.sys
- nwlnkcr.sys
During testing the following registry entries were added:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
- AutoShareServer = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
- AutoShareWks = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxUserPort = 0x0000FFFE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpTimedWaitDelay = 0x0000001E
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareServer = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareWks = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxUserPort = 0x0000FFFE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpTimedWaitDelay = 0x0000001E
During the time of testing, the following registry entry was modified:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
- restrictanonymous: 0x00000000 was modified to
- restrictanonymous: 0x00000002
http://technet.microsoft.com/en-us/library/bb418944(TechNet.10).aspx provides information regarding the significance of the restrictanonymous value.
Taken together, these changes disable the default administrative shares (AutoShareServer and AutoShareWks set to 0), raise the upper bound of the ephemeral port range (MaxUserPort = 0xFFFE) and shorten the TIME_WAIT interval to 30 seconds (TcpTimedWaitDelay = 0x1E), which lets the bot open many outbound connections in quick succession while scanning; restrictanonymous = 2 blocks anonymous enumeration of accounts and shares on the infected host.
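The persistence entries listed in the updates above (the Run and policies\Explorer\Run values, the per-user Run value, the Active Setup StubPath) and the lanmanserver, Tcpip and Lsa values set by this original variant can all be checked offline from a `reg export` of a suspect machine's hives. The following Python script is an added example, not part of this description or of any McAfee tool: it parses Registry Editor 5.00 export text, reports autostart entries whose image lives in a user-writable location, sits directly in the Windows folder, is a bare file name, or hangs off an Active Setup component whose id is not a well-formed GUID (the {67KLN5J0-...} id in the July 12, 2011 update contains non-hexadecimal characters), and reports the share, TCP and Lsa values that match what this variant set. The export text is constructed from the values listed on this page with %Temp% and %SystemDrive% expanded as on an XP machine; the "Example Updater" value and the {12345678-...} component are hypothetical benign entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed 'reg export' text built from the keys and values listed on this page.
# "Example Updater" and the {12345678-...} component are hypothetical benign entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftNAPC"="C:\\WINDOWS\\System.exe"
"Driver Control Manager v3.6"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\trinaest.exe"
"Windows Dll Management Service"="dllmgr.exe"
"Example Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MicrosoftCorp"="C:\\WINDOWS\\System.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysdiag64.exe"="C:\\WINDOWS\\System.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}]
"StubPath"="C:\\OGa\\RD\\GOx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}]
"StubPath"="C:\\Program Files\\Example\\setup.exe /configure"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000002
"""

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(policies\\Explorer\\)?Run(Once)?$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\(\{[^}]*\})$", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
USER_WRITABLE_RE = re.compile(r"(%temp%|%appdata%|\\temp\\|\\local settings\\|\\appdata\\|\\users\\|\\documents and settings\\)")
WINDIR_ROOT_RE = re.compile(r"^(c:\\windows|c:\\winnt|%windir%|%systemroot%)\\[^\\]+\.exe$")

# (key suffix, value name, value) observed for this variant, with the documented meaning.
TAMPER_CHECKS = {
    ("services\\lanmanserver\\parameters", "autoshareserver", 0): "default administrative shares disabled",
    ("services\\lanmanserver\\parameters", "autosharewks", 0): "default administrative shares disabled",
    ("control\\lsa", "restrictanonymous", 2): "anonymous enumeration of accounts and shares blocked",
    ("services\\tcpip\\parameters", "maxuserport", 0xFFFE): "ephemeral port range widened",
    ("services\\tcpip\\parameters", "tcptimedwaitdelay", 0x1E): "TIME_WAIT shortened to 30 s",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse Registry Editor 5.00 export text into {key path: {value name: data}}.
    Strings are unescaped and dword values become ints; other types stay as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value: object = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def find_persistence(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, List[str]]]:
    """Autostart entries (Run, RunOnce, policies/Explorer/Run, Active Setup StubPath) with reasons to distrust them."""
    hits = []
    for key, values in keys.items():
        setup = ACTIVE_SETUP_RE.search(key)
        if not setup and not RUN_KEY_RE.search(key):
            continue
        for name, value in values.items():
            if not isinstance(value, str) or (setup and name.lower() != "stubpath"):
                continue
            image = value.strip().strip('"').lower()
            reasons = []
            if USER_WRITABLE_RE.search(image):
                reasons.append("image in a user-writable location")
            if "\\" not in image:
                reasons.append("bare file name, resolved through the search path at boot")
            if WINDIR_ROOT_RE.match(image):
                reasons.append("executable placed directly in the Windows folder")
            if setup and not GUID_RE.match(setup.group(1)):
                reasons.append("Active Setup component id is not a well-formed GUID")
            if reasons:
                hits.append((key, name, image, reasons))
    return hits


def find_tampering(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Share, TCP and Lsa values matching what this variant was observed to set."""
    out = []
    for key, values in keys.items():
        lowered = {n.lower(): v for n, v in values.items()}
        for (suffix, name, expected), meaning in TAMPER_CHECKS.items():
            if key.lower().endswith(suffix) and lowered.get(name) == expected:
                out.append(f"{meaning}: {key}\\{name} = {expected:#x}")
    return out


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, name, image, reasons in find_persistence(parsed):
        print(f"[{key}] {name} = {image}: " + "; ".join(reasons))
    for line in find_tampering(parsed):
        print(line)
```

On a live machine the input is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys named above; Registry Editor writes UTF-16, so open the file with `encoding="utf-16"`). The "bare file name" and "directly in the Windows folder" reasons are deliberately loose: they surface exactly the dllmgr.exe and System.exe entries this page describes, but a fully-qualified path under Program Files with a valid Active Setup GUID, as in the hypothetical entries, passes without a finding.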
Symptoms
Presence of the above-mentioned files in the %SYSTEM%\drivers folder and the related registry changes may indicate infection.
--Update February 11, 2011--
Presence of the file logfile32.txt on C:\windows folder.
Connections to the following C2 (command-and-control) hosts on port 81:
java.KUTLUFAMILY.COM
java.BALDMANPOWER.NET
java.BALDMANPOWER.ORG
java.BALDMANPOWER.COM
Method of Infection
Either manual execution or exploitation of network service vulnerabilities.
The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart the computer and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart the computer and remove the CD from the CD-ROM drive.
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
-- Update April 06, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Microsoft-Old-Worm-Copies-Conficker-For-New-Twist-263527/?kc=rss
--
W32/IrcBot is an IRC-controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.