W32/IRCbot.gen.a

Type: Virus
SubType: Win32
Discovery Date: 11/29/2005
Length: varies
Minimum DAT: 4639 (11/29/2005)
Updated DAT: 6597 (01/22/2012)
Minimum Engine: 5.4.00
Description Added: 11/29/2005
Description Modified: 09/22/2011 8:33 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update Sept 22, 2011 --

File Information

  • MD5 - ad1d82cb647d82e30512a8551788420a
  • MD5 - 9a3369c83f417fc72820026e4d2cd3fd

Aliases

  • Microsoft - Trojan:Win32/Ircbrute
  • DrWeb - BackDoor.IRC.Bot.416
  • Ikarus - Net-Worm.Win32.Kolab
  • ETrust-Vet - Win32/IRCBot.JJG

"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:

  • %SystemDrive%\WINDOWS\System.exe

The following files are dropped:

  • [Removable Drive]:\UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\Desktop.ini
  • [Removable Drive]:\UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

autorun]
[autorun[
[autorun]
open=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAuTOPLAY=1
shell\\open\\command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
shell\\Explore\\Command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe


The following registry key has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "MicrosoftCorp"
    %SystemDrive%\WINDOWS\System.exe

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MicrosoftNAPC"
    %SystemDrive%\WINDOWS\System.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysdiag64.exe"
    %SystemDrive%\WINDOWS\System.exe

The above two registry values ensure that the Trojan executes every time Windows starts.

The Trojan attempts to communicate with a remote IRC server using the following commands:

        NICK
        JOIN
        PASS
        USER
        PART
        QUIT
        PING
        PONG
        JOIN

-----------------------------------------------------

-- Update July 20, 2011 --

File Information

  • MD5 - F514DFA4D9068C66D9A87A58872E5D52
  • SHA1 - 019AFEA6F16A7C29290B1D9CDC34073D9673387A

Aliases

  • Kaspersky - Trojan.Win32.VBKrypt.ein
  • Ikarus - Gen.Trojan.Heur
  • Microsoft - VirTool:Win32/VBInject.gen!FA
  • NOD32 - a variant of Win32/Injector.CXC

"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:

  • %Temp%\cetrnaest.exe

It also drops the following file:

  • [Removable Drive]:\[USERNAME]-35FC12\[USERNAME]-35FC12\Desktop.ini

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

  • ;yuygrwdqeevpmxehwpbnhyellapfvytngbirxntpzcrxpcedhdwapbbliyhjlkvfdfromensgjwaohfmcwwfpdlnjucgvgwlmbs
    ;gpetnanrxiynzctjaouomwrzjkhdohkrptpexhiptpulakrgqltxloevwfoincbsaacbsxiyqhfmdfhjroznydghyyuhohjxi
    ;rmwwcgeipeljnlozprzumjprpmbynxuadbwickeaxfwqakzbgpuykcyphveydriiceepdxlixqzdqxyijdpopfhupotmifbyb
    ;ffzbgakklpjlljziahmddcskvlsxgcskmnmjsfrhhuvrhvexpyuvqfwqusxfqzfmcvlgaiphrcwvcnmdgkhniqtxtpepumilb
    ;ziqtklugyxizafknsmhxfiowgnnghjgfhdszjjqnvxquufdezzntzvfxbcwcoyysdruhacrmehypheshhpzghwjxbabtqpjy
  • [autorun]
  • open= [USERNAME]-35FC12\[USERNAME]-35FC12\[USERNAME]-35FC12v26.exe
  • action=Open folder to view files
  • shell\open=Explore
  • shell\open\command=[USERNAME]-35FC12\[USERNAME]-35FC12\ [USERNAME]-35FC12v26.exe;
  • shell\open\default=1
  • UseAutoPlay=1;
  • ktapcrdcyglubtiaczaxybrrmwxhgyrneatbmrtozfqiuhdosqernpankqvkgeiokprwyvifllzlwwekdcqvmkcysqkmponhrixqufvhrnns
    cvtkzblwglkjtbiofxmbbkpyqtasmordnaulzovgoztnzgsvxoswcfzenhxtiyycewvlhjbedtwyomtnuqmgovzwpcitnucpbohxqpjqopjmrovc
    egmnwyfxrxwjmsrkhejbybrlzkarpqkigrgiwxyxhulroebbmwbmxfoaaigkiuqhshoizudejisuvpkjazbkeuzidvociqdxcikazyupegkzagoofkxml
    jpcygsjpodzdhdmbobborqqnukwzysxqlvdzrwgmgvlhtpzqsq

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Driver Control Manager v4.0 = "%Temp%\cetrnaest.exe"

The above registry entry registers a Run value with the compromised system so that the Trojan executes on every boot.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
    Driver Control Manager v4.0 = "%Temp%\cetrnaest.exe"

It also connects to the following sites:

  • dghf[removed].com
  • zer[removed].com
  • tu[removed]nen.cc

[Note: %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp]

----------------------------------

-----Update July 12, 2011----

File Information

  • MD5 - 37F5A3B98D9FE37A66E3EF81098F5D5A
  • SHA1 - C6227C4C52DB348244CE955623C894F9B763D107

Aliases

  • NOD32 - a variant of Win32/Injector.AER
  • Ikarus - Trojan.Win32.KillAV
  • Microsoft - Worm:Win32/Pushbot
  • Kaspersky - Worm.Win32.AutoRun.gwu

"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, the malware copies itself to the location below and connects to the site sik[removed].net on port 6969.

  • %SystemDrive%\WINDOWS\dllmgr.exe

It also drops the following files:

  • %SystemDrive%\OGa\RD\DesKTop.ini
  • %SystemDrive%\OGa\RD\GOx.exe

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

  • [autorun]
  • open=OGa\RD\GOx.exe
  • ;Fuck U Motha Fucka  I Could have been ur Dad but the man who fucked ur mom had more change than me.
  • action=Open folder to view files
  • shell\open=Open
  • shell\open\command=OGa\RD\GOx.exe
  • shell\open\default=1

The following registry key has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}]
    StubPath = "%SystemDrive%\OGa\RD\GOx.exe"

The above Active Setup StubPath entry registers the Trojan with the compromised system so that it executes on every boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Windows Dll Management Service = "dllmgr.exe"

The above registry entry registers a Run value with the compromised system so that the Trojan executes on every boot.

The following folders have been added to the system:

  • %SystemDrive%\OGa
  • %SystemDrive%\OGa\RD

[Note: %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-----------------

-----Update February 11, 2011----

File Information

    • MD5 - 45db5de0b59c542d26990736b6001c45
    • SHA1 - 0ec2ec69845ad352f8a5e0e22e42e96cc6ead227

Aliases

    • F-Secure - Trojan.Generic.KDV.139932
    • Ikarus - Trojan-Dropper
    • Microsoft - Trojan:Win32/Ircbrute
    • NOD32 - Win32/AutoRun.IRCBot.FL

"W32/IRCbot.gen.a" is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, "W32/IRCbot.gen.a" copies itself to the following location:

    • %Temp%\trinaest.exe

It also drops an autorun.inf file into the root of all removable and mapped drives, in an attempt to run an executable automatically when the drive is accessed.

    • [Removable Drive]:\autorun.inf
    • [Removable Drive]:\ [USERNAME]VMXPPv22\[USERNAME]VMXPPv22.exe

The Trojan establishes an IRC connection with the IP address "173.234.[removed]" through remote Port 8888.

The following registry values have been added to the system

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      Driver Control Manager v3.6 = "%Temp%\trinaest.exe"
    • [HKEY_CURRENT_USER\-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
      Driver Control Manager v3.6 = "%Temp%\trinaest.exe"

The above two registry values ensure that the Trojan executes every time Windows starts.

The Trojan attempts to communicate with a remote IRC server using the following commands:

    • NICK
    • JOIN
    • PASS "#test123
    • USER admin
    • PART
    • QUIT
    • PING
    • PONG
    • PRIVMSG

The file "AutoRun.inf" points to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax:

    • [autorun]
    • open=[USERNAME]VMXPP\[USERNAME]VMXPP\[USERNAME]VMXPPv22.exe
    • icon=%SystemRoot%\system32\SHELL32.dll,4
    • action=Open folder to view files
    • shell\open=Open
    • shell\open\command=[USERNAME]VMXPP\[USERNAME]VMXPP\[USERNAME]VMXPPv22.exe;
    • shell\open\default=1;
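The four autorun.inf listings in this advisory share the same tricks: random-letter comment lines, junk lines with no "=", malformed header-like lines, odd key casing, doubled backslashes in key names and trailing semicolons on values. The following Python triage helper is an added example, not part of the advisory; it parses such a file and reports what a defender should look at. The sample content is constructed from the listings above, with the random-letter lines shortened.

```python
"""Triage helper for autorun.inf files like the ones listed in this advisory.

Constructed example, not part of the advisory. It tolerates the tricks seen in
the captured files: junk comment lines, lines of random letters with no '=',
malformed header-like lines, unusual key casing, doubled backslashes in key
names and trailing semicolons on values.
"""

# Constructed sample modelled on the listings above (random-letter lines shortened).
SAMPLE_AUTORUN = r"""
;yuygrwdqeevpmxehwpbnhyellapfvytngbirxntpzcrxpcedhdwapbbliyhjlkvfdfr
autorun]
[autorun[
[autorun]
open=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAuTOPLAY=1
shell\\open\\command=UxxxSB\DSA6DSA-731DG-E1DWGGHU5-831HD-2H12U3\System.exe;
shell\open=Explore
shell\open\default=1;
ktapcrdcyglubtiaczaxybrrmwxhgyrneatbmrtozfqiuhdosqernpankqvkgeiok
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Only a well-formed "[autorun]" header opens the section; other bracketed
    lines, comments (';') and lines without '=' are ignored, and the first
    occurrence of a key is kept.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment filler
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue  # junk line of random letters, or outside the section
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("\\\\", "\\")  # collapse doubled backslashes
        value = value.strip().rstrip(";").strip()         # drop trailing ';'
        entries.setdefault(key, value)
    return entries


def launch_targets(entries):
    r"""Paths the file hands to Autorun: 'open', 'shellexecute' and any shell\<verb>\command."""
    targets = []
    for key, value in entries.items():
        parts = key.split("\\")
        verb_command = len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"
        if (key in ("open", "shellexecute") or verb_command) and value not in targets:
            targets.append(value)
    return targets


def suspicious_findings(entries):
    """Heuristic findings for a defender; an empty list means nothing stood out."""
    findings = []
    for target in launch_targets(entries):
        if target.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"launches executable: {target}")
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append("action text mimics the built-in 'Open folder to view files' prompt")
    if entries.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 requested")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon borrowed from SHELL32.dll to look like an ordinary drive")
    return findings


if __name__ == "__main__":
    for finding in suspicious_findings(parse_autorun(SAMPLE_AUTORUN)):
        print("-", finding)
```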

[Note: %Temp% is C:\Documents and Settings\[USERNAME]\Local Settings\Temp]


-----------------

-----Update February 11, 2011----

A newly discovered variant has the following additional capabilities:

- Proxy awareness - via contact to one of the following sites:

http://www.belgarion.com/images/azenv.php
http://proxywoorld.ovh.org/azenv.php
http://proxyworld.ifrance.com/azenv.php

- Detection and termination of stand-alone security and monitoring tools

- Spread via USB, with autorun capabilities

--Update April 6, 2009--

A variant has been discovered that is attempting to exploit the MS08-067 vulnerability.

Characteristics unique to this variant include:

W32/IRCbot.gen.a copies itself to the following location:

  • %Windir%\netmon.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

W32/IRCbot.gen.a also drops the following file:

  • %WinDir%\drivers\sysdrv32.sys

It will attempt communication with a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.
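The IRC handshakes listed in this advisory (PASS/NICK/USER followed by JOIN, on ports such as 6969, 8888 and 81, with a templated nick like the one above) are what a network defender can look for. The following Python detector is an added example, not part of the advisory; it runs over client-to-server IRC lines in a constructed capture format ('<src>:<sport> -> <dst>:<dport> <command> [args]'), and the flow keys, addresses and the USER value are constructed.

```python
"""Heuristic detector for bot-style IRC registrations in captured client traffic.

Constructed example, not part of the advisory. Input lines are assumed to be
client-to-server IRC messages extracted from a capture in the constructed form
'<src>:<sport> -> <dst>:<dport> <IRC command> [args]'.
"""
import re
from collections import defaultdict

# Ports where interactive IRC use is expected; anything else counts against the flow.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Bracketed, hyphen-delimited nick carrying a long numeric id, in the style of
# the "[00-USA-XP-9215671]" nick listed above.
TEMPLATE_NICK = re.compile(r"^\[(?=[^\]]*-[^\]]*-)(?=[^\]]*\d{5})[^\]]+\]$")

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\S+)(?: (.*))?$")

# Constructed sample: one bot-like registration on port 6969 (the port named in
# the July 12, 2011 update) and one ordinary user session on 6667.
SAMPLE_LINES = """
10.0.0.5:49152 -> 203.0.113.7:6969 PASS h4xg4ng
10.0.0.5:49152 -> 203.0.113.7:6969 NICK [00-USA-XP-9215671]
10.0.0.5:49152 -> 203.0.113.7:6969 USER SP2-ojd-HOST01 0 0 :SP2-ojd-HOST01
10.0.0.5:49152 -> 203.0.113.7:6969 JOIN #test123
10.0.0.5:49152 -> 203.0.113.7:6969 PONG :203.0.113.7
10.0.0.9:50001 -> 198.51.100.3:6667 NICK alice
10.0.0.9:50001 -> 198.51.100.3:6667 USER alice 0 * :Alice
10.0.0.9:50001 -> 198.51.100.3:6667 JOIN #python
10.0.0.9:50001 -> 198.51.100.3:6667 PRIVMSG #python :hi all
"""


def parse_line(line):
    """Split one captured line into (flow key, destination port, COMMAND, args)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, cmd, args = m.groups()
    return f"{src}:{sport}->{dst}:{dport}", int(dport), cmd.upper(), (args or "").strip()


def analyze(lines):
    """Return {flow key: [reasons]} with one entry per observed flow."""
    flows = defaultdict(lambda: {"port": 0, "cmds": [], "nick": ""})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or non-matching line
        key, dport, cmd, args = parsed
        flow = flows[key]
        flow["port"] = dport
        flow["cmds"].append(cmd)
        if cmd == "NICK":
            flow["nick"] = args
    results = {}
    for key, flow in flows.items():
        reasons = []
        if flow["port"] not in STANDARD_IRC_PORTS:
            reasons.append(f"IRC registration on non-standard port {flow['port']}")
        if TEMPLATE_NICK.match(flow["nick"]):
            reasons.append(f"templated nick {flow['nick']} (bracketed, hyphen-delimited, numeric id)")
        if {"PASS", "NICK", "USER"} <= set(flow["cmds"]):
            reasons.append("server password supplied during registration")
        if "JOIN" in flow["cmds"] and "PRIVMSG" not in flow["cmds"]:
            reasons.append("joined a channel but never sent PRIVMSG (waits for commands)")
        results[key] = reasons
    return results


def flagged(lines, min_reasons=2):
    """Flows where at least min_reasons heuristics fired; a single hit is too noisy on its own."""
    return {key: reasons for key, reasons in analyze(lines).items() if len(reasons) >= min_reasons}


if __name__ == "__main__":
    for key, reasons in flagged(SAMPLE_LINES.splitlines()).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```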

Attempts to connect to the following domains:

  • hxxp://98.1[removed]
  • hxxp://74.2[removed]

--Update October 03, 2008--

Upon execution, a new variant of W32/IRCbot.gen.a virus copies itself to the following folder:

  • %WinDir%\system32\vista.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It hooks the system startup by adding the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VistaUpgrade: "%WinDir%\System32\vista.exe"

It attempts to connect with the remote IRC server:

  • glbnt.opendns.be

--------------------------------------

W32/IrcBot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

This version of IRCbot may exploit the MS04-011 vulnerability to spread across shares. It is a network-aware worm and can check whether or not it has Internet connectivity. It attempts to join IRC channels and opens backdoors that allow remote access to the infected machine.

Upon execution, it drops a copy of the bot into the currently logged-on user's %SYSTEM%\drivers directory.

Some of the additional files it has been observed to drop into the %SYSTEM%\drivers directory are:

  • nwlnkpw.sys
  • nwlnkus.sys
  • nwlnkad.sys
  • nwlnked.sys
  • nwlnkcm.sys
  • nwlnkra.sys
  • nwlnkcr.sys

During testing the following registry entries were added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
    • AutoShareServer = 0x00000000
    • AutoShareWks = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxUserPort = 0x0000FFFE
    • TcpTimedWaitDelay = 0x0000001E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • AutoShareServer = 0x00000000
    • AutoShareWks = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxUserPort = 0x0000FFFE
    • TcpTimedWaitDelay = 0x0000001E

During the time of testing, the following registry entry was modified:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
    • restrictanonymous = 0x00000000 was modified to 0x00000002

http://technet.microsoft.com/en-us/library/bb418944(TechNet.10).aspx provides information regarding the significance of the restrictanonymous value.

Symptoms

Presence of the above-mentioned files in the %SYSTEM%\drivers folder and the relevant registry changes may indicate infection.

--Update February 11, 2011--

Presence of the file logfile32.txt in the C:\windows folder.

Connections to the following C&C servers on port 81:

java.KUTLUFAMILY.COM
java.BALDMANPOWER.NET
java.BALDMANPOWER.ORG
java.BALDMANPOWER.COM

Method of Infection

Either manual execution or exploitation of network service vulnerabilities.

The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

-- Update April 06, 2009 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.eweek.com/c/a/Security/Microsoft-Old-Worm-Copies-Conficker-For-New-Twist-263527/?kc=rss

--

W32/IrcBot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
