Threat Encyclopedia

Short description
Win32/AutoRun.IRCBot.AK is a worm that spreads via removable media. It can be controlled remotely. It uses techniques common to rootkits.
Installation
When executed, the worm copies itself into the following location:
  • %windir%\system\netmon.exe (56971 B)
The worm creates the following file:
  • %system%\drivers\sysdrv32.sys
The worm installs the following system driver:
  • %system%\drivers\sysdrv32.sys
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
    "netmon" = "%windir%\system\netmon.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
    SafeBoot\Minimal\netmon]
    "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
    SafeBoot\Network\netmon]
    "(Default)" = "Service"
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
  • strongkey-rc1.3-build-208.exe (56971 B)
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm receives data and commands from a remote computer or the Internet.
It communicates with the following server using the IRC protocol:
  • sithwarlord.com
It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
The worm quits immediately if the user name is one of the following:
  • CurrentUser
  • sandbox
  • vmware
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    AuthorizedApplications\List]
    "%windir%\system\netmon.exe" = "%windir%\system\
    netmon.exe:*:Enabled:netmon"
This Registry entry creates an exception for the worm in the Windows Firewall, allowing its network traffic.
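A read-only host triage script that checks a Windows system for the file, Registry, SafeBoot, firewall and removable-media indicators listed in this entry. It is an added example and not part of the ESET entry; it assumes that %system% resolves to [Environment]::SystemDirectory and that removable drives report DriveType 2 in Win32_LogicalDisk.

```powershell
function Test-AutoRunIrcBotAK {
    # Returns one object per indicator found; nothing is modified or deleted.
    $findings = @()
    $netmon = Join-Path $env:windir 'system\netmon.exe'                       # %windir%\system\netmon.exe
    $driver = Join-Path ([Environment]::SystemDirectory) 'drivers\sysdrv32.sys' # %system%\drivers\sysdrv32.sys

    # 1. Dropped worm copy and rootkit driver
    foreach ($path in @($netmon, $driver)) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $path }
        }
    }

    # 2. Run-key persistence ("netmon" value)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'netmon' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Indicator = 'RunValue'; Detail = "netmon = $($run.netmon)" }
    }

    # 3. SafeBoot entries that let the service load even in Safe Mode
    foreach ($mode in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\netmon"
        if (Test-Path -LiteralPath $sb) {
            $findings += [pscustomobject]@{ Indicator = 'SafeBoot'; Detail = $sb }
        }
    }

    # 4. Windows Firewall authorized-application exception for netmon.exe
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -like '*netmon.exe*') {
                $findings += [pscustomobject]@{ Indicator = 'FirewallException'; Detail = "$($prop.Name) = $($prop.Value)" }
            }
        }
    }

    # 5. Removable drives: dropper copy plus autorun.inf in the root folder
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
    foreach ($disk in $removable) {
        foreach ($name in 'strongkey-rc1.3-build-208.exe', 'autorun.inf') {
            $p = "$($disk.DeviceID)\$name"
            if (Test-Path -LiteralPath $p) {
                $findings += [pscustomobject]@{ Indicator = 'RemovableMedia'; Detail = $p }
            }
        }
    }
    return $findings
}

$results = Test-AutoRunIrcBotAK
if ($results) { $results | Format-Table -AutoSize } else { 'No Win32/AutoRun.IRCBot.AK indicators found.' }
```

Run it from an elevated PowerShell prompt so the HKLM and driver paths are readable; a hit on the SafeBoot or driver indicators means the rootkit component may be hiding the file and Run value from normal listings, so confirm with an offline scan.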