Threat Encyclopedia

Short description
Win32/AutoRun.IRCBot.AU is a worm that spreads via removable media. It can be controlled remotely. It uses techniques common to rootkits.
Installation
When executed, the worm copies itself into the following location:
  • %windir%\system\lsass.exe (23552 B)
The worm creates the following file:
  • %system%\drivers\sysdrv32.sys (11656 B)
The worm installs the following system driver:
  • %system%\drivers\sysdrv32.sys
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ilasss" = "%windir%\system\lsass.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsass]
    "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lsass]
    "(Default)" = "Service"
The worm deletes the original file.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
  • Key-Installer.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm receives data and commands from a remote computer or the Internet.

It communicates with the following server using the IRC protocol:
  • 1.sdhjiww.com
The worm can download and execute a file from the Internet.

The worm quits immediately if the user name is one of the following:
  • CurrentUser
  • sandbox
  • vmware
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\system\lsass.exe" = "%windir%\system\lsass.exe:*:Microsoft Enabled"
This Registry entry creates an exception for the worm's executable in the Windows Firewall.

It uses techniques common to rootkits: the worm hides its running process.
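The following host triage script is an added example, not part of the encyclopedia entry: it checks a Windows system for the file, driver, Registry and firewall artifacts listed above and reports what it finds. It assumes an elevated PowerShell session and takes the entry's %system% placeholder to mean the System32 folder.

```powershell
# Added triage script (not from the original entry). Assumption: run as administrator;
# %system% in the entry is read as $env:SystemRoot\System32.
$findings = @()

# 1. Dropped executable and driver. Note the legitimate lsass.exe lives in System32,
#    not in the legacy %windir%\system folder used by the worm.
$files = @(
    (Join-Path $env:windir 'system\lsass.exe'),
    (Join-Path $env:SystemRoot 'System32\drivers\sysdrv32.sys')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Persistence: Run value named "ilasss" pointing at the dropped copy
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ilasss']) {
    $findings += "Run value 'ilasss' = $($run.ilasss)"
}

# 3. Safe-mode survival: SafeBoot\Minimal and SafeBoot\Network keys named "lsass"
foreach ($bootMode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$bootMode\lsass"
    if (Test-Path -LiteralPath $key) { $findings += "SafeBoot entry present: $key" }
}

# 4. Any driver service that loads sysdrv32.sys (the service name is not given in the entry)
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName -like '*sysdrv32.sys' }
foreach ($d in $drivers) {
    $findings += "Driver service '$($d.Name)' loads $($d.PathName) (state: $($d.State))"
}

# 5. Firewall exception whose value name is the dropped file's path
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in ($fw.PSObject.Properties | Where-Object { $_.Name -like '*\system\lsass.exe' })) {
        $findings += "Firewall exception: $($p.Name) = $($p.Value)"
    }
}

# 6. lsass.exe running from anywhere other than System32. The worm hides its process,
#    so an empty result here does not clear the host; the file and Registry checks above do.
$procs = Get-Process -Name lsass -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" }
foreach ($p in $procs) {
    $findings += "lsass.exe running from unexpected path: $($p.Path) (PID $($p.Id))"
}

if ($findings.Count -eq 0) { 'No Win32/AutoRun.IRCBot.AU artifacts found.' } else { $findings }
```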