Threat Encyclopedia


Win32/AutoRun.IRCBot.FC

Aliases: Net-Worm.Win32.Mytob.gvm (Kaspersky), W32.IRCBot.Gen (Symantec), Trojan:Win32/Qhost.gen!D (Microsoft)
Type of infiltration: Worm
Size: 81920 B
Affected platforms: Microsoft Windows
Signature database version: 5183 (20100608)

Short description

Win32/AutoRun.IRCBot.FC is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:
  • %windir%\winnt.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Policy Management" = "winnt.exe"
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%malwarepath%" = "%malwarepath%:*:Enabled:Windows Policy Management"
This entry adds the worm to the list of applications authorized by the Windows Firewall, creating a firewall exception for it.
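The two persistence artifacts above (the Run value and the firewall exception) can be checked from an exported registry listing. The following is an added example, not part of the encyclopedia entry; it works on constructed `(name, data)` dictionaries standing in for `reg query` output of the Run key and the `AuthorizedApplications\List` key, and the indicator names it matches on (`Windows Policy Management`, `winnt.exe`) are the ones given above.

```python
"""Audit exported Run-key and Windows Firewall exception values for the
persistence artifacts described above.  Added example with constructed
sample data; it is not part of the encyclopedia entry."""
import ntpath

# Indicators taken from the entry: the Run value name and the dropped file name.
RUN_VALUE_NAME = "Windows Policy Management"
DROPPED_FILE = "winnt.exe"

# Constructed (name, data) listings standing in for `reg query` output of the
# Run key and of StandardProfile\AuthorizedApplications\List.
RUN_VALUES = {
    "Windows Policy Management": "winnt.exe",
    "ExampleTray": r"C:\Program Files\Example\tray.exe",
}
FIREWALL_LIST_VALUES = {
    r"C:\Windows\winnt.exe":
        r"C:\Windows\winnt.exe:*:Enabled:Windows Policy Management",
    r"C:\Program Files\Example\example.exe":
        r"C:\Program Files\Example\example.exe:*:Enabled:Example App",
}


def command_image(data):
    """Return the executable part of a Run value: the quoted path if the data
    starts with a quote, otherwise the first whitespace-separated token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def parse_authorized_app(data):
    """Split an AuthorizedApplications\\List value, whose format is
    <path>:<scope>:<Enabled|Disabled>:<display name>.  The path carries its
    own ':' after the drive letter, so the split is done from the right."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def audit_run_values(run_values):
    """Flag Run entries that match the indicators, or that give a bare file
    name with no directory (Windows then resolves it via the search path)."""
    findings = []
    for name, data in run_values.items():
        image = command_image(data)
        base = ntpath.basename(image).lower()
        if name == RUN_VALUE_NAME or base == DROPPED_FILE:
            findings.append(f"indicator match: {name!r} = {data!r}")
        elif base and base == image.lower():
            findings.append(f"bare file name, location unclear: {name!r} = {data!r}")
    return findings


def audit_firewall_exceptions(list_values, run_values):
    """Flag enabled firewall exceptions whose display name is also a Run
    value name, or whose program matches the dropped file."""
    findings = []
    for data in list_values.values():
        app = parse_authorized_app(data)
        if app["state"].lower() != "enabled":
            continue
        base = ntpath.basename(app["path"]).lower()
        if app["name"] in run_values or base == DROPPED_FILE:
            findings.append(
                f"firewall exception for autostart program: {app['path']} ({app['name']})")
    return findings


if __name__ == "__main__":
    for line in audit_run_values(RUN_VALUES) + \
            audit_firewall_exceptions(FIREWALL_LIST_VALUES, RUN_VALUES):
        print(line)
```

The bare-file-name check is a general heuristic rather than something specific to this worm: a Run value such as `winnt.exe` gives no directory, so the real binary location has to be established from the file system before the entry is judged.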

The worm quits immediately if it detects a running process containing one of the following strings in its name:
  • Wireshark
  • tcpview
  • filemon
  • procmon
The worm quits immediately if the Windows user name is one of the following:
  • sandbox
  • honey
  • vmware
  • currentuser
The worm quits immediately if it is run within a debugger.

Spreading

The worm inserts a copy of itself into RAR archive files.

The file name is randomly generated.

Spreading via IM networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via IM networks.

If MSN Live Messenger, Yahoo! Messenger, or AIM is installed on the infected system, the worm sends a message containing a URL to all contacts.

If the link is clicked a copy of the worm is downloaded.

Spreading on removable media

The worm creates the following folders:
  • %drive%driverusb
The following files are dropped into the %drive%driverusb folder:
  • %variable% (81920 B)
  • desktop.ini
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

A string with variable content is used instead of %variable%.
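The entry does not reproduce the worm's autorun.inf, but the directives that make such a file launch code when media is inserted are fixed by the file format (`open`, `shellexecute`, and `shell\<verb>\command` under `[autorun]`). The parser below is an added example, not part of the encyclopedia entry; both sample files are constructed, and the file name `update.exe` is a placeholder for the random name the entry describes.

```python
"""Parse an autorun.inf and list the directives that would launch code.
Added example with constructed sample content; the entry does not show the
worm's real autorun.inf, so the files below are illustrative only."""

# Constructed sample in the style the entry describes: every launch directive
# points into a folder on the drive.  "update.exe" stands in for the random name.
SUSPICIOUS_AUTORUN = r"""
[AutoRun]
open=driverusb\update.exe
icon=driverusb\update.exe
shellexecute=driverusb\update.exe
shell\open\command=driverusb\update.exe
"""

# Constructed sample of the kind a legitimate product CD might carry:
# only an icon and a label, nothing that executes.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.ico
label=Product CD
"""

# Keys whose value is a program to run, as opposed to icon/label metadata.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lowercased,
    skipping blank lines and ';'/'#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return (key, command) pairs from [autorun] that would execute a program
    on insertion, on double-click of the drive, or via a shell verb."""
    auto = parse_autorun_inf(text).get("autorun", {})
    hits = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    for key, command in launch_directives(SUSPICIOUS_AUTORUN):
        print(f"{key} -> {command}")
```

Since Microsoft's 2011 AutoRun update (KB971029) Windows no longer honours autorun.inf on USB media, so on patched systems the dropped file is inert; it still remains a useful artifact for confirming an infection on a scanned drive.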

Spreading via P2P networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:
  • Bearshare
  • eDonkey2000
  • eMule
  • Grokster
  • ICQ
  • Kazaa
  • Kazaa Lite
  • Limewire
  • Morpheus
  • Tesla
  • WinMX
It tries to place a copy of itself into the folders.

The following filenames are used:
  • Autoloader.exe
  • DDOSPING.exe
  • Ebooks.exe
  • FREEPORN.exe
  • fuckshitcunt.scr
  • headjobs.scr
  • HotmailHacker.exe
  • How-to-make-money.exe
  • ilovetofuck.scr
  • image.scr
  • LimeWireCrack.exe
  • MSNHacks.exe
  • paris-hilton.scr
  • Porno.MPEG.exe
  • porno.scr
  • RapidsharePREMIUM.exe
  • ScreenMelter.exe
  • VistaUltimate-Crack.exe
  • WildHorneyTeens.scr
  • Wireshark.exe
  • YahooCracker.exe

Other information

The worm acquires data and commands from a remote computer or the Internet. The IRC protocol is used.

The worm connects to the following addresses:
  • alpha20.ishell.net
It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • retrieve information from protected storage and send it to the remote computer
  • collect information about the operating system used
  • send gathered information
  • perform DoS/DDoS attacks
  • set up a proxy server
The following file is modified:
  • %system%\drivers\etc\hosts
The worm writes the following entries to the file:
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 kaspersky-labs.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 avp.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 www.grisoft.com
  • 127.0.0.1 virustotal.com
  • 127.0.0.1 www.virustotal.com
  • 127.0.0.1 virscan.org
  • 127.0.0.1 www.virscan.org
  • 127.0.0.1 scanner.novirusthanks.org
  • 127.0.0.1 www.scanner.novirusthanks.org
  • 127.0.0.1 virusscan.jotti.org
  • 127.0.0.1 www.virusscan.jotti.org
  • 127.0.0.1 threatexpert.com
  • 127.0.0.1 ask.com
By pointing these names at the loopback address, the worm blocks access to the listed security-vendor and online-scanner websites.
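A hosts file modified in this way can be audited offline: any name other than localhost that resolves to a loopback or unspecified address is worth a look, and a match against the vendor domains listed above points directly at this kind of tampering. The script below is an added example, not part of the encyclopedia entry; the vendor domain list is taken from the entries above, and the sample hosts file is constructed (the `ads.example.net` line stands in for a benign ad-blocking entry that the check should report but not attribute to a vendor block).

```python
"""Find hosts-file entries that sinkhole security-vendor domains, as the
entry describes, and produce a quarantined copy of the file.  Added example
with constructed sample lines; not part of the encyclopedia entry."""
import ipaddress

# Domains from the list above, reduced to the suffixes that cover all of them.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "virustotal.com", "virscan.org",
    "novirusthanks.org", "jotti.org", "threatexpert.com", "ask.com",
)
# Names that legitimately map to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: two normal entries, two entries of the kind the worm
# writes, and one ad-blocking entry that is not a vendor domain.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 ads.example.net
"""


def parse_hosts(text):
    """Yield (line number, address, [hostnames]) for each entry, ignoring
    comments, blank lines and lines with fewer than two fields."""
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield number, fields[0], fields[1:]


def is_vendor_domain(name):
    """True if the name is one of the listed domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def suspicious_hosts_entries(text):
    """Return (line number, hostname, is_vendor) for every non-local name
    mapped to a loopback (127/8, ::1) or unspecified (0.0.0.0, ::) address."""
    findings = []
    for number, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address; malformed lines are left alone
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((number, name, is_vendor_domain(name)))
    return findings


def quarantine_hosts(text):
    """Return a copy of the file with every flagged line commented out, so
    the block is lifted while the evidence stays readable in the file."""
    flagged = {number for number, _, _ in suspicious_hosts_entries(text)}
    lines = text.splitlines()
    return "\n".join(f"# quarantined: {line}" if i in flagged else line
                     for i, line in enumerate(lines, 1)) + "\n"


if __name__ == "__main__":
    for number, name, vendor in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {number}: {name} {'(security vendor)' if vendor else ''}")
    print(quarantine_hosts(SAMPLE_HOSTS))
```

Commenting the lines out rather than deleting them keeps the original contents available for the incident record; on a real system the file would also be copied aside before any change, and the quarantined copy written back only once the worm's process and Run entry have been removed, since the running worm rewrites the file.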

The worm may execute the following commands:
  • netsh firewall add allowedprogram 1.exe 1 ENABLE