Threat Encyclopedia

Short description
Win32/IRCBot.ANR is a backdoor which modifies the behavior of network routers.
Installation
When executed, the backdoor copies itself into the following location:
  • %system%\%variable1%.exe (51712 B)
The backdoor registers itself as a system service under the following name:
  • %variable2%
The service display name is likewise variable:
  • %variable3%
A string with variable content is used instead of %variable1-3%.

The backdoor injects its own code into the following process and runs it there in a new thread:
  • svchost.exe

The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\a2service.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\ArcaCheck.exe]
    "Debugger" = "ntsd -d"
A Debugger value under an image's Image File Execution Options key makes Windows start the named command in place of that executable each time it is launched, so these two programs are prevented from running normally.
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 1
    "AntiVirusDisableNotify" = 1
Setting these values to 1 suppresses the Windows Security Center notifications about the state of the firewall, automatic updates and antivirus protection.
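To check a host for these two traces offline, the following Python script (an added example, not part of the ESET description) parses a .reg export and reports Image File Execution Options Debugger hijacks and Security Center notification switches. The sample export embedded in it is constructed to mirror the entries listed above, plus one benign IFEO key so the filtering is visible.

```python
"""Offline check of an exported registry file (.reg text) for the two
defence-evasion traces listed above: Image File Execution Options
"Debugger" hijacks and Security Center notification suppression.
Added example, not ESET's code; the sample export below is constructed."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
DISABLE_NOTIFY_VALUES = ("FirewallDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusDisableNotify")

# Constructed sample export; not taken from an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"""

# "name"=data  or  @=data (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export.
    REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) are decoded; other
    data types are kept as the raw text after '='."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        entries[current][name] = value
    return entries


def find_ifeo_debuggers(entries):
    """Return sorted (image_name, debugger_command) pairs for every IFEO
    subkey carrying a Debugger value. Windows runs that command instead
    of the image, so each hit is a blocked or redirected program unless
    an administrator placed it deliberately."""
    prefix = (IFEO_KEY + "\\").lower()
    hits = []
    for key, values in entries.items():
        if key.lower().startswith(prefix) and "Debugger" in values:
            hits.append((key[len(prefix):], values["Debugger"]))
    return sorted(hits)


def find_disabled_notifications(entries):
    """Return the Security Center *DisableNotify values set to 1, i.e. the
    alert categories the host will no longer show to the user."""
    for key, values in entries.items():
        if key.lower() == SECURITY_CENTER_KEY.lower():
            return sorted(n for n in DISABLE_NOTIFY_VALUES if values.get(n) == 1)
    return []


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for image, dbg in find_ifeo_debuggers(parsed):
        print(f"IFEO Debugger hijack: {image} -> {dbg!r}")
    for name in find_disabled_notifications(parsed):
        print(f"Security Center alert suppressed: {name}")
```

On a live system the same two functions can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` and the Security Center key; any Debugger value that an administrator cannot account for should be treated as a blocked program.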
Other information

The backdoor contains a list of 6 URLs and tries to download files from them.

These are stored in the following locations:
  • %system%\%variable%.exe
  • %temp%\%variable%.exe
A string with variable content is used instead of %variable%.

The backdoor creates the following files:
  • %system%\%random%.dat
  • %temp%\.bat
A string with variable content is used instead of %random%.

The backdoor launches the following process:
  • regsvr32.exe /s %temp%\.bat
regsvr32 loads the file it is given as a DLL regardless of its extension, so the .bat name does not make this a batch script; the /s switch suppresses the registration dialog boxes.
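The regsvr32 launch above is the kind of command line a process-creation log should surface. The following Python (an added example, not ESET's code) flags regsvr32 invocations whose target lacks a DLL-style extension or sits in a temp directory; the command lines it checks are constructed, with the first one mirroring the listed launch and %temp% expanded to a plausible path.

```python
"""Flag regsvr32.exe invocations matching the launch pattern listed
above: a target without a DLL-style extension and/or in a temp folder.
Added example, not ESET's code; the command lines below are constructed."""
import ntpath
import re

DLL_EXTENSIONS = (".dll", ".ocx", ".ax", ".cpl")

# Constructed process command lines. The first mirrors the listed
# launch with %temp% expanded to a plausible service temp path.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\regsvr32.exe /s C:\Windows\Temp\.bat',
    r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\comctl.dll"',
    r'regsvr32.exe /u "C:\Users\bob\AppData\Local\Temp\update.dll"',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]


def split_windows_cmdline(cmdline):
    """Split on whitespace while keeping double-quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_regsvr32(cmdline):
    """Return the reasons a regsvr32 command line looks suspicious.
    An empty list means it is not regsvr32 or nothing stood out."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "regsvr32.exe":
        return []
    switches = [t for t in tokens[1:] if t[:1] in ("/", "-")]
    targets = [t for t in tokens[1:] if t[:1] not in ("/", "-")]
    reasons = []
    for target in targets:
        name = ntpath.basename(target).lower()
        # regsvr32 hands whatever path it is given to LoadLibrary, so a
        # non-DLL name (here a file literally called ".bat") still loads
        # as a DLL; the extension is cosmetic.
        if not name.endswith(DLL_EXTENSIONS):
            reasons.append(f"target {target!r} lacks a DLL extension")
        folder = ntpath.dirname(target).lower()
        if folder.endswith("\\temp") or "\\temp\\" in folder:
            reasons.append(f"target {target!r} lives in a temp directory")
    if reasons and any(s.lower() == "/s" for s in switches):
        # /s is routine for installers, so it only adds weight once the
        # target itself is odd: it hides the dialogs a user would see.
        reasons.append("silent switch /s suppresses registration dialogs")
    return reasons


def hunt(cmdlines):
    """Map each flagged command line to its list of reasons."""
    flagged = {}
    for cmdline in cmdlines:
        reasons = analyze_regsvr32(cmdline)
        if reasons:
            flagged[cmdline] = reasons
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_COMMAND_LINES).items():
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

Treat the extension check as the strong signal and the temp-folder check as supporting context: legitimate installers do register DLLs from temp directories, but they do not name them ".bat".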