
W32.IRCBot.Gen

Anti-recovery
The threat deletes the following registry keys, which prevents the computer from being started in Safe Mode:
HKLM\System\CurrentControlSet\Control\SafeBoot
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\System\CurrentControlSet\Control\SafeBoot\Network

Injects code
In order to hinder detection and removal, Backdoor:Win32/IRCbot.gen!Y injects its code into the "winlogon.exe" process.

Network activity
Upon execution the Trojan tries to connect to the following hosts through remote port 4042:
xsi.hi5f[Removed]os.info
22.21.[Removed].65
229.51.[Removed].87
87.255.[Removed].229
this-domain[Removed]-by.abuse.ch

Installation
Upon execution, W32/IRCbot.gen.a copies itself to the following location:
%Temp%\cetrnaest.exe
It also drops the following file:
[Removable Drive]:\[USERNAME]-35FC12\[USERNAME]-35FC12\Desktop.ini
The Trojan also attempts to create an autorun.inf file on the root of removable drives. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/IRCbot.gen!AA.
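The two network indicators above, code running inside winlogon.exe and call-outs to unusual remote ports, are what a detection engineer would hunt for in endpoint telemetry. The following Python is an added example, not code from this write-up or from any vendor: it classifies Sysmon Event ID 3 (NetworkConnect) records. The records are constructed, the addresses come from the documentation ranges, and the only ports treated as indicators are the ones this write-up reports (4042, 6969, 44504) plus the conventional IRC server range.

```python
"""Hunt Sysmon network-connection records for an IRC bot that runs inside
winlogon.exe and calls out on unusual remote ports.

Added example for this write-up; not vendor code. SAMPLE_EVENTS are
constructed records using Sysmon Event ID 3 field names.
"""
import ipaddress
from pathlib import PureWindowsPath

# Address space we treat as "inside"; anything else is a public destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
WRITEUP_PORTS = {4042, 6969, 44504}           # ports named in this write-up only
IRC_PORTS = set(range(6660, 6670)) | {7000}   # conventional IRC server ports

# Constructed Sysmon Event ID 3 records (assumption: field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.15",
     "DestinationIp": "203.0.113.45", "DestinationPort": "4042"},   # injected bot -> C2
    {"Image": r"C:\WINDOWS\system32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.15",
     "DestinationIp": "10.0.0.5", "DestinationPort": "88"},         # internal: baseline only
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"PC\user",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.15",
     "DestinationIp": "198.51.100.20", "DestinationPort": "443"},   # ordinary browsing
    {"Image": r"C:\WINDOWS\dllmgr.exe", "User": r"PC\user",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.15",
     "DestinationIp": "198.51.100.7", "DestinationPort": "6969"},   # dropped copy -> C2
    {"Image": r"C:\WINDOWS\system32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.15",
     "DestinationIp": "203.0.113.9", "DestinationPort": "6667"},    # IRC port from a host process
]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return a finding dict for a suspicious outbound connection, else None."""
    if str(event.get("Initiated", "true")).lower() != "true":
        return None                                   # inbound/accepted: out of scope here
    image = PureWindowsPath(event["Image"]).name.lower()
    port = int(event["DestinationPort"])
    external = not is_internal(event["DestinationIp"])
    reasons, severity = [], None
    # winlogon.exe rarely initiates connections and never to a public address.
    if image == "winlogon.exe" and external:
        reasons.append("winlogon_outbound: winlogon.exe reached a public address")
        severity = "high"
    # Port watchlist: weak on its own, so it only raises to medium.
    if external and (port in WRITEUP_PORTS or port in IRC_PORTS):
        reasons.append(f"c2_port: remote port {port} is on the IRC-bot watchlist")
        severity = severity or "medium"
    if not reasons:
        return None
    return {"image": event["Image"], "dest": f'{event["DestinationIp"]}:{port}',
            "severity": severity, "reasons": reasons}


def hunt(events):
    """Run classify() over a batch and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], "->", finding["dest"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The process-based rule is the strong one: on the sample it fires only for the winlogon.exe record that reaches 203.0.113.45:4042. The port watchlist also fires on the svchost.exe record, which shows why port-only matches need the hosting service and destination checked before anyone acts on them. To confirm the injection itself, pair these hits with Sysmon Event ID 8 (CreateRemoteThread) events whose target is winlogon.exe.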

Payload
Allows backdoor access and control: Backdoor:Win32/IRCbot.gen!AA allows unauthorized access to and control of your computer.

Aliases
Microsoft - Worm:Win32/Dorkbot.A
ESET-NOD32 - Win32/Injector.AFCG
DrWeb - BackDoor.IRC.ngrBot.42
Kaspersky (AVP) - Backdoor.Win32.Ruskill.ruv

Characteristics
"W32/IRCbot.gen.a" is detection for a worm that spreads over USB devices using Autorun functionality.
Symantec write-up: https://www.symantec.com/security_response/writeup.jsp?docid=2002-071518-2036-99

What to do now
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution.

Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

It is a member of the Backdoor:Win32/IRCbot family of bots.

Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

The Trojan drops a file into the following path:
%Temp%\351.exe
The Trojan downloads the following file from the digital[removed].cn site:
%Temp%\Temporary Internet Files\Content.IE5\KHCN216V\kimber[1].exe
(The paths above use the general defaults for the path variables.)

Ensure that all available network shares are scanned with an up-to-date antivirus product.

The Trojan adds the following registry value so that it is executed at each system boot:
HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Mobile Device Service: "%APPDATA%\J-93219-1923-12901\mobile32.exe"
The Trojan also creates a mutex.
McAfee write-up: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=252087

After infection, the following registry value has been added to the system:
HKEY_USERS\S-1-5-21-[Varies]39522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Dbhbuzxlhtqpykvh.exe: "%UserProfile%\Application Data\Dbhbuzxlhtqpykvh.exe"
This value ensures that the Trojan runs at each system boot.

Related encyclopedia entries
Backdoor:Win32/IRCbot

Analysis by Patrik Vicol

Prevention
Take these steps to help prevent infection on your computer.

Note: the default installation location for the Windows folder on Windows 2000 and NT is "C:\WinNT"; on XP, Vista, and 7 it is "C:\Windows".

On Windows XP: insert the Windows XP CD into the CD-ROM drive and restart the computer. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. Select the Windows installation to log on to.

All users: please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore.
2. Update to the current engine and DAT files.

Note: a path written as %Variable% (such as %Temp% or %APPDATA%) refers to a variable location that is determined by the malware by querying the operating system.

Aliases (LNK component)
Microsoft - Worm:Win32/Dorkbot!lnk
Kaspersky - Trojan.WinLNK.Runner.bl
Ikarus - Worm.Win32.Dorkbot
Fortinet - LNK/AutoRun.HXW!tr
DrWeb - Win32.HLLW.Autoruner.59834

Minimum Engine: 5600.1067
File Length: Varies
Description Added: 2011-12-09
Description Modified: 2012-09-11

Malware Proliferation
W32/IRCBot.gen.bs!lnk is a link file which is dropped by the file 13a0ea84.exe [Detected as

Modifications made to the system registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Installation
Depending on the variant, Backdoor:Win32/IRCbot.gen!Y copies itself with file names that resemble legitimate programs and services, possibly in an effort to hinder detection and removal, such as the following:
%APPDATA%\ctfmon.exe
%TEMP%\

Using the backdoor, an attacker could take actions including, but not limited to, the following:
• Download and execute arbitrary files
• Upload files
• Spread to other computers using various methods of propagation
• Log keystrokes or steal

When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically. The dropped autorun.inf has the following content:
[autorun]
open=OGa\RD\GOx.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘
;Fuck U Motha Fucka I Could have been

For more information on returning an infected computer to its pre-infected state, please see the following articles: Resetting your computer's security settings to default; Stopping and starting Windows services (for Windows 7).

Trojans do not self-replicate.

Note: additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.

The worm then hides all folders on the removable drives, in an attempt to trick you into clicking on its copy rather than on the folder in your drive.

Analysis by Vincent Tiu

Threat behavior
Installation
Backdoor:Win32/IRCbot.gen!AA uses the file name "%AppData%\winsvrn32.exe".
Upon execution, W32/IRCbot.gen.a copies itself into the following location:
%Temp%\trinaest.exe
It also drops an autorun.inf file into the root of all removable drives and mapped drives so that it is launched automatically when the drive is opened.

Removable drives
Backdoor:Win32/IRCbot.gen!Y may create the following copies of itself on targeted removable drives when spreading:
  • [Removable Drive]:\recycler\{36436-46377-557332\autorun.exe
  • [Removable Drive]:\recycler\{36436-46377-557332\msconfig.exe
It also places an autorun.inf file on the drive.
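The removable-drive tricks described above (an autorun.inf pointing into a hidden payload folder, copies parked under a fake recycler folder, and real folders hidden so that an executable of the same name is clicked instead) can be checked mechanically. The Python below is an added example, not code from this write-up or from any vendor. The autorun.inf sample is constructed from the one quoted above, keeping the high-bit comment line byte for byte but replacing the profane comment with neutral text; the drive-root listing is constructed, and the "Photos" and "Documents" folder names are invented. On a real drive the entries would come from os.scandir() and the hidden/system attribute bits.

```python
"""Scanner for removable-drive indicators of an Autorun worm: what autorun.inf
would launch, why the target is suspicious, and folder-icon lures at the root.

Added example for this write-up; not vendor code. All sample data is constructed.
"""
from dataclasses import dataclass

# [autorun] keys that cause code to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}
TRASH_DIRS = {"recycler", "$recycle.bin", "recycled", "system volume information"}

# Constructed after the autorun.inf quoted above; line 3 is the high-bit byte run.
SAMPLE_AUTORUN_INF = (
    b"[autorun]\r\n"
    b"open=OGa\\RD\\GOx.exe\r\n"
    b";\xaa\xd3\xc8\xc5\xcc\xcc\xfc\xcf\xd0\xc5\xce\xfc\xc4\xc5\xc6\xc1\xd5\xcc\xd4\r\n"
    b";junk comment text\r\n"
)


@dataclass
class Entry:
    """One drive-root directory entry (constructed; a live scan fills this from os.scandir)."""
    name: str
    is_dir: bool
    hidden: bool = False
    system: bool = False


SAMPLE_ROOT = [
    Entry("autorun.inf", False, hidden=True, system=True),
    Entry("OGa", True, hidden=True, system=True),        # payload folder from the write-up
    Entry("recycler", True, hidden=True, system=True),   # fake recycle bin holding the copies
    Entry("Photos", True, hidden=True),                  # user's folder, hidden by the worm
    Entry("Photos.exe", False),                          # worm copy shown with a folder icon
    Entry("Documents", True, hidden=True),
    Entry("Documents.lnk", False),                       # LNK-component variant of the lure
    Entry("Report.docx", False),
]


def parse_autorun_inf(data):
    """Lenient INI parse: case-insensitive sections/keys, ';' lines are comments."""
    sections, current = {}, None
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def high_bit_comments(data):
    """Comment lines made only of bytes with bit 7 set, shown with that bit cleared.
    The INI parser above never sees them; this shows what such a line actually holds."""
    out = []
    for raw in data.splitlines():
        body = raw.strip()[1:] if raw.strip().startswith(b";") else b""
        if body and all(b & 0x80 for b in body):
            out.append(bytes(b & 0x7F for b in body).decode("ascii"))
    return out


def assess_autorun(sections, root_entries):
    """Return (target, reasons) for every launch directive in [autorun]."""
    by_name = {e.name.lower(): e for e in root_entries}
    findings = []
    auto = sections.get("autorun", {})
    for key in (k for k in LAUNCH_KEYS if k in auto):
        target = auto[key].strip().strip('"')
        parts = target.replace("/", "\\").lstrip("\\").split("\\")
        ext = parts[-1].rsplit(".", 1)[-1].lower() if "." in parts[-1] else ""
        reasons = []
        if ext in EXEC_EXTS:
            reasons.append(f"{key}= launches an executable ({parts[-1]})")
        if len(parts) > 1:
            reasons.append("target is buried in a subdirectory rather than the drive root")
            first = by_name.get(parts[0].lower())
            if first is not None and first.is_dir and (first.hidden or first.system):
                reasons.append(f"first path component '{parts[0]}' is a hidden/system folder")
            if parts[0].lower() in TRASH_DIRS:
                reasons.append(f"'{parts[0]}' imitates a recycle-bin/system folder")
        if reasons:
            findings.append((target, reasons))
    return findings


def folder_lures(root_entries):
    """Files named like a hidden folder plus an executable extension: the folder-icon trick."""
    hidden_dirs = {e.name.lower() for e in root_entries if e.is_dir and e.hidden}
    lures = []
    for e in root_entries:
        if e.is_dir or "." not in e.name:
            continue
        stem, ext = e.name.rsplit(".", 1)
        if stem.lower() in hidden_dirs and ext.lower() in EXEC_EXTS:
            lures.append(e.name)
    return lures


if __name__ == "__main__":
    sections = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for target, reasons in assess_autorun(sections, SAMPLE_ROOT):
        print("autorun target:", target, "|", "; ".join(reasons))
    print("hidden comment reads:", high_bit_comments(SAMPLE_AUTORUN_INF))
    print("folder lures:", folder_lures(SAMPLE_ROOT))
```

On the sample this reports one launch target, OGa\RD\GOx.exe, with three reasons (executable, buried in a subdirectory, first component is a hidden system folder), and two lures, Photos.exe and Documents.lnk. The high-bit comment line turns out to be the ASCII text "*SHELL|OPEN|DEFAULT" with bit 7 set on every byte; whatever the author intended by it, any parser that discards ';' lines as comments, including the one here, never evaluates it, which is exactly why a scanner should report such lines rather than silently skip them.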


Virus Characteristics
"W32/IRCbot!lnk" is a link file which is dropped by the file "hYStyP.exe" [Detected as W32/IRCbot.gen.cr].

Indications of Infection
Presence of the registry keys mentioned above.

It connects to and downloads files from the IP address 84.[removed].44 using remote port 44504.

Because of a lack of standard naming conventions and also because of common features, variants of Win32.IRCBot can often be confused with the Agobot and Spybot families of worms.

Backdoor:Win32/IRCbot.gen!Z modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: (variable name)
With data: (path to the copy), for example "C:\Windows\ddqps.exe"

Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:

    • Download, upload and run files (including plugins for the bot)

    In order to lure the user into executing the file, the worm uses an icon that resembles a folder icon.

Trojans are spread manually, often under the premise that they are beneficial or wanted.

In the wild, we have observed the following modifications to the registry:
In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Defender" With data: "%system%\windefend.exe"
Sets value: "Windows Defense Service" With data: "%system%\windefend.exe"

Upon execution, it drops a copy of the bot into the %SYSTEM%\drivers directory.

Upon execution, the malware copies itself to the location below and connects to the site sik[removed].net through port 6969:
%SystemDrive%\WINDOWS\dllmgr.exe
It also drops the following files:
%SystemDrive%\OGa\RD\DesKTop.ini
%SystemDrive%\OGa\RD\GOx.exe
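The registry changes collected in this write-up fall into two groups: Run values that relaunch the bot at logon (from %APPDATA%, %UserProfile%\Application Data, or under a borrowed name such as ctfmon.exe), and the deleted SafeBoot keys. The Python below is an added example, not code from this write-up or from any vendor, that triages a `reg export` dump for both. SAMPLE_REG is constructed after the values quoted on this page; the SID, the SecurityHealth entry and the BootExecute line are invented filler so that the parser has benign and non-string values to step over. It assumes the dump was produced with `reg export` (only REG_SZ values are inspected; other types are recorded as present but not analysed).

```python
"""Triage a .reg export for bot persistence: Run values launching from
user-writable paths or under borrowed system-binary names, and missing
SafeBoot keys.

Added example for this write-up; not vendor code. SAMPLE_REG is constructed.
"""
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# A Run target should not live where an unprivileged user can write.
USER_WRITABLE = ("%appdata%", "%temp%", "%tmp%", "%userprofile%",
                 "\\application data\\", "\\appdata\\", "\\local settings\\", "\\temp\\")
# Names this write-up shows the bot borrowing; the genuine binaries live in System32.
MIMICKED = {"ctfmon.exe", "msconfig.exe"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%system%\\windefend.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_USERS\S-1-5-21-1234567890-1234567890-1234567890-500\Software\Microsoft\Windows\CurrentVersion\Run]
"Mobile Device Service"="%APPDATA%\\J-93219-1923-12901\\mobile32.exe"
"Dbhbuzxlhtqpykvh.exe"="\"%UserProfile%\\Application Data\\Dbhbuzxlhtqpykvh.exe\""
"ctfmon"="%APPDATA%\\ctfmon.exe"
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
'''


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; non-string values get data None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        s = STRING_RE.match(m.group("data"))
        keys[current][name] = _unescape(s.group(1)) if s else None
    return keys


def command_image(cmd):
    """Executable path from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def suspicious_run_values(keys):
    """Flag Run values whose target is user-writable or borrows a System32 name."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            if data is None:
                continue
            image = command_image(data)
            low = image.lower().replace("/", "\\")
            exe = low.rsplit("\\", 1)[-1]
            reasons = []
            if any(marker in low for marker in USER_WRITABLE):
                reasons.append("target lives in a user-writable location")
            if exe in MIMICKED and "\\system32\\" not in low:
                reasons.append(f"{exe} is a System32 name running from elsewhere")
            if reasons:
                findings.append({"key": key, "name": name, "image": image, "reasons": reasons})
    return findings


def missing_safeboot_keys(keys):
    """SafeBoot keys absent from the dump; all three missing means no Safe Mode."""
    present = {k.lower() for k in keys}
    wanted = (SAFEBOOT, SAFEBOOT + r"\Minimal", SAFEBOOT + r"\Network")
    return [k for k in wanted if k.lower() not in present]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for f in suspicious_run_values(parsed):
        print(f'{f["name"]!r} -> {f["image"]}: {"; ".join(f["reasons"])}')
    for k in missing_safeboot_keys(parsed):
        print("missing:", k)
```

On the sample this flags the Mobile Device Service, Dbhbuzxlhtqpykvh.exe and ctfmon values and reports all three SafeBoot keys missing. Note what it does not flag: the "Windows Defender" value pointing at %system%\windefend.exe sits in System32 under a plausible name and passes a path-only check. That is the limit of registry triage; each surviving Run target still has to be confirmed by Authenticode signature and hash before the host is called clean.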

The following Microsoft products detect and remove this threat: Microsoft Security Essentials, Microsoft Safety Scanner.

This threat may make lasting changes to a computer's configuration. If the Master Boot Record has been modified, go to the Microsoft Recovery Console and restore a clean MBR.

An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Methods of Infection
This worm spreads by its intended method of infected removable drives. Trojans are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive.
