Win32/AutoRun.IRCBot [Threat Name] go to Threat

Win32/AutoRun.IRCBot.AK [Threat Variant Name]

Category worm
Size 56971 B
Detection created May 28, 2009
Detection database version 4110
Aliases Trojan.Win32.Buzus.auvf (Kaspersky)
  Trojan.Dropper (Symantec)
  Generic.dx (McAfee)
Short description

Win32/AutoRun.IRCBot.AK is a worm that spreads via removable media. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\­system\­netmon.exe (56971 B)

The worm creates the following file:

  • %system%\­drivers\­sysdrv32.sys

Installs the following system drivers:

  • %system%\­drivers\­sysdrv32.sys

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "netmon" = "%windir%\­system\­netmon.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Minimal\­netmon]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Network\­netmon]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­sysdrv32]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 1
    • "ImagePath" = "\­??\­%system%\­drivers\­sysdrv32.sys"
    • "DisplayName" = "Play Port I/O Driver"
    • "Group" = "SST wanport drivers"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­sysdrv32\­Enum]
    • "0" = "Root\­LEGACY_SYSDRV32\­0000"
    • "Count" = 1
    • "NextInstance" = 1
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • strongkey-rc1.3-build-208.exe (56971 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.


It communicates with the following server using IRC protocol:

  • sithwarlord.com

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic

The worm quits immediately if the user name is one of the following:

  • CurrentUser
  • sandbox
  • vmware

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%windir%\­system\­netmon.exe" = "%windir%\­system\­netmon.exe:*:Enabled:netmon"

The performed data entry creates an exception in the Windows Firewall program.

Please enable Javascript to ensure correct displaying of this content and refresh this page.