| Aliases: | Trojan.Win32.Buzus.auvf (Kaspersky), Trojan.Dropper (Symantec), Generic.dx (McAfee) |
| Type of infiltration: | Worm |
| Size: | 56971 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4110 (20090528) |
Short description
Win32/AutoRun.IRCBot.AK is a worm that spreads via removable media. It can be controlled remotely over IRC. It uses techniques common to rootkits: it installs a kernel-mode driver.
Installation
When executed, the worm copies itself into the following location:
- %windir%\system\netmon.exe (56971 B)
The worm creates the following file:
- %system%\drivers\sysdrv32.sys
Installs the following system drivers:
- %system%\drivers\sysdrv32.sys
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"netmon" = "%windir%\system\netmon.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SafeBoot\Minimal\netmon]
"(Default)" = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SafeBoot\Network\netmon]
"(Default)" = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
sysdrv32]
"Type" = 1
"Start" = 3
"ErrorControl" = 1
"ImagePath" = "\??\%system%\drivers\sysdrv32.sys"
"DisplayName" = "Play Port I/O Driver"
"Group" = "SST wanport drivers"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
sysdrv32\Enum]
"0" = "Root\LEGACY_SYSDRV32\0000"
"Count" = 1
"NextInstance" = 1
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
- strongkey-rc1.3-build-208.exe (56971 B)
The following file is dropped in the same folder:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm receives data and commands from a remote computer or the Internet.
It communicates with the following server using the IRC protocol:
It can execute the following operations:
- download files from a remote computer and/or Internet
- run executable files
- monitor network traffic
The worm quits immediately if the user name is one of the following:
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List]
"%windir%\system\netmon.exe" = "%windir%\system\
netmon.exe:*:Enabled:netmon"
This Registry entry adds netmon.exe to the Windows Firewall exception list, so the worm's network traffic is not blocked by the firewall.
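The indicators above, collected into a read-only host check. This is an added example and not part of the ESET description; it assumes an elevated PowerShell session on the suspect host and uses only the file names, sizes, Registry keys and values listed on this page (%windir% and %system% are resolved from the running system).

```powershell
# Added example (not from the ESET entry): report the Win32/AutoRun.IRCBot.AK
# indicators described above. Read-only; nothing is deleted or changed.
# Assumes an elevated PowerShell session on the host under investigation.

$windir = $env:windir
$system = [Environment]::GetFolderPath('System')   # %system%, e.g. C:\Windows\System32

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: %windir%\system\netmon.exe and the driver %system%\drivers\sysdrv32.sys
foreach ($f in @("$windir\system\netmon.exe", "$system\drivers\sysdrv32.sys")) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings.Add("file present: $f ($($item.Length) B)")
        # The entry gives 56971 B for netmon.exe; a size match strengthens the hit
        if ($f -like '*\netmon.exe' -and $item.Length -eq 56971) {
            $findings.Add("  size matches the documented sample (56971 B)")
        }
    }
}

# 2. Run-key persistence: HKLM\...\CurrentVersion\Run "netmon"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['netmon']) {
    $findings.Add("Run key 'netmon' = $($run.netmon)")
}

# 3. SafeBoot entries, which let the worm start even in Safe Mode
foreach ($k in 'Minimal', 'Network') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k\netmon"
    if (Test-Path -LiteralPath $p) { $findings.Add("SafeBoot\$k\netmon present") }
}

# 4. Driver service sysdrv32: Type 1 = kernel driver, Start 3 = demand start
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\sysdrv32' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("service sysdrv32: Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath) DisplayName='$($svc.DisplayName)'")
}

# 5. Windows Firewall exception for netmon.exe (StandardProfile authorized applications)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like '*\netmon.exe') { $findings.Add("firewall exception: $($prop.Name) = $($prop.Value)") }
    }
}

# 6. Removable drives (DriveType 2): the worm copies itself to the root folder
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $copy = Join-Path $_.DeviceID 'strongkey-rc1.3-build-208.exe'
    if (Test-Path -LiteralPath $copy) { $findings.Add("removable media copy: $copy") }
}

if ($findings.Count -eq 0) { 'No Win32/AutoRun.IRCBot.AK indicators found.' }
else { $findings }
```

A hit on the Run key or the SafeBoot entries alone is a weaker signal than the driver service with the documented ImagePath and DisplayName, so treat the file and service findings as the primary indicators and the rest as corroboration.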