Win32/AutoRun.IRCBot.FC

Aliases:	Net-Worm.Win32.Mytob.gvm (Kaspersky), W32.IRCBot.Gen (Symantec), Trojan:Win32/Qhost.gen!D (Microsoft)
Type of infiltration:	Worm
Size:	81920 B
Affected platforms:	Microsoft Windows
Signature database version:	5183 (20100608)

Short description

Win32/AutoRun.IRCBot.FC is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

%windir%\winnt.exe

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\
Run]
"Windows Policy Management" = "winnt.exe"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List]
"%malwarepath%" = "%malwarepath%:*:Enabled:Windows Policy
Management"

The performed data entry creates an exception in the Windows Firewall program.

The worm quits immediately if it detects a running process containing one of the following strings in its name:

Wireshark
tcpview
filemon
procmon

The worm quits immediately if the Windows user name is one of the following:

sandbox
honey
vmware
currentuser

The worm quits immediately if it is run within a debugger.

Spreading

Worm inserts a copy of itself into the RAR archive files.

The file name is randomly generated.

Spreading via IM networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via IM networks.

If MSN Live Messenger, Yahoo! Messenger, AIM is installed on the infected system the worm sends a message containing an URL to all contacts.

If the link is clicked a copy of the worm is downloaded.

Spreading on removable media

The worm creates the following folders:

%drive%\driver\usb

The following files are dropped into the %drive%\driver\usb folder:

%variable% (81920 B)
desktop.ini

The worm creates the following file:

%drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

A string with variable content is used instead of %variable%.

Spreading via P2P networks

Win32/AutoRun.IRCBot.FC is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:

Bearshare
eDonkey2000
eMule
Grokster
ICQ
Kazaa

It tries to place a copy of itself into the folders.

The following filenames are used:

Autoloader.exe
DDOSPING.exe
Ebooks.exe
FREEPORN.exe
fuckshitcunt.scr
headjobs.scr

Other information

The worm acquires data and commands from a remote computer or the Internet. The IRC protocol is used.

The worm connects to the following addresses:

alpha20.ishell.net

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
update itself to a newer version
retrieve information from protected storage and send it to
the remote computer
collect information about the operating system used
send gathered information

The following file is modified:

%system%\drivers\etc\hosts

The worm writes the following entries to the file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com

This way the worm blocks access to specific websites.

The worm may execute the following commands:

netsh firewall add allowedprogram 1.exe 1 ENABLE