Threat Encyclopaedia

Win32/IRCBot.ANR

Aliases: Trojan.Win32.Agent.cjwr (Kaspersky), Generic.dx!ez (McAfee), Backdoor:Win32/Momibot.gen!B (Microsoft)
Type of infiltration: Trojan
Size: 51712 B
Affected platforms: Microsoft Windows
Signature database version: 4144 (20090610)

Short description

Win32/IRCBot.ANR is a trojan which modifies the behavior of network routers.

Installation

When executed, the trojan copies itself into the following location:
  • %system%\%variable1%.exe (51712 B)
The trojan registers itself as a system service using the following name:
  • %variable2%
The service Display Name consists of some of the following strings:
  • %variable3%
A string with variable content is used instead of %variable1-3%.

The trojan creates and runs a new thread with its own program code within the following processes:
  • svchost.exe


The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\a2service.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ArcaCheck.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\arcavir.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ashDisp.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ashEnhcd.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ashServ.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ashUpd.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\aswUpdSv.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\autoruns.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avadmin.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avcenter.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avcls.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avconfig.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avconsol.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avgnt.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avgrssvc.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avguard.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\AvMonitor.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avp.com]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avp.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\AVP32.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avscan.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avz.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avz4.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\avz_se.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\bdagent.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\bdinit.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\caav.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\caavguiscan.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\casecuritycenter.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\CCenter.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ccupdate.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\cfp.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\cfpupdat.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\cmdagent.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\drwadins.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\DRWEB32.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\drwebupw.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\ekrn.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\FAMEH32.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\filemon.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\FPAVServer.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\fpscan.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\FPWin.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\fsav32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\fsgk32st.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\FSMA32.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\GFRing3.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\guardgui.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\guardxservice.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\guardxup.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\HijackThis.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KASMain.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KASTask.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KAV32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KAVDX.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KAVPF.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KAVPFW.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KAVStart.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KPFW32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\KPFW32X.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Navapsvc.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Navapw32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\navigator.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\NAVNT.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\NAVSTUB.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\NAVW32.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\NAVWNT.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\niu.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\nod32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\nod32krn.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Nvcc.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\OllyDBG.EXE]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\outpost.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\preupd.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\procexp.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\pskdr.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\regedit.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\regmon.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\RegTool.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\scan32.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\SfFnUp.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Vba32arkit.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\vba32ldr.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\vsserv.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Zanda.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\zapro.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\Zlh.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\zonealarm.exe]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\zoneband.dll]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    AFD\Parameters]
    "DisableRawSecurity" = 1
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 1
    "AntiVirusDisableNotify" = 1
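The registry entries above are the defender's best handle on this trojan: an Image File Execution Options "Debugger" value makes Windows launch the configured command when the named image is started, so pointing it at "ntsd -d" for dozens of security tools keeps those tools from coming up normally; DisableRawSecurity under AFD\Parameters and the three *DisableNotify values under Security Center silence the remaining warnings. As an added example (it is not ESET's code and not part of this report), the following Python parses a constructed .reg-style export and flags all three kinds of tampering. The sample export, the rule names and the benign GlobalFlag entry (included so the rules have something to ignore) are assumptions of the example.

```python
import re
from typing import Dict, List, Union

# Constructed .reg-style export containing the keys this report lists plus one benign
# IFEO entry (GlobalFlag, a legitimate debugging setting) that the rules must not flag.
# Sample data, not an export from a real infected host.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DisableRawSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"""

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
AFD_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

KEY_RE = re.compile(r"^\[(.+)\]$")
# Handles the two value forms used here: "Name"="string" and "Name"=dword:hex8.
# Binary and multi-string values, and escaped quotes inside strings, are out of scope.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')

Registry = Dict[str, Dict[str, Union[str, int]]]


def parse_reg_export(text: str) -> Registry:
    """Parse a .reg export into {key_path: {value_name_lower: value}}."""
    entries: Registry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string_val, dword_hex = m.groups()
            # Value names are case-insensitive in the registry, so store them lowercased.
            entries[current][name.lower()] = string_val if string_val is not None else int(dword_hex, 16)
    return entries


def find_tampering(entries: Registry) -> List[dict]:
    """Apply three rules derived from the entries listed in this report."""
    findings = []
    for key, values in entries.items():
        lk = key.lower()
        if lk.startswith(IFEO_KEY.lower() + "\\") and "debugger" in values:
            # Any Debugger value under IFEO redirects the named image to another program;
            # "ntsd -d" set against a security product is the pattern described above.
            findings.append({"rule": "ifeo_debugger_hijack",
                             "detail": key[len(IFEO_KEY) + 1:],
                             "value": values["debugger"]})
        elif lk == AFD_KEY.lower() and values.get("disablerawsecurity") == 1:
            findings.append({"rule": "afd_raw_socket_security_disabled",
                             "detail": "DisableRawSecurity", "value": 1})
        elif lk == SECURITY_CENTER_KEY.lower():
            for name, value in values.items():
                if name.endswith("disablenotify") and value == 1:
                    findings.append({"rule": "security_center_notification_disabled",
                                     "detail": name, "value": 1})
    return findings


if __name__ == "__main__":
    for f in find_tampering(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['rule']:40} {f['detail']}")
```

On a live host the same rules can be run over the output of `reg export` for the three key paths; the IFEO rule deliberately fires on any Debugger value rather than only on "ntsd -d", since the redirect works with any command and the legitimate uses of that value on a workstation are rare enough to review by hand.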

Other information

The trojan contains a list of 6 URLs and tries to download several files from those addresses.

These are stored in the following locations:
  • %system%\%variable%.exe
  • %temp%\%variable%.exe
A string with variable content is used instead of %variable%.

The trojan creates the following files:
  • %system%\%random%.dat
  • %temp%\.bat
A string with variable content is used instead of %random%.

The trojan launches the following processes:
  • regsvr32.exe /s %temp%\.bat
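The launch above is the second good detection point: regsvr32.exe loads whatever path it is given as a library and calls its registration entry point, so the ".bat" name does not mean a batch script runs, it means a module in the temp directory is being loaded under a misleading extension. As an added example, not part of the ESET report, the following Python checks constructed Sysmon-style process-creation events (Image, CommandLine, ParentImage fields, all assumed) and flags regsvr32 invocations whose module lives in a temp directory or lacks a library extension. The events are constructed; the first one mirrors the command line listed above, with the parent set to svchost.exe to match the thread injection described earlier.

```python
import re
import ntpath
from typing import List

# Constructed process-creation events in Sysmon-like shape. Event 1 mirrors the launch
# this report lists; the other three are benign controls that must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\.bat",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /u C:\Windows\System32\msxml3.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Extensions regsvr32 is normally pointed at; anything else is worth a look.
LIBRARY_EXTENSIONS = (".dll", ".ocx", ".ax")
# Substrings (lowercased) that identify the per-user and system temp directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on spaces, keeping quoted paths whole (shlex is POSIX-only)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def regsvr32_targets(cmd: str) -> List[str]:
    """Return the module paths on a regsvr32 command line, i.e. every non-switch argument."""
    tokens = split_cmdline(cmd)[1:]  # drop the program name itself
    return [t for t in tokens if not t.startswith(("/", "-"))]


def flag_regsvr32(events: List[dict]) -> List[dict]:
    """Flag regsvr32 loads from temp directories or of files without a library extension."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "regsvr32.exe":
            continue
        for target in regsvr32_targets(ev["CommandLine"]):
            reasons = []
            t = target.lower()
            if any(marker in t for marker in TEMP_MARKERS):
                reasons.append("module_in_temp_dir")
            # ntpath.splitext() treats a leading dot as part of the file name, so a file
            # called ".bat" would report no extension at all; endswith() handles that case.
            if not t.endswith(LIBRARY_EXTENSIONS):
                reasons.append("non_library_extension")
            if reasons:
                findings.append({"target": target,
                                 "parent": ev["ParentImage"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_regsvr32(SAMPLE_EVENTS):
        print(f"{f['target']}  (parent {f['parent']}): {', '.join(f['reasons'])}")
```

The two reasons are reported separately because each is useful alone: a properly named .dll dropped in %temp% still trips the first rule, and a module with an odd extension in a vendor directory still trips the second.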