WORM_IRCBOT.WAT
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to Internet Relay Chat (IRC) servers.
TECHNICAL DETAILS
529,986 bytes
EXE
Yes
31 Aug 2011
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
{random} = "{malware path and file name}"
Backdoor Routine
This worm connects to any of the following Internet Relay Chat (IRC) servers:
- ircr0x.{BLOCKED}ls.net
- ircr0x.{BLOCKED}h.info
As of this writing, these servers are inaccessible.
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
- http://api.wipmania.com/