WORM_IRCBOT
Dorkbot, Hamweq, Kolab, Rimecud, Graftor, Tofsee, Ruskill, Ngrbot
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The IRCBOT malware family uses Internet Relay Chat (IRC) to send and receive commands from a bot master that operates each specific variant. IRCBOT malware are known to propagate via removable drives using software vulnerabilities. IRCBOT also used instant messaging programs like Yahoo! Messenger, MSN Messenger, and Windows Live Messenger.
This malware family has been around since 2005.
In 2010, an IRCBOT botnet dubbed as the “Chuck Norris” botnet emerged in the threat landscape. It targets vulnerable routers and DSL modems to propagate a worm, detected as WORM_IRCBOT.ABJ. Later that year, newer variants have used Facebook and Myspace to spread to other systems.
TECHNICAL DETAILS
Installation
This worm drops the following copies of itself into the affected system:
- %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
- %User Profile%\Application Data\Ciwuww.exe
- %User Profile%\Application Data\Fhwuwz.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following files:
- %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Ciwuww = "%User Profile%\Application Data\Ciwuww.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Fhwuwz = "%User Profile%\Application Data\Fhwuwz.exe"
Other Details
This worm connects to the following possibly malicious URL:
- av.{BLOCKED}c.cz
- av.{BLOCKED}en.cc
- bt1.{BLOCKED}a.com
- bt1.{BLOCKED}um.com
- bt1.{BLOCKED}y.com
- dl.{BLOCKED}k.com
- fanta.{BLOCKED}er.com
- haso.{BLOCKED}g.com
- http://{BLOCKEDe.com/dl/143405707/43967b3/1c1.com
- http://{BLOCKED}e.com/dl/147117570/df10b90/125.gif.exe
- http://{BLOCKED}e.com/dl/148475728/eb6b618/x1010.exe
- http://img103.{BLOCKED}h.com/2012/02/26/671531634.gif
- http://img105.{BLOCKED}h.com/2012/02/26/306561211.gif
- http://s530.{BLOCKED}le.com/get/{random}/{random}/2/8bf8cc5ef4a9bd85/8d98f50/x1010.exe
- http://s679.{BLOCKED}le.com/get/{random}/{random}/2/c5cf22b016e0ae9a/8d98f09/botupx.exe
- http://{BLOCKED}le.com/dl/139880406/883ef46/botxxxx1-2.exe
- http://{BLOCKED}le.com/dl/148475657/93df7e1/botupx.exe
- magazin.{BLOCKED}bila.com
- matea.{BLOCKED}g.com
- ng.{BLOCKED}llone.com
- ng.{BLOCKED}oan.com
- ng.{BLOCKED}opperz11.com
- ng.{BLOCKED}ousez11.com
- ng.{BLOCKED}tbaby.com
- ngrbck2.{BLOCKED}oup.co.za
- niggers.{BLOCKED}s.ru
- tamara.{BLOCKED}le-cache.com
- up.{BLOCKED}at.org
- up.{BLOCKED}ek.net
- up.{BLOCKED}idic.net
- up.{BLOCKED}s.in
- up.{BLOCKED}y.in
- xD.{BLOCKED}x.com
- {BLOCKED}01.com
- {BLOCKED}02.com
- {BLOCKED}03.com
- {BLOCKED}pwnme.net
- {BLOCKED}t.ru
- {BLOCKED}ud.com
- {BLOCKED}v.info
- {BLOCKED}v.info
- ngrbck0.{BLOCKED}van.info
- ngrbck1.{BLOCKED}cija-reality.co.cc