WORM_IRCBOT.LZC

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %Application Data%\svchosts.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• XhLyHzKTnU57

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Corp = "%Application Data%\svchosts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Microsoft Corp = "%Application Data%\svchosts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
Microsoft Corp = "%Application Data%\svchosts.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Removable Drive}:\SYSTEM.EXE

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage}
[aUToRun]
;{garbage}
OpEN=SYSTEM.EXE
;{garbage}
ICoN=%wINdIr%\\\\sYStEM32\\\\\sHeLL32.dLL,4
;{garbage}
aCTIoN=Open folder and view files using Windows Explorer
;{garbage}
sHeLL\\\\\\oPEN=Open
;{garbage}
ShELL\\\\oPEN\\\cOMMaNd=SYSTEM.EXE
;{garbage}
uSEAUTopLaY = 1
;{garbage}
ShElL\\\\\\eXpLorE\\\CoMmAnD=SYSTEM.EXE
;{garbage}

Backdoor Routine

This worm connects to any of the following IRC server(s):

• {BLOCKED}et.in

It joins any of the following IRC channel(s):

• #SKuffLe#

However, as of this writing, the said sites are inaccessible.

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• Initiate MSN Propagation
• Uninstall itself
• Join IRC server
• Download and execute arbitrary files
• Get visited pages from Internet Explorer

Download Routine

This worm saves the files it downloads using the following names:

• C:\a.zip
• %Application Data%\nigga.bat - Downloaded via backdoor command

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Information Theft

This worm gathers the following data:

• Affected machine's visited websites in Internet Explorer

Other Details

This worm uses the following credentials when accessing its IRC server:

• NICK {country}{OS version}{00}{random numbers}
• USER {country}{OS version}{00}{random numbers} "lol" :skuffs

NOTES:

Its dropped copies' file attributes are Hidden, System and Read-only.

Its dropped AUTORUN.INF file is detected as INF_IRCBOT.LZC.

It does not have rootkit capabilities.

It does not exploit any vulnerability.