WORM_IRCBOT.MBA

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %User Temp%\avntsc32.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Avira Antivir = "%User Temp%\avntsc32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Avira Antivir = "%User Temp%\avntsc32.exe"

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open={Malware File Name}.exe
shell\open\command={Malware File Name}.exe
shell\open=Explore
action=Open folder to view files
shell\open\default=1

Other Details

This worm connects to the following possibly malicious URL:

• up.{BLOCKED}ys.in
• up.{BLOCKED}at.org
• up.{BLOCKED}ek.net
• up.{BLOCKED}idic.net
• av.{BLOCKED}nc.cz
• av.{BLOCKED}nen.cc
• up.{BLOCKED}idic.net