WORM_IRCBOT.PHT

This malware tries to connect to websites. If the connection is succesful, the malware joins the channel #!nn! to send and receive information from its IRC C&C server. The malware can also download additional files and is saved under certain file names. The malware is also capable of sending messages on Facebook, Yahoo! Messenger and Windows Live containing a link pointing to a copy of itself.

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be downloaded unknowingly by a user when visiting malicious website(s).

It modifies registry entries to disable various system services. This action prevents most of the system functions to be used.

It deletes the file(s) associated with the process(es) it terminates. It does the said routine to completely disable programs and applications.

It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be downloaded unknowingly by a user when visiting the following malicious website(s):

• http://{BLOCKED}raimg.com/photo.php?={random numbers}
• http://{BLOCKED}otoon.com/photo.php?={random numbers}

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\nvsvc32.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Nvidia Drive Mon

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe

Other System Modifications

This worm modifies registry entries to disable the following system services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MsMpSvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = %Windows%\nvsvc32.exe:Enabled:NVIDIA driver monitor

Process Termination

This worm terminates the following services if found on the affected system:

• wuauserv
• MsMpSvc

It terminates the following processes if found running in the affected system's memory:

• msseces.exe

It deletes the file(s) associated with the process(es) it terminates. It does the said routine to completely disable programs and applications.

Web Browser Home Page and Search Page Modification

This worm modifies the user's Internet Explorer home page to the following websites:

• http://{BLOCKED}ure.com

Other Details

Based on analysis of the codes, it has the following capabilities:

• It tries to connect to any of the following sites:
  
  • {BLOCKED}.{BLOCKED}.18.99
  • {BLOCKED}oshistory.info
  • {BLOCKED}e.pakibili.com
  • {BLOCKED}o.ic.ac.uk
  • {BLOCKED}e.lacoctelera.net
  • {BLOCKED}emccloskey.org
  • {BLOCKED}s.phoenix-cc.net
  • {BLOCKED}highered.com
  • {BLOCKED}lofaccountancy.com
  • {BLOCKED}ls.lww.com
  • {BLOCKED}s.0730ip.com
  • {BLOCKED}s.archivum.info
  • {BLOCKED}p.lvengine.com
  • {BLOCKED}astpost.org
  • {BLOCKED}rticles.com
  • {BLOCKED}rarticles.info
  • {BLOCKED}n.51.com
  • {BLOCKED}yle.com
  • {BLOCKED}e.info
  • {BLOCKED}r-uni-sw.eesp.ch
  • {BLOCKED}ationale.org
  • {BLOCKED}ed.com
  • {BLOCKED}k.com
  • {BLOCKED}etrafficspy.com
  • www.{BLOCKED}an.com
  • xxx.{BLOCKED}a.pl
• If the connection is succesful, the malware joins the channel #!nn! to send and receive information from its IRC C&C server. The malware could also download additional files and is saved as follows:
  
  • %Windows%\ndl.dl
  • %Windows%\wibrf.jpg
  • %Windows%\wiybr.png
  • %Windows%\ntdl.dl
• If the malware is not able to drop a copy of itself in %Windows% directory. It tries to drop a copy of itself as the following:
  
  • %Public%\nvsvc32.exe
  • %Program Files%\nvsvc32.exe
  
  (Note: %Public% is usually C:\Users\Public in Windows Vista and Windows 7. %Program Files% is the default Program Files folder, usually C:\Program Files.)
• The malware is capable of sending messages in Facebook, Yahoo! Messenger and Windows Live containing a link pointing to a copy of itself:
  
  • Foto :D http://{BLOCKED}otoon.com/photo.php?={random numbers}
• This malware also opens the page http://{BLOCKED}users.myspace.com/Browse/Browse.aspx