WORM_IRCBOT.WAT
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to Internet Relay Chat (IRC) servers.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
{random} = "{malware path and file name}"
Backdoor Routine
This worm connects to any of the following Internet Relay Chat (IRC) servers:
- ircr0x.{BLOCKED}ls.net
- ircr0x.{BLOCKED}h.info
As of this writing, these servers are inaccessible.
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
- http://api.wipmania.com/