Trojan.IRC.Zapchast.NAB
Spreading: very low
Damage: medium
Size: ~876kb
Discovered: 2007 Aug 08
SYMPTOMS:
Presence of the following files in C:\Windows\System\ :
- svchost.exe with size 1922 Kbytes
- sup.bat with size 22 bytes
- sup.reg with size 139 bytes
- script.ini with size 8 Kbytes
- nicks.ini with size 25 Kbytes
and some more files.
TECHNICAL DESCRIPTION:
This virus comes as a RAR-SFX (a self-extracting RAR archive). When executed, it unpacks some modified mIRC files into C:\Windows\System.
It then makes sure it is launched every time the computer starts by modifying the registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GNP Generic Host Process"
After that it launches C:\Windows\System\svchost.exe, which is the file mirc.exe renamed and infected with Win32.Parite.B.
That mIRC instance connects to an Undernet server, joins channel #unl*****, acts as an IRC bot and waits for commands from its owner such as:
op/deop/kick/ban/voice/nick/msg/run/exit/say/ping
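The file symptoms and the Run entry described above can be combined into a quick host-triage check. The Python below is an added example, not BitDefender's code: the function name, the size tolerance, the verdict thresholds and the sample inputs are assumptions made for illustration.

```python
KIB = 1024
SYSTEM_DIR = r"C:\Windows\System"        # drop directory named on the page
RUN_VALUE = "GNP Generic Host Process"   # Run value name given on the page

# filename -> (size in bytes, tolerance). Sizes are the page's; the +/- 1 KiB
# tolerance on the Kbyte-rounded ones is an assumption of this example.
EXPECTED = {
    "svchost.exe": (1922 * KIB, KIB),
    "sup.bat": (22, 0),
    "sup.reg": (139, 0),
    "script.ini": (8 * KIB, KIB),
    "nicks.ini": (25 * KIB, KIB),
}

def triage(system_files, run_values):
    # system_files: {filename: size_bytes} listed from SYSTEM_DIR
    # run_values:   {value_name: data} from the HKLM ...\CurrentVersion\Run key
    sizes = {name.lower(): size for name, size in system_files.items()}
    findings, size_hits = [], 0
    for name, (want, tol) in EXPECTED.items():
        if name not in sizes:
            continue
        # The genuine Windows svchost.exe lives in System32, so a hit in
        # System is reported even when only the name matches.
        exact = abs(sizes[name] - want) <= tol
        size_hits += exact
        detail = "name and size match" if exact else "name only"
        findings.append(f"{SYSTEM_DIR}\\{name}: {detail}")
    run_hit = False
    for value_name, data in run_values.items():
        if value_name.strip().lower() == RUN_VALUE.lower():
            run_hit = True
            findings.append(f"Run value '{value_name}' -> {data}")
    # Verdict thresholds are an assumption of this example, not vendor logic.
    if (run_hit and size_hits >= 1) or size_hits >= 3:
        verdict = "likely infected"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return verdict, findings

# Constructed sample inputs (not taken from a real host).
SAMPLE_FILES = {"SVCHOST.EXE": 1922 * KIB + 300, "sup.bat": 22, "nicks.ini": 900}
SAMPLE_RUN = {"GNP Generic Host Process": r"C:\Windows\System\svchost.exe"}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```

A "suspicious" result means only names matched or the persistence entry was absent; confirm with an antivirus scan before acting on it.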
Removal instructions:
Please let BitDefender disinfect your files.
ANALYZED BY:
Sorin Ciorceri, virus researcher