IRC-Worm.Randon.I (N/A)

SYMPTOMS:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explorer="c:\windows\system\expl32.exe"]

together with the following files:

aim.txt
AImIRC.ini
bla.txt
bnc.dll
config.hfg
crazy.exe
cscan.dat
dtkode.txt
empavms.exe
EXPL32.EXE
impvms.dll
innocent
ipservers.txt
lan.bat
Libparse.exe
miconfig.exe
moo.dll
msccl.dll
newuser.bat
nhtml.dll
nicks.txt
nvdrv.ocx
psexec.exe
ratsou.exe
reg.xpl
remote.ini
restart.exe
script1.dll
spig.txt
sysboot.dll
syste32.dll
system.exe
temp
unicod_look
unicod_ready
werty.bat
wincmd34.bat
wind.dll
WININET.DLL

Newer versions of the worm have these instead:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]

where %SYSTEM% points to the Windows\System folder, together with the following files:

aim.dll
aim.txt
boot.exe
c.dll
dr.exe
empavms.exe
flood.ocx
gt.exe
ipservers.dll
java.dll
lan.bat
Libparse.exe
lsass.exe
miconfig.exe
moo.dll
msccl.dll
msconig.exe
newuser.bat
nhtml.dll
ratsou.exe
regedit.dll
remote.ini
restart.exe
screen.dll
sipg.ocx
start.ocx
sysboot.dll
sysconfig.ocx
syste32.dll
temp
unicod_look
unicod_ready
users.dll
werty.bat
wincmd34.bat
wind.dll
zhid.exe

Note that lsass.exe is also the name of a legitimate Windows component, which lives in the System32 folder; the indicator here is the copy in the Windows\System folder that the Run value points to.

TECHNICAL DESCRIPTION:

This worm spreads through IRC and is in fact a collection of backdoors, trojans, DDoS programs and exploits, all packed into one executable file. The worm arrives as an .exe file via mIRC. Once this file is executed, the registry value and the files listed above are created, and EXPL32.EXE (LSASS.EXE in the newer version) is run, giving the attacker complete control over the infected computer. Using its downloader component, it can download and install newer versions of itself (the files GT.EXE or GT2.EXE) from an internet address.

REMOVAL INSTRUCTIONS:
ANALYZED BY: Patrick Vicol, BitDefender Virus Researcher
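A triage script for the indicators listed under SYMPTOMS, added here as an example; it is not BitDefender's tool and is not part of the original entry. It parses text in the shape of `reg query` and `dir /b` output, matches the Run value and the file names against both variants' lists, and returns a verdict. The sample input is constructed to look like a host hit by the newer variant, and the "weak names" set (file names that also exist legitimately elsewhere on Windows) is this example's own assumption. On a live host you would feed it the real output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and a bare `dir /b` listing of the Windows\System folder.

```python
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Run-key value name and the dropped executable each variant registers (from the advisory).
RUN_INDICATORS = {"older": ("explorer", "expl32.exe"), "newer": ("lsass", "lsass.exe")}

# File names from the advisory, lower-cased for case-insensitive matching.
OLDER_FILES = {
    "aim.txt", "aimirc.ini", "bla.txt", "bnc.dll", "config.hfg", "crazy.exe",
    "cscan.dat", "dtkode.txt", "empavms.exe", "expl32.exe", "impvms.dll",
    "innocent", "ipservers.txt", "lan.bat", "libparse.exe", "miconfig.exe",
    "moo.dll", "msccl.dll", "newuser.bat", "nhtml.dll", "nicks.txt", "nvdrv.ocx",
    "psexec.exe", "ratsou.exe", "reg.xpl", "remote.ini", "restart.exe",
    "script1.dll", "spig.txt", "sysboot.dll", "syste32.dll", "system.exe", "temp",
    "unicod_look", "unicod_ready", "werty.bat", "wincmd34.bat", "wind.dll",
    "wininet.dll",
}
NEWER_FILES = {
    "aim.dll", "aim.txt", "boot.exe", "c.dll", "dr.exe", "empavms.exe",
    "flood.ocx", "gt.exe", "ipservers.dll", "java.dll", "lan.bat", "libparse.exe",
    "lsass.exe", "miconfig.exe", "moo.dll", "msccl.dll", "msconig.exe",
    "newuser.bat", "nhtml.dll", "ratsou.exe", "regedit.dll", "remote.ini",
    "restart.exe", "screen.dll", "sipg.ocx", "start.ocx", "sysboot.dll",
    "sysconfig.ocx", "syste32.dll", "temp", "unicod_look", "unicod_ready",
    "users.dll", "werty.bat", "wincmd34.bat", "wind.dll", "zhid.exe",
}
# Assumption of this example: names that also exist legitimately on Windows
# (lsass.exe and wininet.dll in System32, psexec.exe from Sysinternals) or are
# too generic (temp) are reported but never decide the verdict on their own.
WEAK_NAMES = {"lsass.exe", "wininet.dll", "psexec.exe", "temp"}

# A `reg query` data line looks like: "    explorer    REG_SZ    c:\windows\system\expl32.exe"
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+?)\s*$")


def parse_reg_query(text):
    """Map lower-cased value name -> data for the REG_SZ/REG_EXPAND_SZ lines of `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip('"')
    return values


def parse_dir_listing(text):
    """Set of lower-cased file names from `dir /b` output."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def triage(run_values, system_files):
    """Compare a host's Run values and Windows\\System listing with the advisory's IOCs.

    Returns the matched Run entries, strong/weak file hits per variant, and a
    verdict: "older", "newer", "suspicious" (hits shared by both lists) or "clean".
    """
    run_hits = []
    for variant, (name, exe) in RUN_INDICATORS.items():
        data = run_values.get(name, "")
        if data.lower().endswith(exe):
            run_hits.append((variant, name, data))

    report = {"run_hits": run_hits, "files": {}, "verdict": "clean"}
    for variant, ioc in (("older", OLDER_FILES), ("newer", NEWER_FILES)):
        hits = system_files & ioc
        report["files"][variant] = {
            "strong": sorted(hits - WEAK_NAMES),
            "weak": sorted(hits & WEAK_NAMES),
        }

    # A matching Run value is decisive. Otherwise the two file lists overlap,
    # so only names unique to one variant may name it.
    if run_hits:
        report["verdict"] = run_hits[0][0]
    else:
        only_old = set(report["files"]["older"]["strong"]) - NEWER_FILES
        only_new = set(report["files"]["newer"]["strong"]) - OLDER_FILES
        if only_new and len(only_new) >= len(only_old):
            report["verdict"] = "newer"
        elif only_old:
            report["verdict"] = "older"
        elif report["files"]["older"]["strong"] or report["files"]["newer"]["strong"]:
            report["verdict"] = "suspicious"
    return report


# Constructed sample input (not captured from a real host) mimicking the newer variant.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ScanRegistry    REG_SZ    C:\WINDOWS\scanregw.exe /autorun
    lsass    REG_SZ    C:\WINDOWS\SYSTEM\lsass.exe
"""
SAMPLE_DIR = """
lsass.exe
gt.exe
flood.ocx
sysboot.dll
msccl.dll
shell32.dll
kernel32.dll
"""

if __name__ == "__main__":
    result = triage(parse_reg_query(SAMPLE_REG), parse_dir_listing(SAMPLE_DIR))
    print("Verdict:", result["verdict"])
    for variant, name, data in result["run_hits"]:
        print(f"  Run value {name!r} -> {data} ({variant} variant indicator)")
    for variant, hits in result["files"].items():
        print(f"  {variant}: strong={hits['strong']} weak={hits['weak']}")
```

The Run value is treated as decisive because no legitimate Windows install registers a Run value named `lsass` or `explorer` pointing into Windows\System; the file lists only settle the variant through names unique to one of them, since most of the dropped files are common to both.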