WARNING!!! IRC Possible Virus Carrier
Posted: Thu Sep 11, 2003 2:58 pm
Found this on my PC today, bastid to get rid of, only IRC I use is meginjarder, so just a heads-up to look out for it!
Virus type: Worm
Destructive: No
Aliases: W32.Spybot.Worm, Worm.P2P.SpyBot.gen, Win32.HLLW.SpyBot, Worm.SpyBot.BH
Pattern file needed: 629
Scan engine needed: 6.150
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: High
Distribution Potential: Medium
--------------------------------------------------------------------------------
Description:
This memory-resident worm propagates via network shares and has several backdoor capabilities.
It connects to an Internet Relay Chat (IRC) server where it receives the following commands from a remote user to process on the compromised machine:
Steal Windows cached passwords
Remotely activate a key logger
Act as HTTP Web page server
Open and close CD-ROM tray
Scan ports
Download file(s)
Perform Denial of Service (DOS) attack against other systems
List and terminate running processes
List system information
Browse files on the compromised system
Execute a file remotely
It allows a malicious user to install copies of itself in several startup folders using the following file names:
BRITNEY_SPEARS_GAME.EXE
FILE.EXE
EXPLORER.EXE
To make the cleanup difficult, it terminates the following processes:
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
REGEDIT.EXE
This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP systems.
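As an added defender-side example (not part of the original post or the vendor write-up), two offline triage checks built from the description above: flag the listed drop names found in startup folders, while excusing the real EXPLORER.EXE in the Windows directory, and spot established connections to the conventional IRC port range in netstat output. The system directories and the 6660-6669 port range are assumptions (the post names no server or port); the sample paths and netstat lines are constructed.

```python
"""Triage checks for the Spybot behaviour described above (added example; sample data is constructed)."""
import re
from pathlib import PureWindowsPath

# File names the description says the worm drops into startup folders.
DROP_NAMES = {"BRITNEY_SPEARS_GAME.EXE", "FILE.EXE", "EXPLORER.EXE"}
# Assumption: default system directories where the real shell binary lives.
LEGIT_EXPLORER_DIRS = {r"C:\WINDOWS", r"C:\WINNT"}
# Assumption: conventional IRC port range; the post names no server or port.
IRC_PORTS = range(6660, 6670)

def classify_startup_entry(path):
    """Return a finding if a startup entry carries a drop name, else None."""
    p = PureWindowsPath(path)
    name = p.name.upper()
    if name not in DROP_NAMES:
        return None
    if name == "EXPLORER.EXE" and str(p.parent).upper() in LEGIT_EXPLORER_DIRS:
        return None  # the real Windows shell, not a startup-folder copy
    return f"{path}: file name matches a Spybot drop name"

# 'TCP  local:port  remote:port  STATE' as printed by 'netstat -an'. The worm
# kills NETSTAT.EXE, so gather this from a clean boot or a network tap.
_NETSTAT = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

def irc_connections(netstat_lines):
    """Return (remote_ip, port) for established TCP sessions to IRC ports."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT.match(line)
        if m and m.group(5) == "ESTABLISHED" and int(m.group(4)) in IRC_PORTS:
            hits.append((m.group(3), int(m.group(4))))
    return hits

def scan(startup_entries, netstat_lines):
    """Combine both checks into a list of human-readable findings."""
    findings = [f for f in map(classify_startup_entry, startup_entries) if f]
    for ip, port in irc_connections(netstat_lines):
        findings.append(f"established IRC session to {ip}:{port}")
    return findings

# Constructed sample data (not from a real host).
SAMPLE_STARTUP = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EXPLORER.EXE",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\FILE.EXE",
    r"C:\WINDOWS\EXPLORER.EXE",  # legitimate location, must not be flagged
]
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.5:1043    203.0.113.7:6667     ESTABLISHED",
    "  TCP    192.168.1.5:1044    198.51.100.9:80      ESTABLISHED",
]
```

Calling scan(SAMPLE_STARTUP, SAMPLE_NETSTAT) on the constructed data yields three findings: the two startup-folder copies and the IRC session, with the genuine C:\WINDOWS\EXPLORER.EXE left alone.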