Summary
Win32/IRCBot.worm.109056.B is a variant of Win32/IRCBot.worm. The worm spreads by exploiting known Windows vulnerabilities and weak user account passwords. When executed, it creates csrs.exe (109,056 bytes) in the Windows system folder and adds a Windows registry entry so that it runs automatically whenever Windows starts. It also connects the system to a particular IRC server channel and carries out malicious actions commanded by the Oper.
Content
* Method of Infection
[A Weak User Account Password]
The target operating systems are the Windows NT family (Windows NT, 2000, XP). When the login password protecting the administrative shared folder is weak (easy to guess), the worm connects to the system and then executes itself. The following password list is used against vulnerable accounts:
staff
teacher
owner
student
office
control
compaq
cisco
george
katie
pass1234
passwd
* Symptoms after Execution
|
[Creating Files]
It creates the following file in the Windows system folder.
 - csrs.exe (109,056 bytes)
Note) Depending on the MS Windows version, the location of the Windows system folder may differ. Generally, the location is C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
[Adding a Windows Registry Entry]
It adds the following value to the Windows registry so that it is executed whenever Windows starts.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Client Server Runtime Process = Windows System Folder\csrs.exe
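A check for the two host indicators described above (the Run value and csrs.exe in the system folder), as an added example that is not part of the original description. It parses the text printed by `reg query` for the Run key; the sample output, the function names and the indicator labels are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above.
IOC_VALUE_NAME = "client server runtime process"
IOC_FILE_NAME = "csrs.exe"
IOC_FILE_SIZE = 109056
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}

# A value line in `reg query` output: "    <name>    REG_<type>    <data>"
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
EXE_PATH = re.compile(r'\s*"?([^"]*?\.exe)', re.IGNORECASE)

# Constructed sample of `reg query` output for the Run key (not a real capture).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Client Server Runtime Process    REG_SZ    C:\WINDOWS\System32\csrs.exe
"""

def parse_run_values(text):
    """Return {value name: data} for each value line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def match_ioc(name, data, file_size=None):
    """Return the indicators a Run value matches (empty list if none)."""
    hits = []
    if name.strip().lower() == IOC_VALUE_NAME:
        hits.append("value-name")
    m = EXE_PATH.match(data)
    if m:
        exe = PureWindowsPath(m.group(1))
        # Exact file-name match, so the legitimate csrss.exe is not flagged.
        if exe.name.lower() == IOC_FILE_NAME and str(exe.parent).lower() in SYSTEM_DIRS:
            hits.append("file-path")
            if file_size == IOC_FILE_SIZE:
                hits.append("file-size")
    return hits

def scan(text, sizes=None):
    """Map each suspicious Run value name to the indicators it matched."""
    sizes = sizes or {}
    found = {n: match_ioc(n, d, sizes.get(d)) for n, d in parse_run_values(text).items()}
    return {n: h for n, h in found.items() if h}

if __name__ == "__main__":
    print(scan(SAMPLE, {r"C:\WINDOWS\System32\csrs.exe": 109056}))
```

The optional `sizes` argument maps a value's data string to the size in bytes of the file it points to, collected separately on the host being examined.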