System Risk: High
Network Risk: N/A
Spread Risk: High
Current Spread Level: Medium

Aliases:
Primary Symptoms: System, Security threat
Infected OS: Windows
Infected Route: File Execution, Security Vulnerability, Other Malicious code
Kind: Worm, Backdoor
Infected Type: Executable File
Origin: Unknown
Specific Working Date: N/A
Date Discovered: 2007-03-13 (local time)
Date Discovered in Korea: 2007-03-13
AhnLab's Countermeasure:
 - You can scan this virus with Engine version 2007.03.13.02
 - You can cure this virus with Engine version 2007.03.13.02

Summary
Win32/IRCBot.worm.61673 is one of the variants of Win32/IRCBot.worm. The worm spreads by exploiting known Windows vulnerabilities and a weak user account password. When executed, it creates lpns.exe (61,673 bytes) in the Windows system folder. The worm adds Windows registry entries so that it runs automatically whenever Windows starts. It also connects the system to a particular IRC server channel and carries out malicious actions commanded by the Oper.
Content
* Method of Infection
[OS Vulnerability]
The worm spreads by exploiting Windows security vulnerabilities, just like other variants of Win32/IRCBot.worm.
 - MS03-039 RPC DCOM2
   http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
* Symptoms after Execution
[Creating Files]
It creates the following file in the Windows system folder.
 - lpns.exe (61,673 bytes)
Note) The location of the Windows system folder depends on the Windows version. Generally, it is C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
[Adding a Windows Registry Entry]
It adds the following values to the Windows registry so that it is executed whenever Windows starts.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 Dm Hr = lpns.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
 Dm Hr = lpns.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 Dm Hr = lpns.exe
[Creating Mutex]
It creates the following mutex to prevent itself from starting multiple instances.
- k3y
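The host indicators listed above (the lpns.exe file, the three "Dm Hr" autorun values, and the k3y mutex) can be checked on a live system with a short PowerShell script. This is an added example, not part of AhnLab's advisory; the function name Test-IrcBotIndicators is hypothetical, and the mutex is assumed to be visible in the caller's session namespace.

```powershell
# Indicators copied from the advisory text above.
$ValueName = 'Dm Hr'
$FileName  = 'lpns.exe'
$FileSize  = 61673
$MutexName = 'k3y'
$RunKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # current user only
)

function Test-IrcBotIndicators {   # hypothetical name, not an AhnLab tool
    $findings = @()

    # 1. Autorun values: match the value name, or any value data that launches lpns.exe.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                $findings += "Registry: $key -> '$name' = '$data'"
            }
        }
    }

    # 2. Dropped file in the Windows system folder; report its size for comparison.
    $path = Join-Path ([Environment]::SystemDirectory) $FileName
    if (Test-Path -LiteralPath $path) {
        $len  = (Get-Item -LiteralPath $path -Force).Length
        $note = if ($len -eq $FileSize) { 'size matches advisory' } else { 'size differs' }
        $findings += "File: $path ($len bytes, $note)"
    }

    # 3. Single-instance mutex: if it can be opened, the process is likely running.
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($MutexName)
        $mutex.Close()
        $findings += "Mutex: '$MutexName' exists"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present in this session's namespace.
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex: '$MutexName' exists (access denied)"
    }

    return $findings
}

Test-IrcBotIndicators
```

An empty result means none of the three indicator types were found for the current user and session. On 64-bit Windows, files and registry writes made by 32-bit processes are redirected to SysWOW64 and WOW6432Node, which this script does not inspect.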
* Working as a Malicious IRC Bot
It tries to connect the system to a particular IRC server channel. If the connection succeeds, it can carry out malicious actions commanded by the Oper.
The following actions can be performed by the infected system. However, these malicious activities cannot be carried out if the IRC server operator closes the channel.
- Executing and deleting files
- Uploading and downloading files
- Leaking the system and network information
[IRC Server List]
*8*.1*8.50.1*8:3**1
Note) Addresses are partially omitted with *s.