This detection is for a multi-component IRC-based worm capable of spreading to poorly secured remote shares. It bears similarities to earlier variants
Many other multi-component, IRC-based malware packages are known, and components from one are typically reused in others. Because of this, the specific detection names used for the individual files that make up this package are likely to overlap with those of other packages.
Such packages demonstrate the importance of application-type detections: legitimate utilities (here PrcView, HideWindow, RemoteProcessLaunch and WGet) perform steps the propagation mechanism depends on, so enabling detection of those tools disrupts the spread and operation of the malware that abuses them.
Exact detection of the worm's self-extracting (SFX) archive requires the DATs specified above. Prior to this, however, various components of the multi-component package were already detected. Most importantly:
The worm consists of a self-extracting archive. When executed, the following directory is created on the target machine:
Multiple files are extracted to this directory:
- cons32.dll (11,264 bytes)
- dll32.exe (45,056 bytes) - detected as W32/Tzet.worm.f
- jnco32.exe (17,920 bytes) - detected as FDoS-Mixtar
- mmsql32.bat (26,397 bytes) - detected as IRC/Flood.bat; batch script for connecting to remote shares (password brute-forced) and copying and launching the worm there
- mnl32.dll (8,704 bytes)
- mnn32.exe (25,600 bytes) - detected as PrcView application
- msnq32.exe (20,480 bytes) - detected as HideWindow application
- msregld32.exe (17,408 bytes) - detected as FDoS-DRinCL
- mtnm32.dll (179,254 bytes) - trojan IRC script
- pmmc32.exe (38,400 bytes) - detected as RemoteProcessLaunch application
- reg3.ocx (15,133 bytes) - trojan IRC script
- spool.exe (532,480 bytes) - mIRC client, detected as IRC/Flood.bq
- svchostt.exe (19,456 bytes) - 'launcher' for the malware package; detected as W32/Tzet.worm.f
- switch.exe (3,072 bytes)
- wvchost.exe (73,216 bytes) - detected as Tool-WGet application
The following Registry value is added to run SVCHOSTT.EXE (which launches the worm "package") at system startup:
\Run "msnager32" = C:\WINNT\System32\GroupPolicy\Adm\0x3\4.0\svchostt.exe
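As an added example, not taken from the original write-up or from any vendor's tooling, the following Python helper applies the indicators above offline to a directory listing and a `reg export` dump: the file names and sizes from the component list, and the `msnager32` Run value or any Run value that launches svchostt.exe. It also separates hits on the dual-use tools (PrcView, HideWindow, RemoteProcessLaunch, WGet) from hits on the worm components, because a lone tool hit is weak evidence given the component reuse described above. The sample inputs are constructed, and the registry hive in the sample export is an assumption; the page gives only the trailing `\Run` of the key.

```python
"""Offline IOC triage for the multi-component IRC worm described above.

Added example, not part of the original write-up. Sizes are checked alongside
names because several components are legitimate tools that also turn up in
other packages; co-occurrence of several components in one directory is what
actually points at this package.
"""
import re
from typing import Dict, Iterable, List, Tuple

# filename -> (size in bytes, detection or role), exactly as listed above.
COMPONENTS: Dict[str, Tuple[int, str]] = {
    "cons32.dll": (11264, "component, no detection name listed"),
    "dll32.exe": (45056, "W32/Tzet.worm.f"),
    "jnco32.exe": (17920, "FDoS-Mixtar"),
    "mmsql32.bat": (26397, "IRC/Flood.bat (share brute-force/copy script)"),
    "mnl32.dll": (8704, "component, no detection name listed"),
    "mnn32.exe": (25600, "PrcView application"),
    "msnq32.exe": (20480, "HideWindow application"),
    "msregld32.exe": (17408, "FDoS-DRinCL"),
    "mtnm32.dll": (179254, "trojan IRC script"),
    "pmmc32.exe": (38400, "RemoteProcessLaunch application"),
    "reg3.ocx": (15133, "trojan IRC script"),
    "spool.exe": (532480, "mIRC client, IRC/Flood.bq"),
    "svchostt.exe": (19456, "W32/Tzet.worm.f (launcher)"),
    "switch.exe": (3072, "component, no detection name listed"),
    "wvchost.exe": (73216, "Tool-WGet application"),
}
# Legitimate utilities the package merely abuses: a hit on one of these alone
# is not evidence of this worm.
DUAL_USE = {"mnn32.exe", "msnq32.exe", "pmmc32.exe", "wvchost.exe"}
RUN_VALUE_NAME = "msnager32"   # Run value name from the write-up
LAUNCHER = "svchostt.exe"      # the launcher that value points at


def match_components(listing: Iterable[Tuple[str, int]]) -> List[dict]:
    """One record per (filename, size) pair that names a known component.
    A name match with the wrong size is still reported, with exact=False,
    so a padded or rebuilt variant surfaces but is flagged as uncertain."""
    hits = []
    for name, size in listing:
        key = name.lower()
        if key in COMPONENTS:
            expected, detection = COMPONENTS[key]
            hits.append({"file": key, "detection": detection,
                         "exact": size == expected, "dual_use": key in DUAL_USE})
    return hits


def classify(hits: List[dict]) -> str:
    """Verdict for one directory: 'package' if a W32/Tzet component or at
    least three exact matches are present, 'dual-use tools only' if nothing
    but legitimate utilities matched, 'weak' for a lone or inexact hit."""
    if not hits:
        return "clean"
    exact = [h for h in hits if h["exact"]]
    if any(h["detection"].startswith("W32/Tzet") for h in exact) or len(exact) >= 3:
        return "package"
    if all(h["dual_use"] for h in hits):
        return "dual-use tools only"
    return "weak"


# A REG_SZ line in a reg export: "name"="value" (backslashes doubled).
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def find_run_persistence(reg_export: str) -> List[Tuple[str, str]]:
    """(value name, command) pairs under any ...\\CurrentVersion\\Run key that
    use the value name from the write-up or launch the launcher by file name,
    so a renamed value still shows up."""
    found, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
        elif in_run_key and (m := _REG_VALUE.match(line)):
            name, cmd = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == RUN_VALUE_NAME or cmd.lower().endswith(LAUNCHER):
                found.append((name, cmd))
    return found


# Constructed sample input: a listing of the drop directory and a reg export.
# The hives (HKLM/HKCU) are assumptions; the page gives only the trailing \Run.
SAMPLE_LISTING = [("svchostt.exe", 19456), ("SPOOL.EXE", 532480),
                  ("mmsql32.bat", 26397), ("wvchost.exe", 73216), ("readme.txt", 120)]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"msnager32"="C:\\WINNT\\System32\\GroupPolicy\\Adm\\0x3\\4.0\\svchostt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINNT\\System32\\GroupPolicy\\Adm\\0x3\\4.0\\svchostt.exe"
'''

if __name__ == "__main__":
    hits = match_components(SAMPLE_LISTING)
    print(classify(hits), [h["file"] for h in hits])
    print(find_run_persistence(SAMPLE_REG))
```

On a live host the listing would come from `os.scandir()` over the drop directory and the export from `reg export HKLM\...\Run out.reg`; the second, renamed `Updater` value in the constructed export is there to show why the check keys on the launcher's file name as well as on the `msnager32` value name.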