Virus Profile: W32/Polybot.l!irc

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- The virus hides all files containing the word "sound" on the infected machine.

- Unusual ports that are opened.

- The following registry keys are added on an infected system:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
  \Enum\Root\LEGACY_SOUNDMAN
•  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
  \Services\SoundMan
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
  \Enum\Root\LEGACY_SOUNDMAN
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
  \Services\SoundMan
  

- The virus hooks the following registry keys to run the worm at startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  \CurrentVersion\Run "^`d}qZxu" = ~`d}qzxu3zYF
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  \CurrentVersion\RunServices "^`d}qZxu" = ~`d}qzxu3zYF

- The worm attempts to teminate the following processes:

• HIJACKTHIS.EXE
• _AVPM.EXE
• _AVPCC.EXE
• _AVP32.EXE
• ZONEALARM.EXE
• ZONALM2601.EXE
• ZATUTOR.EXE
• ZAPSETUP3001.EXE
• ZAPRO.EXE
• XPF202EN.EXE
• WYVERNWORKSFIREWALL.EXE
• WUPDT.EXE
• WUPDATER.EXE
• WSBGATE.EXE
• WRCTRL.EXE
• WRADMIN.EXE
• WNT.EXE
• WNAD.EXE
• WKUFIND.EXE
• WINUPDATE.EXE
• WINTSK32.EXE
• WINSTART001.EXE
• WINSTART.EXE
• WINSSK32.EXE
• WINSERVN.EXE
• WINRECON.EXE
• WINPPR32.EXE
• WINNET.EXE
• WINMAIN.EXE
• WINLOGIN.EXE
• WININITX.EXE
• WININIT.EXE
• WININETD.EXE
• WINDOWS.EXE
• WINDOW.EXE
• WINACTIVE.EXE
• WIN32US.EXE
• WIN32.EXE
• WIN-BUGSFIX.EXE
• WIMMUN32.EXE
• WHOSWATCHINGME.EXE
• WGFE95.EXE
• WFINDV32.EXE
• WEBTRAP.EXE
• WEBSCANX.EXE
• WEBDAV.EXE
• WATCHDOG.EXE
• W9X.EXE
• W32DSM89.EXE
• VSWINPERSE.EXE
• VSWINNTSE.EXE
• VSWIN9XE.EXE
• VSSTAT.EXE
• VSMON.EXE
• VSMAIN.EXE
• VSISETUP.EXE
• VSHWIN32.EXE
• VSECOMR.EXE
• VSCHED.EXE
• VSCENU6.02D30.EXE
• VSCAN40.EXE
• VPTRAY.EXE
• VPFW30S.EXE
• VPC42.EXE
• VPC32.EXE
• VNPC3000.EXE
• VNLAN300.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VIR-HELP.EXE
• VFSETUP.EXE
• VETTRAY.EXE
• VET95.EXE
• VET32.EXE
• VCSETUP.EXE
• VBWINNTW.EXE
• VBWIN9X.EXE
• VBUST.EXE
• VBCONS.EXE
• VBCMSERV.EXE
• UTPOST.EXE
• UPGRAD.EXE
• UPDAT.EXE
• UNDOBOOT.EXE
• TVTMD.EXE
• TVMD.EXE
• TSADBOT.EXE
• TROJANTRAP3.EXE
• TRJSETUP.EXE
• TRJSCAN.EXE
• TRICKLER.EXE
• TRACERT.EXE
• TITANINXP.EXE
• TITANIN.EXE
• TGBOB.EXE
• TFAK5.EXE
• TFAK.EXE
• TEEKIDS.EXE
• TDS2-NT.EXE
• TDS2-98.EXE
• TDS-3.EXE
• TCM.EXE
• TCA.EXE
• TC.EXE
• TBSCAN.EXE
• TAUMON.EXE
• TASKMON.EXE
• TASKMO.EXE
• TASKMG.EXE
• SYSUPD.EXE
• SYSTEM32.EXE
• SYSTEM.EXE
• SYSEDIT.EXE
• SYMTRAY.EXE
• SYMPROXYSVC.EXE
• SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
• SWEEP95.EXE
• SVSHOST.EXE
• SVCHOSTS.EXE
• SVCHOSTC.EXE
• SVC.EXE
• SUPPORTER5.EXE
• SUPPORT.EXE
• SUPFTRL.EXE
• STCLOADER.EXE
• START.EXE
• ST2.EXE
• SSG_4104.EXE
• SSGRATE.EXE
• SS3EDIT.EXE
• SRNG.EXE
• SREXE.EXE
• SPYXX.EXE
• SPOOLSV32.EXE
• SPOOLCV.EXE
• SPOLER.EXE
• SPHINX.EXE
• SPF.EXE
• SPERM.EXE
• SOFI.EXE
• SOAP.EXE
• SMSS32.EXE
• SMS.EXE
• SMC.EXE
• SHOWBEHIND.EXE
• SHN.EXE
• UPDATE.EXE
• SHELLSPYINSTALL.EXE
• SH.EXE
• SGSSFW32.EXE
• SFC.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SETUPVAMEEVAL.EXE
• SERVLCES.EXE
• SERVLCE.EXE
• SERVICE.EXE
• SERV95.EXE
• SD.EXE
• SCVHOST.EXE
• SCRSVR.EXE
• SCRSCAN.EXE
• SCANPM.EXE
• SCAN95.EXE
• SCAN32.EXE
• SCAM32.EXE
• SC.EXE
• SBSERV.EXE
• SAVENOW.EXE
• SAVE.EXE
• SAHAGENT.EXE
• SAFEWEB.EXE
• RUXDLL32.EXE
• RUNDLL16.EXE
• RUNDLL.EXE
• RUN32DLL.EXE
• RULAUNCH.EXE
• RTVSCN95.EXE
• RTVSCAN.EXE
• RSHELL.EXE
• RRGUARD.EXE
• RESCUE32.EXE
• RESCUE.EXE
• REGEDT32.EXE
• REGEDIT.EXE
• REGED.EXE
• REALMON.EXE
• RCSYNC.EXE
• RB32.EXE
• RAY.EXE
• RAV8WIN32ENG.EXE
• RAV7WIN.EXE
• RAV7.EXE
• RAPAPP.EXE
• QSERVER.EXE
• QCONSOLE.EXE
• PVIEW95.EXE
• PUSSY.EXE
• PURGE.EXE
• PSPF.EXE
• PROTECTX.EXE
• PROPORT.EXE
• PROGRAMAUDITOR.EXE
• PROCEXPLORERV1.0.EXE
• PROCESSMONITOR.EXE
• PROCDUMP.EXE
• PRMVR.EXE
• PRMT.EXE
• PRIZESURFER.EXE
• PPVSTOP.EXE
• PPTBC.EXE
• PPINUPDT.EXE
• POWERSCAN.EXE
• PORTMONITOR.EXE
• PORTDETECTIVE.EXE
• POPSCAN.EXE
• POPROXY.EXE
• POP3TRAP.EXE
• PLATIN.EXE
• PINGSCAN.EXE
• PGMONITR.EXE
• PFWADMIN.EXE
• PF2.EXE
• PERSWF.EXE
• PERSFW.EXE
• PERISCOPE.EXE
• PENIS.EXE
• PDSETUP.EXE
• PCSCAN.EXE
• PCIP10117_0.EXE
• PCFWALLICON.EXE
• PCDSETUP.EXE
• PCCWIN98.EXE
• PCCWIN97.EXE
• PCCNTMON.EXE
• PCCIOMON.EXE
• PCC2K_76_1436.EXE
• PCC2002S902.EXE
• PAVW.EXE
• PAVSCHED.EXE
• PAVPROXY.EXE
• PAVCL.EXE
• PATCH.EXE
• PANIXK.EXE
• PADMIN.EXE
• OUTPOSTPROINSTALL.EXE
• OUTPOSTINSTALL.EXE
• OTFIX.EXE
• OSTRONET.EXE
• OPTIMIZE.EXE
• ONSRVR.EXE
• OLLYDBG.EXE
• NWTOOL16.EXE
• NWSERVICE.EXE
• NWINST4.EXE
• NVSVC32.EXE
• NVC95.EXE
• NVARCH16.EXE
• NUI.EXE
• NTXconfig.EXE
• NTVDM.EXE
• NTRTSCAN.EXE
• NT.EXE
• NSUPDATE.EXE
• NSTASK32.EXE
• NSSYS32.EXE
• NSCHED32.EXE
• NPSSVC.EXE
• NPSCHECK.EXE
• NPROTECT.EXE
• NPFMESSENGER.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NOTSTART.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NORMIST.EXE
• NOD32.EXE
• NMAIN.EXE
• NISUM.EXE
• NISSERV.EXE
• NETUTILS.EXE
• NETSTAT.EXE
• NETSPYHUNTER-1.2.EXE
• NETSCANPRO.EXE
• NETMON.EXE
• NETINFO.EXE
• NETD32.EXE
• NETARMOR.EXE
• NEOWATCHLOG.EXE
• NEOMONITOR.EXE
• NDD32.EXE
• NCINST4.EXE
• NC2000.EXE
• NAVWNT.EXE
• NAVW32.EXE
• NAVSTUB.EXE
• NAVNT.EXE
• NAVLU32.EXE
• NAVENGNAVEX15.NAVLU32.EXE
• NAVDX.EXE
• NAVAPW32.EXE
• NAVAPSVC.EXE
• NAVAP.NAVAPSVC.EXE
• AUTO-PROTECT.NAV80TRY.EXE
• NAV.EXE
• OUTPOST.EXE
• NUPGRADE.EXE
• N32SCANW.EXE
• MWATCH.EXE
• MU0311AD.EXE
• MSVXD.EXE
• MSSYS.EXE
• MSSMMC32.EXE
• MSMSGRI32.EXE
• MSMGT.EXE
• MSLAUGH.EXE
• MSINFO32.EXE
• MSIEXEC16.EXE
• MSDOS.EXE
• MSDM.EXE
• MSCONFIG.EXE
• MSCMAN.EXE
• MSCCN32.EXE
• MSCACHE.EXE
• MSBLAST.EXE
• MSBB.EXE
• MSAPP.EXE
• MRFLUX.EXE
• MPFTRAY.EXE
• MPFSERVICE.EXE
• MPFAGENT.EXE
• MOSTAT.EXE
• MOOLIVE.EXE
• MONITOR.EXE
• MMOD.EXE
• MINILOG.EXE
• MGUI.EXE
• MGHTML.EXE
• MGAVRTE.EXE
• MGAVRTCL.EXE
• MFWENG3.02D30.EXE
• MFW2EN.EXE
• MFIN32.EXE
• MD.EXE
• MCVSSHLD.EXE
• MCVSRTE.EXE
• MCTOOL.EXE
• MCSHIELD.EXE
• MCMNHDLR.EXE
• MCAGENT.EXE
• MAPISVC32.EXE
• LUSPT.EXE
• LUINIT.EXE
• LUCOMSERVER.EXE
• LUAU.EXE
• LSETUP.EXE
• LORDPE.EXE
• LOOKOUT.EXE
• LOCKDOWN2000.EXE
• LOCKDOWN.EXE
• LOCALNET.EXE
• LOADER.EXE
• LNETINFO.EXE
• LDSCAN.EXE
• LDPROMENU.EXE
• LDPRO.EXE
• LDNETMON.EXE
• LAUNCHER.EXE
• KILLPROCESSSETUP161.EXE
• KERNEL32.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-PF-213-EN-WIN.EXE
• KEENVALUE.EXE
• KAZZA.EXE
• KAVPF.EXE
• KAVPERS40ENG.EXE
• KAVLITE40ENG.EXE
• JEDI.EXE
• JDBGMRG.EXE
• JAMMER.EXE
• ISTSVC.EXE
• MCUPDATE.EXE
• LUALL.EXE
• ISRV95.EXE
• ISASS.EXE
• IRIS.EXE
• IPARMOR.EXE
• IOMON98.EXE
• INTREN.EXE
• INTDEL.EXE
• INIT.EXE
• INFWIN.EXE
• INFUS.EXE
• INETLNFO.EXE
• IFW2000.EXE
• IFACE.EXE
• IEXPLORER.EXE
• IEDRIVER.EXE
• IEDLL.EXE
• IDLE.EXE
• ICSUPPNT.EXE
• ICMON.EXE
• ICLOADNT.EXE
• ICLOAD95.EXE
• IBMAVSP.EXE
• IBMASN.EXE
• IAMSTATS.EXE
• IAMSERV.EXE
• IAMAPP.EXE
• HXIUL.EXE
• HXDL.EXE
• HWPE.EXE
• HTPATCH.EXE
• HTLOG.EXE
• HOTPATCH.EXE
• HOTACTIO.EXE
• HBSRV.EXE
• HBINST.EXE
• HACKTRACERSETUP.EXE
• GUARDDOG.EXE
• GUARD.EXE
• GMT.EXE
• GENERICS.EXE
• GBPOLL.EXE
• GBMENU.EXE
• GATOR.EXE
• FSMB32.EXE
• FSMA32.EXE
• FSM32.EXE
• FSGK32.EXE
• FSAV95.EXE
• FSAV530WTBYB.EXE
• FSAV530STBYB.EXE
• FSAV32.EXE
• FSAV.EXE
• FSAA.EXE
• FRW.EXE
• FPROT.EXE
• FP-WIN_TRIAL.EXE
• FP-WIN.EXE
• FNRB32.EXE
• FLOWPROTECTOR.EXE
• FIREWALL.EXE
• FINDVIRU.EXE
• FIH32.EXE
• FCH32.EXE
• FAST.EXE
• FAMEH32.EXE
• F-STOPW.EXE
• F-PROT95.EXE
• F-PROT.EXE
• F-AGNT95.EXE
• EXPLORE.EXE
• EXPERT.EXE
• EXE.AVXW.EXE
• EXANTIVIRUS-CNET.EXE
• EVPN.EXE
• ETRUSTCIPE.EXE
• ETHEREAL.EXE
• ESPWATCH.EXE
• ESCANV95.EXE
• ICSUPP95.EXE
• ESCANHNT.EXE
• ESCANH95.EXE
• ESAFE.EXE
• ENT.EXE
• EMSW.EXE
• EFPEADM.EXE
• ECENGINE.EXE
• DVP95_0.EXE
• DVP95.EXE
• DSSAGENT.EXE
• DRWEBUPW.EXE
• DRWEB32.EXE
• DRWATSON.EXE
• DPPS2.EXE
• DPFSETUP.EXE
• DPF.EXE
• DOORS.EXE
• DLLREG.EXE
• DLLCACHE.EXE
• DIVX.EXE
• DEPUTY.EXE
• DEFWATCH.EXE
• DEFSCANGUI.EXE
• DEFALERT.EXE
• DCOMX.EXE
• DATEMANAGER.EXE
• Claw95.EXE
• CWNTDWMO.EXE
• CWNB181.EXE
• CV.EXE
• CTRL.EXE
• CPFNT206.EXE
• CPF9X206.EXE
• CPD.EXE
• CONNECTIONMONITOR.EXE
• CMON016.EXE
• CMGRDIAN.EXE
• CMESYS.EXE
• CMD32.EXE
• CLICK.EXE
• CLEANPC.EXE
• CLEANER3.EXE
• CLEANER.EXE
• CLEAN.EXE
• CFINET32.EXE
• CFINET.EXE
• CFIADMIN.EXE
• CFGWIZ.EXE
• CFD.EXE
• CDP.EXE
• CCPXYSVC.EXE
• CCEVTMGR.EXE
• CCAPP.EXE
• BVT.EXE
• BUNDLE.EXE
• BS120.EXE
• BRASIL.EXE
• BPC.EXE
• BORG2.EXE
• BOOTWARN.EXE
• BOOTCONF.EXE
• BLSS.EXE
• BLACKICE.EXE
• BLACKD.EXE
• BISP.EXE
• BIPCPEVALSETUP.EXE
• BIPCP.EXE
• BIDSERVER.EXE
• BIDEF.EXE
• BELT.EXE
• BEAGLE.EXE
• BD_PROFESSIONAL.EXE
• BARGAINS.EXE
• BACKWEB.EXE
• CLAW95CF.EXE
• CFIAUDIT.EXE
• AVXMONITORNT.EXE
• AVXMONITOR9X.EXE
• AVWUPSRV.EXE
• AVWUPD.EXE
• AVWINNT.EXE
• AVWIN95.EXE
• AVSYNMGR.EXE
• AVSCHED32.EXE
• AVPTC32.EXE
• AVPM.EXE
• AVPDOS32.EXE
• AVPCC.EXE
• AVP32.EXE
• AVP.EXE
• AVNT.EXE
• AVLTMAIN.EXE
• AVKWCTl9.EXE
• AVKSERVICE.EXE
• AVKSERV.EXE
• AVKPOP.EXE
• AVGW.EXE
• AVGUARD.EXE
• AVGSERV9.EXE
• AVGSERV.EXE
• AVGNT.EXE
• AVGCTRL.EXE
• AVGCC32.EXE
• AVE32.EXE
• AVCONSOL.EXE
• AU.EXE
• ATWATCH.EXE
• ATRO55EN.EXE
• ATGUARD.EXE
• ATCON.EXE
• ARR.EXE
• APVXDWIN.EXE
• APLICA32.EXE
• APIMONITOR.EXE
• ANTS.EXE
• ANTIVIRUS.EXE
• ANTI-TROJAN.EXE
• AMON9X.EXE
• ALOGSERV.EXE
• ALEVIR.EXE
• ALERTSVC.EXE
• AGENTW.EXE
• AGENTSVR.EXE
• ADVXDWIN.EXE
• ADAWARE.EXE
• AVXQUAR.EXE
• ACKWIN32.EXE
• AVWUPD32.EXE
• AVPUPD.EXE
• AUTOUPDATE.EXE
• AUTOTRACE.EXE
• AUTODOWN.EXE
• AUPDATE.EXE
• ATUPDATER.EXE

Methods of Infection

• The worm spreads through open shares and tries to guess the login ID and password of password-protected shares
• It also spreads through IRC channels.

The virus appends to the hosts files in order to redirect the below URLs to the IP address 127.0.0.1. This will prevent users from accessing these websites to receive AV updates. 

• localhost
• www.symantec.com
• securityresponse.symantec.com
• symantec.com
• www.sophos.com
• sophos.com
• www.mcafee.com
• mcafee.com
• liveupdate.symantecliveupdate.com
• www.viruslist.com
• viruslist.com
• viruslist.com
• f-secure.com
• www.f-secure.com
• kaspersky.com
• www.avp.com
• www.kaspersky.com
• avp.com
• www.networkassociates.com
• networkassociates.com
• www.ca.com
• ca.com
• mast.mcafee.com
• my-etrust.com
• www.my-etrust.com
• download.mcafee.com
• dispatch.mcafee.com
• secure.nai.com
• nai.com
• www.nai.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• liveupdate.symantec.com
• customer.symantec.com
• rads.mcafee.com
• trendmicro.com
• www.trendmicro.com

Infected hosts files are detected (and cleaned) as W32/Polybot.l!hosts with the specified engine/DATs. Upon such a detection, users should follow the details specified in the Removal Instructions to remove the virus.