For Home

Virus Profile: W32/IRCbot!lnk

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/9/2011
Date Added: 9/9/2011
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6823
Removal Instructions
   
 
 
   

Description

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Indication of Infection


Presence of above mentioned files.

Methods of Infection


This worm may be spread by its intented method of infected removable drives. Alternatively this may be installed by visiting a malicious web page (either by clicking on a link), or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
   

Virus Characteristics

W32/IRCbot!lnk” is a link file which is dropped by the file “hYStyP.exe” [Detected as W32/IRCbot.gen.cr]. The link file uses the below argument to execute the source file

%WINDIR%\system32\cmd.exe /c "start %CD%hYStyP\hYStyP.exe && %WINDIR%\explorer.exe %CD%[Folder Name]"

Upon execution the link file tries to launch the source file from the following the location

[RemovableDrive]:\hYStyP \hYStyP.exe [Detected as W32/IRCbot.gen.cr]

The above file is a Worm that allows unauthorized access and control of an infected machine. It connects to a remote IRC server in order to receive instruction from a remote attacker.
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).