Threat Alert Service (KTP)


W32.IRCBot.B


Virus Name: W32.IRCBot.B
Variants/Aliases: Win32.SdBot.18976, Troj/Ircbot-M, Backdoor.IRCBot.gen, W32/Sdbot.worm.gen
Type: Trojan
Length: 19 KB
Date of Discovery: October 8, 2003
Date of Last Update: October 8, 2003
Threat Assessment: Low
Systems Affected:

Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT

General Description:

W32.IRCBot.B is a Backdoor Trojan Horse that connects to an IRC server and waits for commands from the hacker. This Trojan is a variant of W32.IRCBot and W32.IRCBot.Gen.

Note: It has been reported that W32.IRCBot.B may arrive in an email message about a fake program update for Norton AntiVirus. The sender, updates@symantec.com, is a spoofed email address. Symantec never sends unsolicited email; the attachment should be deleted.

The Trojan may arrive in an email with the following characteristics:

From: updates@symantec.com (spoofed email address)
Subject: Last Update.
Attachment: nav32.zip
Attachment Type: Zip file
Attachment Size: 15.5 Kbytes

NOTE: When nav32.zip is decompressed, it yields an executable file named nav32.exe, which is 19 KB in length.

The Trojan is packed with UPX.


Vendor Specific Information

McAfee
Minimum DAT: 4245
Minimum Engine: 4245
Removal Instructions:

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations


Symantec
Virus Definitions via Intelligent Updater: October 7, 2003
Virus Definitions via LiveUpdate: October 8, 2003
Removal Instructions:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.IRCBot.B.
4. Delete the value that was added to the registry.


Technical Details

Step 1: Inserts a copy of itself as %System%\RPCX1sQ3.exe.

Note: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Step 2: Adds the value:

"windowsupdate" = "RPCX1sQ3.exe"

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Step 3: Attempts to connect to the IRC server, itc.ourmoney.pp.ruz, using TCP port 31337.
Step 4: Attempts to join a predefined channel, using a random nickname, and waits for commands from the IRC server.
Step 5: Commands include, but are not limited to:

- Managing the installation of the Trojan
- Controlling the IRC client on a compromised computer
- Updating the installed Trojan
- Sending the Trojan to other IRC channels
- Downloading and executing files
- Performing Denial of Service (DoS) attacks against a target, which the hacker defines
- Uninstalling itself completely by removing the relevant registry entries
- Terminating processes
- Visiting Web sites
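As an added example (not part of this alert and not a McAfee or Symantec tool), the following Python script checks a `reg export` dump of the two autorun keys from Step 2 for the "windowsupdate" value and the RPCX1sQ3.exe file name, which is the registry indicator a responder would verify before and after the removal steps above. The sample export embedded in the script is constructed.

```python
"""Scan a Windows .reg export for the W32.IRCBot.B autorun value."""
import re

# Indicators taken from the alert's Technical Details (compared case-insensitively).
IOC_VALUE_NAME = "windowsupdate"
IOC_FILE_NAME = "rpcx1sq3.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed sample of what `reg export` produces on an infected host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"windowsupdate"="RPCX1sQ3.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"windowsupdate"="RPCX1sQ3.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="Some App"
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export.
    Default values (@=...) and hex: blobs are skipped; .reg escapes are undone."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                yield key, m.group(1).replace("\\\\", "\\"), m.group(2).replace("\\\\", "\\")


def find_ircbot_persistence(text):
    """Return [(key, name, data)] under Run/RunServices matching either indicator."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        if name.lower() == IOC_VALUE_NAME or data.lower().endswith(IOC_FILE_NAME):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_ircbot_persistence(SAMPLE_EXPORT):
        print(f"{key}: \"{name}\" = \"{data}\"")
```

On a live host, replace SAMPLE_EXPORT with the text of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for RunServices); a hit in either key is the value Step 4 of the Symantec instructions says to delete.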