Virus Alert: W32.IRCBot.H

W32.IRCBot.H is a Trojan horse that opens a back door on the victim computer: it connects to an IRC server and waits there for commands from a remote attacker.

Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Description

When executed, W32.IRCBot.H performs the following actions:

  1. Copies itself to the system directory as:
    %System%\ssvchost.exe

  2. Adds the value:
    "window2" = "ssvchost.exe"
    to the following registry keys, so that the Trojan runs every time Windows starts:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Note that the value data is a bare file name, not a full path; it resolves to the copy dropped in %System% because that directory is on the default search path.

  3. Creates the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Media Player

  4. Deletes the following default administrative shares on the local drives:

    • IPC$

    • ADMIN$

  5. Opens a back door by connecting to the IRC server irc.xerologic.net. The Trojan then waits for commands from the remote attacker, which can instruct it to:

    • Manage the installation of the back door.

    • Send the back door to other users via DCC.

    • Download and execute files.

    • Perform DoS attacks against websites.

    • Send private information from the computer.

    • Terminate processes.

    • Open websites.

    • Start a proxy service.

    • Copy itself to shared folders on other computers.

  6. Steals the installation (CD) keys of the following games:

    • Battlefield 1942

    • Battlefield 1942: Secret Weapons Of WWII

    • Battlefield 1942: The Road To Rome

    • Battlefield 1942: Vietnam

    • Black and White

    • Command and Conquer: Generals

    • Command and Conquer: Generals: Zero Hour

    • Command and Conquer: Red Alert2

    • Command and Conquer: Tiberian Sun

    • Counter Strike

    • FIFA 2002

    • FIFA 2003

    • Freedom Force

    • Global Operations

    • Gunman Chronicles

    • Half-Life

    • Hidden and Dangerous 2

    • IGI2: Covert Strike

    • Industry Giant 2

    • James Bond 007: Nightfire

    • Medal of Honor: Allied Assault

    • Medal of Honor: Allied Assault: Breakthrough

    • Medal of Honor: Allied Assault: Spearhead

    • Nascar Racing 2002

    • Nascar Racing 2003

    • NHL 2002

    • NHL 2003

    • Need For Speed: Hot Pursuit 2

    • Need For Speed: Underground

    • Neverwinter Nights

    • Ravenshield

    • Shogun: Total War: Warlord Edition

    • Soldiers Of Anarchy

    • Soldier Of Fortune 2

    • The Gladiators

    • Unreal Tournament 2003

    • Unreal Tournament 2004

    • Soldier of Fortune II - Double Helix
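The indicators in steps 1 to 5 above can be checked offline from two artifacts an administrator can collect on a suspect host: a `reg export` of the autorun keys and the Services key, and the text output of `net share`. The following script is an added example written for this page, not code from the original advisory or from Symantec. It parses both artifacts, reports which indicators are present, and builds the `reg delete` commands for the registry cleanup step of the removal guide. The `.reg` and `net share` samples are constructed; the match on the file name `ssvchost.exe` in the value data (in addition to the documented value name `window2`) is this example's own generalisation, so that a variant that uses a different value name is still caught.

```python
"""Offline indicator check for the W32.IRCBot.H artifacts listed above.

Added example, not part of the original advisory. Inputs are a `reg export`
dump of the autorun and Services keys and the text output of `net share`.
All sample data below is constructed.
"""
import re

# Indicators taken from the write-up above.
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
AUTORUN_VALUE = "window2"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Media Player"
# The leading "s" is mandatory so the legitimate svchost.exe never matches
# (matching on the file name is this example's generalisation, an assumption).
DROPPED_FILE_RE = re.compile(r"(?<![a-z0-9])ssvchost\.exe", re.IGNORECASE)
EXPECTED_SHARES = {"IPC$", "ADMIN$"}


def parse_reg_export(text):
    """Parse a .reg dump into {key_path: {value_name: data}}.

    Keys without values still appear (empty dict); that is how the bare
    "Media Player" service key shows up.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # REG_SZ literal; .reg backslash escaping is kept
            keys[current][m.group(1)] = data
    return keys


def find_autorun_hits(keys):
    """Autorun values carrying the known name or pointing at the dropped file."""
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in by_lower.get(key.lower(), {}).items():
            if name.lower() == AUTORUN_VALUE or DROPPED_FILE_RE.search(data):
                hits.append((key, name, data))
    return hits


def service_key_present(keys):
    return any(k.lower() == SERVICE_KEY.lower() for k in keys)


def parse_net_share(text):
    """Share names from `net share` output: first column below the dashed rule."""
    shares, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            shares.add(line.split()[0].upper())
    return shares


def removal_commands(hits, service_present):
    """reg.exe invocations for the registry step of the removal guide."""
    def short(key):
        return key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    cmds = [f'reg delete "{short(k)}" /v "{n}" /f' for k, n, _ in hits]
    if service_present:
        cmds.append(f'reg delete "{short(SERVICE_KEY)}" /f')
    return cmds


def assess(reg_text, share_text):
    keys = parse_reg_export(reg_text)
    hits = find_autorun_hits(keys)
    svc = service_key_present(keys)
    return {
        "autorun_hits": hits,
        "service_key": svc,
        "missing_shares": sorted(EXPECTED_SHARES - parse_net_share(share_text)),
        "cleanup": removal_commands(hits, svc),
    }


# Constructed sample of an infected host: documented value in two keys, a
# renamed value pointing at the dropped file, the service key, and no
# IPC$/ADMIN$ shares left.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"window2"="ssvchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"window2"="ssvchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\WINDOWS\\system32\\ssvchost.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Media Player]
"""
INFECTED_SHARES = """Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
The command completed successfully.
"""

if __name__ == "__main__":
    for item, value in assess(INFECTED_REG, INFECTED_SHARES).items():
        print(item, value)
```

On a live host the dump is produced with `reg export` of each key above and `net share`; the one indicator this offline check cannot cover is the outbound IRC connection to irc.xerologic.net, which is seen with `netstat -an` on the host or in firewall logs.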

The following recommendations and removal instructions for W32.IRCBot.H are taken from Symantec Security Response:

Recommendations:

  • Turn off and remove unnecessary services. By default, many operating systems install services that are not needed, such as FTP servers, telnet, and Web servers. These services have historically been the source of many of the weaknesses that attackers exploit.

  • Keep up to date with the latest patches, especially on computers that host public services and are reachable through the firewall, such as HTTP, FTP, mail, and DNS.

  • Enforce a strong password policy. Complex passwords make it harder for password-cracking programs to succeed against your computers, and they limit the damage when a computer is compromised.

  • Configure e-mail servers to block or remove the attachment types that viruses commonly use to spread: .vbs, .bat, .exe, .pif, and .scr.

  • Isolate infected computers quickly to prevent the virus from spreading within your organization. Audit the affected systems and back up their data.

  • Tell employees not to open e-mail attachments unless they come from a known and verifiable source, and not to run software downloaded from the Internet unless it has been scanned by antivirus software. Browsing alone is no longer safe: an ordinary visit to a web page can be enough to infect a computer.

Virus removal guide (Symantec)

  1. Disable System Restore (Windows Me / XP).

  2. Download the latest virus definitions for your antivirus software.

  3. Restart the computer in Safe Mode.

  4. Run a full system scan and delete or repair any files detected as W32.IRCBot.H.

  5. Remove the values and keys that the Trojan added to the registry.