To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
IRCworm, this has been doing the rounds for some time; not sure if this is related to a botnet?

hiddenxxxphotos.exe : [SANDBOX] contains a security risk - W32/Backdoor (Signature: W32/[EMAIL PROTECTED])

[ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [EMAIL PROTECTED] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 125563 bytes.
 * MD5 hash: 36477f43592c6e2510eb2746f3a483b4.

[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe.

[ Changes to registry ]
 * Creates value "DrefIW"="C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
 * Creates value "DrefIW"="C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 * Sets value "Start"="" in key "HKLM\System\CurrentControlSet\Services\SharedAccess".

[ Network services ]
 * Looks for an Internet connection.
 * Connects to "irc.efnet.net" on port 6667 (TCP).
 * Connects to IRC server.
 * Connects to "irc.dal.net" on port 6667 (TCP).

[ Process/window information ]
 * Will automatically restart after boot (I'll be back...).
 * Creates a mutex [IrcWorm] v1.3 (c) 2005 written by DR-EF.

[ Signature Scanning ]
 * C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe (125563 bytes) : W32/[EMAIL PROTECTED]

(C) 2004-2006 Norman ASA. All Rights Reserved.
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
