Source: TechTarget
Recently, some users have reported that their systems are infected with Win32/IRCBot.worm.64512.P and that they do not know how to handle it. Our editors have collected the relevant information in the hope that it helps.
Win32/IRCBot.worm.64512.P is one of the variants of the Win32/IRCBot.worm family. The worm attempts to spread by exploiting a Windows vulnerability and by using the SA account password configured in SQL Server databases. When run, it creates the files wipv6.exe (64,512 bytes) and msdirectx.sys (6,656 bytes) in the Windows System directory, opens an arbitrary TCP port, and attempts to connect to a specific IRC server, from which it accepts malicious commands issued by an operator (Operator).
After infection, the following symptoms appear:
Creates the following files in the Windows System directory:
C:\<Windows System directory>\wipv6.exe (64,512 bytes)
C:\<Windows System directory>\msdirectx.sys (6,656 bytes)
Note: The location of the Windows System folder varies by version: C:\Windows\System on Windows 95/98/Me, C:\WinNT\System32 on Windows NT/2000, and C:\Windows\System32 on Windows XP.
Modifies the registry so that it runs automatically at system startup:
HKEY_CURRENT_USER\Software\Microsoft\OLE
Windows IPv6 Drivers = wipv6.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows IPv6 Drivers = wipv6.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows IPv6 Drivers = wipv6.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
Windows IPv6 Drivers = wipv6.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Windows IPv6 Drivers = wipv6.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows IPv6 Drivers = wipv6.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
Windows IPv6 Drivers = wipv6.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Windows IPv6 Drivers = wipv6.exe
HKEY_USERS\<user account SID>\Software\Microsoft\OLE
Windows IPv6 Drivers = wipv6.exe
HKEY_USERS\<user account SID>\Software\Microsoft\Windows\CurrentVersion\Run
Windows IPv6 Drivers = wipv6.exe
HKEY_USERS\<user account SID>\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows IPv6 Drivers = wipv6.exe
HKEY_USERS\<user account SID>\SYSTEM\CurrentControlSet\Control\Lsa
Windows IPv6 Drivers = wipv6.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx
ImagePath = \??\C:\<Windows System directory>\msdirectx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
ImagePath = \??\C:\<Windows System directory>\msdirectx.sys
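The registry entries listed above are the persistence indicators a responder would look for when triaging an exported hive. The following script is an added example (not TechTarget's or Dr. An's code) that parses a registry export in .reg text format and flags the "Windows IPv6 Drivers = wipv6.exe" autorun value and the msdirectx service whose ImagePath points at msdirectx.sys; the sample export embedded in it is constructed for the example, not captured from an infected machine, and the value-name and file-name indicators are taken from the listing above.

```python
"""Scan a Windows registry export (.reg text) for the persistence entries
this variant is described as writing: the "Windows IPv6 Drivers = wipv6.exe"
autorun value and the msdirectx service whose ImagePath ends in msdirectx.sys.
The sample .reg content below is constructed for the example."""
import re

# Value-level indicators taken from the description of this variant.
AUTORUN_VALUE = "windows ipv6 drivers"
AUTORUN_DATA = "wipv6.exe"
SERVICE_KEY_SUFFIX = r"\services\msdirectx"
SERVICE_DRIVER = "msdirectx.sys"

# Constructed sample export: one benign Run value, one autorun indicator,
# and a service key whose ImagePath uses the \??\ NT object-path prefix.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows IPv6 Drivers"="wipv6.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]
"ImagePath"="\\??\\C:\\Windows\\System32\\msdirectx.sys"
"Type"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _unquote(data: str) -> str:
    """Turn a quoted REG_SZ literal into its stored string; leave dword: etc. as-is."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def parse_reg(text: str):
    """Yield (key_path, value_name, data) for every value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), _unquote(m.group("data"))


def find_indicators(text: str):
    """Return findings as (key, value_name, data, reason) tuples."""
    hits = []
    for key, name, data in parse_reg(text):
        if name.lower() == AUTORUN_VALUE or data.lower().endswith(AUTORUN_DATA):
            hits.append((key, name, data, "autorun value for wipv6.exe"))
        elif key.lower().endswith(SERVICE_KEY_SUFFIX) and name.lower() == "imagepath":
            # Strip the \??\ object-path prefix before checking the driver file name.
            path = data[4:] if data.startswith("\\??\\") else data
            if path.lower().endswith(SERVICE_DRIVER):
                hits.append((key, name, path, "kernel driver service msdirectx"))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_indicators(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data}")
```

Because both the value name and the file name are checked, the script still fires if the worm is registered under a different key than those listed, and it matches the ImagePath whether or not the `\??\` prefix is present. Export the keys above with `reg export` on the machine under investigation and pass the file's contents to `find_indicators`.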
Generally, it can perform the following malicious functions:
Run and delete files (run other worms and viruses)
Download and upload files (steal confidential files)
Forcibly terminate a specific process
Collect system information (leakage of user information)
Scan networks
Forcibly remove shared folders
Forcibly terminate the system's DCOM service
Run xp_cmdshell in the MS SQL database
Solution: see Dr. An's related content (link).
Related downloads:
Win32/IRCBot.worm removal tool
Dr. An's latest virus database for Win32/IRCBot.worm, 2004.11.15
In addition, the following variants of Win32/IRCBot.worm have appeared. If you see the corresponding symptoms, you can go to the relevant URL to find a solution.
Win32/IRCBot.worm.108032.I
Win32/IRCBot.worm.159744
Win32/IRCBot.worm.103832
Win32/IRCBot.worm.20.544.l