WORM_IRCBOT.R
Overview

Malware type: Worm

Aliases: Backdoor.Win32.IRCBot.ay (Kaspersky), W32/Sdbot.worm (McAfee), W32.IRCBot (Symantec), Worm/SdBot.36065 (Avira), W32/Sdbot-Fam (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

Upon execution, this worm drops a copy of itself in the Windows system folder as ATECACA.EXE and executes that copy.

It also adds registry entries so that it starts automatically.

This is a memory-resident worm that also has backdoor capabilities. It uses Internet Relay Chat (IRC) for its backdoor routine. It also propagates via network shares, dropping a copy of itself as TIPELAH.EXE in each share it accesses. It uses a list of usernames and passwords to access these shares.

WORM_IRCBOT.R is capable of doing the following:

  • Download files
  • Execute a file
  • Scan for remote machines to infect
  • Issue a SYN flood attack
  • Uninstall itself
  • Update itself


Description created: May. 23, 2005 10:32:01 PM GMT -0800
