IRCBot
Backdoor.Win32.IRCBot
- Lmfao hey im sending my new photo album, Some bare funny pictures!
- lol my sister wants me to send you this photo album
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- looooooooooooooooooooooooooooooooooooooo!! :p
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :(made it for yah, been doing picture story of my life lol..
- hey, is this really you?
- hey, looks as your image or ?
Inside is a '.pif' file called photo album2007 or a '.scr' file called photos_2007. It connects you to one of the following IRC Servers:
- darkjester.xplosionirc.net
- cc.xerhosts.net
- free8.bis:8080
- john.free4people.net:80
and posts a message: IMStart. which is an invitation to connect to the victims computer.when connected, the attacker can send the worm to more people and control the victims pc. However, there is a flaw: as MSN Messenger does not allow you to send whole files, instead of spreading, The victim will get a lot of dialogue boxes saying: "you cannot send a folder, please send one file at a time." Thefore you must have Windows Live Messenger to spread it.
NOTE: Upon downloading this virus: this virus then hides itself and begins downloading more viruses. if you contract this virus from MSN; an easy thing to do is turn off your cable box/modem (the one with the lights that say internet/receive/power/etc. and they are flashing) then run a few scans. if you say: go to school; leave the box on all day, when you get home, your computer will be GUARANTEED so slow it will aggravate you.
Recently (In April 2008), one variant has been delivering its virus payload as a file named "IMG00231[1].JPG-www.imageupload.com" from sites photogallery.gigacities.net and album.gigacities.net (See the McAfee Site Advisor post at 
). The MSN Messenger message says "hey, is this your picture ?! h t t p://album.gigacities.net/email.php?=YOURe-mail@hotmail.com" [DO NOT FOLLOW THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING AND WANT TO HARVEST THIS FILE]. This link delivers the MSN virus / worm payload as an MS-DOS .com application (with Size 39,424 bytes and Size on disk: 40,960 bytes). As of 11 APR 2008, Symantec Enpoint Protection does NOT detect this version of the worm.
External links
- FixMyIM's IRCBot Variants entry at FixMyIM
- McAfee Site Advisor
- Post by blogger Alex
This article is licensed under the GNU Free Documentation License.
Last updated on Tuesday September 02, 2008 at 15:21:35 PDT (GMT -0700)
View this article at Wikipedia.org - Edit this article at Wikipedia.org - Donate to the Wikimedia Foundation
|
|
|
|
|
|
|
|
|
|
