BDS/IRC-M33

Re(2): BDS/IRC-M33

Funki — Wed, 22 Oct 2003 10:19:30 GMT

Body:
October 06, 2003
Intruder Alert 4.1 W32_Webb_Worm Policy
This policy detects the propagation of the W32.SobigF.Worm through
changes in the registry.

W32.Webb.F@mm is a mass-mailing, network-aware worm that sends
itself to all the email addresses it finds in various files.
The worm uses its own SMTP engine to propagate and attempts
to create a copy of itself on accessible network shares, but
fails due to bugs in the code.

In attachment you can find program that update your Norton Antivirus to
Norton Antivirus 2004. ----

Attachment: nav32.zip

So that it gets run each time a user restart their computer the following registry keys get added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"windowsupdate"="RPCX1sq23.exe"

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"windowsupdate"="RPCX1sq23.exe"

Re: BDS/IRC-M33

Funki — Wed, 22 Oct 2003 10:18:49 GMT

Details:
--------
Name: BDS/IRCBot.Gen
Alias: Troj/Ircbot-M, W32.IRCBot.B, W32/Sdbot.worm.gen, Win32.SdBot.18976, Backdoor.IRCBot.gen
Type: Backdoor
Discovered: October 7, 2003
Size: 18.976KB
Platform: Windows 95/98/ME/NT/2000/XP

Description:
------------
BDS/IRCBot.Gen has been seen to be originally sent out by email but has no ability to spread itself by its own routines. After the user extracts the attached zip file and executes the UPX packed .exe file, this Backdoor connects to an IRC server on port 31337. The infected computer can then be controlled from the IRC channel. It copies itself in the as "RPCX1sq23.exe" under \windows\%sysdir%\.

The sent out email will have the following characteristics:

From: updates@symantec.com
Subject: Last Update.

BDS/IRC-M33

bimpf — Wed, 22 Oct 2003 08:59:24 GMT

Hi!

Heute hat ein Anit-Virenprogramm den obigen Virus aufm Computer gefunden. Weiß jemand genaueres darüber? Wie verbreitet sich der?
Er war in der Datei msmngr32.exe. Und das AV-Programm hat irgendwas von Backdoor gesagt.

bimpf