W32/IRCbot.worm!MS05-039 - Labelled High Risk

A home for those technical problems.
Bugzy
Emerald Rider
Posts: 620
Joined: Mon Apr 04, 2005 10:20 am

W32/IRCbot.worm!MS05-039 - Labelled High Risk

Post by Bugzy »

What is it?
A fast-spreading Internet Relay Chat (IRC) bot worm affecting systems worldwide, W32/IRCbot.worm!MS05-039 exploits a recently announced Microsoft operating system vulnerability to spread and possibly help a remote hacker control an infected system.

You can be infected simply by going online. Once infected, your system may continually reboot.

What can I do?

Besides making sure you have the latest VirusScan® virus definition updates installed, McAfee always recommends installing operating system patches from Microsoft. Learn more here.

How do I know if I've been infected?

The virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE.

The file can be run automatically by exploiting the MS05-039 vulnerability or by a user directly executing the worm.



Straight off McAfee virus alerts.
Bard - ML 8 - RR4Lx - 33/37/43
Vampiir - ML 1 - RR3Lx - 38/32/43

Rejecta
Posts: 473
Joined: Sun May 15, 2005 11:00 am

Post by Rejecta »

Bugzy wrote:What is it?
A fast-spreading Internet Relay Chat (IRC) bot worm affecting systems worldwide, W32/IRCbot.worm!MS05-039 exploits a recently announced Microsoft operating system vulnerability to spread and possibly help a remote hacker control an infected system.

You can be infected simply by going online. Once infected, your system may continually reboot.

What can I do?

Besides making sure you have the latest VirusScan® virus definition updates installed, McAfee always recommends installing operating system patches from Microsoft. Learn more here.

How do I know if I've been infected?

The virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE.

The file can be run automatically by exploiting the MS05-039 vulnerability or by a user directly executing the worm.



Straight off McAfee virus alerts.

Do you have an official link? Sounds a bit odd that you can get it without accepting any exes or DCCs.

Heta
Emerald Rider
Posts: 1540
Joined: Thu Apr 21, 2005 10:24 am

Post by Heta »

I think he is selling the McAfee virus program
Woho! I got a 360 \o/

OohhoO
Posts: 1396
Joined: Tue May 10, 2005 10:31 am

Post by OohhoO »

So are you safe if you don't use any IRC proggies?
-
Paddock - L60 Male Man Hunter - SM Tailor
Moegren - L53 Male Man Captain - SM Weaponsmith GM Woodworker
Paddreth - L60 Male Man Minstrel - SM Jeweller GM Cook
Skyros - L57 Male Man Loremaster - SM Scholar GM Farmer
Pauncho - L60 Male Hobbit Burglar - SM Armoursmith
-

Heta
Emerald Rider
Posts: 1540
Joined: Thu Apr 21, 2005 10:24 am

Post by Heta »

If it's spread via IRC, then yes.
Woho! I got a 360 \o/

Takitothemacs
Emerald Rider
Posts: 876
Joined: Thu Feb 10, 2005 12:00 pm

Post by Takitothemacs »

Heta wrote:I think he is selling the McAfee virus program
Why would he be doing that... McAfee is crap (IMHO); there are much better options out there for protecting your PC... also, there is a great thing called being careful about what programs and downloads you install/use.
Hib Pryd/Excal Retired
Littlefirby Lv51 ML9 CL10 Lurishade Thunderer

Mid Avalon - Retired
Cartilage - Lv 50 Bonedancer
Tigerstripe - LV50 Mauler
Xanidiu - Shammy BB

Lothandar
Emerald Rider
Posts: 494
Joined: Thu Jun 02, 2005 5:07 pm

Post by Lothandar »

Takitothemacs wrote:Why would he be doing that... McAfee is crap (IMHO); there are much better options out there for protecting your PC... also, there is a great thing called being careful about what programs and downloads you install/use.
Yeah, not like this exe POPS on my HDD (and is run automatically)

Bugzy
Emerald Rider
Posts: 620
Joined: Mon Apr 04, 2005 10:20 am

Post by Bugzy »

I don't use McAfee but I signed up for the virus alerts.
Bard - ML 8 - RR4Lx - 33/37/43
Vampiir - ML 1 - RR3Lx - 38/32/43

Takitothemacs
Emerald Rider
Posts: 876
Joined: Thu Feb 10, 2005 12:00 pm

Post by Takitothemacs »

Lothandar wrote:Yeah, not like this exe POPS on my hdd (and is run automatically)
... fairly symptomatic then that you don't regularly patch your machine(s), run up-to-date virus patterns and regular scans, and not only that but you have public shares on your system with no security, as well as the FACT that this threat has been in the wild for more than 15 months, is an overall low-risk threat and has been patched by Microsoft... am thinking the likes of Kazaa and other P2P programs... which leads me back to my original statement.
Takitothemacs wrote:...also, there is a great thing called being careful about what programs and downloads you install/use.
If you choose to install programs that are going to allow unsecured access to your computers then it's a price you pay. If you make yourself a soft target then you can expect to be stung.

I am not directly having a go at you... just such a statement is crazy when this topic has been covered time and again... if you or others won't follow advice (good advice, I hasten to add) then what can we do... "it is possible to lead a horse to water..." and all that.

In any case, here is the technical information that you require for more information on the virus and its removal:

Type: Worm
Aliases: W32.IRCBot, Win32/HLLW.SpyBot
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP
Encrypted: No
Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low
Damage potential: High
Distribution potential: High


--------------------------------------------------------------------------------

Description:

This malware propagates via network shares. Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder under the following filename:

INTCP32.EXE

NOTE: The Windows system folder is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.

The malware may also drop a copy of itself as MOO.DAT in the folder where the malware is first executed.

This worm creates several registry entries to ensure its automatic execution at every system startup. On systems running NT-based Windows (Windows NT, 2000, and XP), it creates a registry entry to ensure that it runs as a service process. On systems running Windows 98/ME, the malware may set a registry entry to prevent the user from using the Windows Registry Editor.

It uses the gathered usernames and passwords to drop a copy of the worm into default shares. Besides these usernames and passwords, it also uses a list of common user names and passwords. For every successful dropped copy of the malware file into a share, the dropped file is remotely executed as a service.

This worm has backdoor capabilities. It connects to a remote IRC server and joins a specific IRC channel where it receives commands from a remote malicious user.

It is capable of gathering CD keys, serial numbers, and even application product IDs.

The malware process cannot be seen on the taskbars of systems running Windows 98/ME.

This worm runs on Windows 98, ME, 2000 and XP.

Description created: 2004-05-20
Description updated: 2004-05-24

REMOVAL

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.


Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_IRCBOT.A.
Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro’s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
» On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
» On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file(s) detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

--------------------------------------------------------------------------------
NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Enabling the Registry Editor (For Win 98/ME only)


Open Notepad and copy the following text into a new text file:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


Save the file as RESTORE.REG on the desktop.
Double-click RESTORE.REG and click Yes when prompted.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Threaded = "intcp32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Threaded = "intcp32.exe"
Close Registry Editor.

--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_IRCBOT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users can use HouseCall, Trend Micro’s free online virus scanner.
Hib Pryd/Excal Retired
Littlefirby Lv51 ML9 CL10 Lurishade Thunderer

Mid Avalon - Retired
Cartilage - Lv 50 Bonedancer
Tigerstripe - LV50 Mauler
Xanidiu - Shammy BB
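
As an added example (not from any post above, nor from Trend Micro or McAfee), here is an offline Python triage of a REGEDIT4 export against the registry indicators the quoted write-up describes: the "Threaded" autostart value under Run and RunServices and the DisableRegistryTools policy, plus the two filenames named in this thread (INTCP32.EXE and WINTBP.EXE). The sample export is constructed for the example, not captured from a real host.

```python
"""Offline triage of a REGEDIT4 / .reg export against the registry
indicators named in this thread: the "Threaded" autostart value that
WORM_IRCBOT.A writes under Run and RunServices, and the
DisableRegistryTools policy it may set on Windows 98/ME.
SAMPLE_EXPORT below is constructed for the example, not from a real host."""

# Key paths are compared in lowercase, as the registry itself is case-insensitive.
HKLM_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
AUTOSTART_KEYS = {HKLM_CV + r"\run", HKLM_CV + r"\runservices"}
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
# Filenames named on this page: INTCP32.EXE (Trend Micro), WINTBP.EXE (McAfee alert).
SUSPECT_FILES = {"intcp32.exe", "wintbp.exe"}

def parse_reg(text):
    """Return {key_path: {value_name: raw_value_text}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys

def triage(text):
    """Return (key, value_name, raw_value) for every indicator found; [] if clean."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() in AUTOSTART_KEYS:
            for name, raw in values.items():
                # REG_SZ data is quoted and escapes "\" as "\\"; keep the basename only.
                exe = raw.strip('"').lower().rsplit("\\", 1)[-1]
                if exe in SUSPECT_FILES or name.lower() == "threaded":
                    findings.append((key, name, raw))
        elif key.lower() == POLICY_KEY:
            raw = values.get("DisableRegistryTools", "dword:00000000")
            if raw.lower().startswith("dword:") and int(raw[6:], 16) != 0:
                findings.append((key, "DisableRegistryTools", raw))
    return findings

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Threaded"="intcp32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

Run `triage()` over an export taken with regedit's File > Export on the suspect machine; the RESTORE.REG file shown above is the same format, so it parses too.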

Kesxex
Posts: 652
Joined: Mon Feb 07, 2005 12:00 am
Location: Nottingham

Post by Kesxex »

Interesting bit is that the worm now comes through the Plug'n'Play functionality and can install automatically if the vulnerability isn't patched.

Lucky the malware writers left that attack angle out of sight until now, really, as at the start the feature was better known as Plug'n'Pray.
"If you are not living on the edge, you occupy too much space!"
