Lothandar wrote: Yeah, not like this exe POPS on my hdd (and is run automatically)
... fairly symptomatic then that you don't regularly patch your machine(s), run up to date virus patterns and regular scans and not only that but you have public shares on your system with no security as well as the FACT that this threat has been in the wild for more than 15 months, is an overall low risk threat and has been patched by Microsoft... am thinking the likes of Kazaa and other P2P programs... which leads me back to my original statement.
Takitothemacs wrote: ...also there is a great thing called being careful what programs, downloads you do install/use.
If you choose to install programs that are going to allow unsecured access to your computers then it's a price you pay. If you make yourself a soft target then you can expect to be stung.
I am not directly having a go at you... just such a statement is crazy when this topic has been covered time and again... if you or others won't follow advice (good advice I hasten to add) then what can we do... "it is possible to lead a horse to water..." and all that.
In any case, here is the technical information that you require for more information on the virus and its removal:
Type: Worm
Aliases: W32.IRCBot, Win32/HLLW.SpyBot
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP
Encrypted: No
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage potential: High
Distribution potential: High
--------------------------------------------------------------------------------
Description:
This malware propagates via network shares. Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder under the following filename:
INTCP32.EXE
NOTE: The Windows system folder is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
The malware may also drop a copy of itself as MOO.DAT in the folder where the malware is first executed.
This worm creates several registry entries to ensure its automatic execution at every system startup. On systems running NT-based Windows (Windows NT, 2000, and XP), it creates a registry entry to ensure that it runs as a service process. On systems running Windows 98/ME, the malware may set a registry entry to prevent the user from using the Windows Registry Editor.
It uses the gathered usernames and passwords to drop a copy of the worm into default shares. Besides these usernames and passwords, it also uses a list of common usernames and passwords. For every copy of the malware file successfully dropped into a share, the dropped file is remotely executed as a service.
This worm has backdoor capabilities. It connects to a remote IRC server and joins a specific IRC channel where it receives commands from a remote malicious user.
It is capable of gathering CD keys, serial numbers, and even application product IDs.
The malware process cannot be seen on the taskbars of systems running Windows 98/ME.
This worm runs on Windows 98, ME, 2000 and XP.
Description created: 2004-05-20
Description updated: 2004-05-24
REMOVAL
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_IRCBOT.A.
Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
» On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
» On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs, locate the malware file(s) detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
--------------------------------------------------------------------------------
NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.
Enabling the Registry Editor (For Win 98/ME only)
Open Notepad and copy the following text into a new text file:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Save the file as RESTORE.REG on the desktop.
Double-click RESTORE.REG and click Yes when prompted.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Threaded = "intcp32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Threaded = "intcp32.exe"
Close Registry Editor.
--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Additional Windows XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_IRCBOT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users can use HouseCall, Trend Micro's free online virus scanner.
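The manual removal steps above boil down to four checks: the dropped file in the system folder, the "Threaded" values under Run and RunServices, the running process, and (on 98/ME) the DisableRegistryTools policy. The script below is an added example, not part of the forum post or the Trend Micro write-up; it performs those checks read-only on an NT-based Windows with modern PowerShell, and only acts on what it found when given the -Remove switch. The indicator names come from the advisory text; the -Remove switch, the ordering of the cleanup (process first, then registry, then file) and the RunServices key being absent on NT-based systems are this example's own assumptions.

```powershell
# Added example: audit a machine for the WORM_IRCBOT.A indicators listed in the
# write-up above (intcp32.exe, "Threaded" autostart values, DisableRegistryTools).
# Run as an administrator. Without -Remove it only reports.
param([switch]$Remove)

$findings = @()

# 1. Dropped copy in the Windows system folder (INTCP32.EXE per the advisory).
$systemDir = [Environment]::GetFolderPath('System')
$dropped   = Join-Path $systemDir 'intcp32.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += [pscustomobject]@{ Kind = 'File'; Key = $null; Name = $null
                                    Location = $dropped
                                    Detail = (Get-Item -LiteralPath $dropped).Length }
}

# 2. Autostart values in Run / RunServices. RunServices is a Win9x key and will
#    normally not exist on NT-based Windows, so a missing key is skipped silently.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        # Flag the advisory's value name, or any value whose data names the dropped file.
        if ($p.Name -eq 'Threaded' -or ("$($p.Value)" -match '(?i)intcp32\.exe')) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Key = $key; Name = $p.Name
                                            Location = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 3. A running process with the dropped file's name.
Get-Process -Name 'intcp32' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Kind = 'Process'; Key = $null; Name = $null
                                    Location = $_.Id; Detail = $_.Path }
}

# 4. Registry Editor lock-out the advisory says the worm may set on 98/ME.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -LiteralPath $policyKey -Name 'DisableRegistryTools' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRegistryTools -ne 0) {
    $findings += [pscustomobject]@{ Kind = 'Policy'; Key = $policyKey; Name = 'DisableRegistryTools'
                                    Location = "$policyKey\DisableRegistryTools"
                                    Detail = $policy.DisableRegistryTools }
}

if ($findings.Count -eq 0) {
    Write-Host 'No WORM_IRCBOT.A indicators found.'
    return
}
$findings | Select-Object Kind, Location, Detail | Format-Table -AutoSize

if ($Remove) {
    # Same order as the manual procedure: stop the process, then remove the
    # autostart entries and the policy value, and only then delete the file.
    $findings | Where-Object Kind -eq 'Process' | ForEach-Object {
        Stop-Process -Id $_.Location -Force -ErrorAction SilentlyContinue
    }
    $findings | Where-Object Kind -eq 'Registry' | ForEach-Object {
        Remove-ItemProperty -LiteralPath $_.Key -Name $_.Name -ErrorAction SilentlyContinue
    }
    $findings | Where-Object Kind -eq 'Policy' | ForEach-Object {
        # The advisory's RESTORE.REG sets the value to 0 rather than deleting it.
        Set-ItemProperty -LiteralPath $_.Key -Name $_.Name -Value 0
    }
    $findings | Where-Object Kind -eq 'File' | ForEach-Object {
        Remove-Item -LiteralPath $_.Location -Force -ErrorAction SilentlyContinue
    }
    Write-Host 'Cleanup attempted; rescan with up-to-date patterns to confirm.'
}
```

Run it once without -Remove to see what it would touch; the findings table is the same evidence you would otherwise collect by hand from Task Manager and Registry Editor. A second registry value named anything other than "Threaded" but pointing at intcp32.exe is still caught by the data match, which is why the check looks at both the value name and its data rather than only the name the advisory lists.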