WORM_IRCBOT.BGA

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It injects codes into the following process(es):

• Explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Run
{random} = %Application Data%\{random}.exe

Download Routine

This worm connects to the following malicious URLs:

• {BLOCKED}o.dukatlgg.com
• {BLOCKED}a.dukatlgg.com
• {BLOCKED}n.zavoddebila.com
• {BLOCKED}0.vadi-ga-van.info
• {BLOCKED}rozga.fileave.com
• {BLOCKED}na.fileave.com
• {BLOCKED}35.rapidshare.com

It accesses the following websites to download files:

• http://{BLOCKED}rozga.fileave.com/e8034335afb724d8fe043166ba57cd23.exe
• http://{BLOCKED}na.fileave.com/crojebiga3_BTCGuild.exe

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• http://api.{BLOCKED}ia.com