WORM_IRCBOT.WKJ

 Analysis by: Anthony Joe Melgarejo

 ALIASES:

Worm:Win32/Agent.T.dll (Microsoft), W32.Mubla.B (Symantec), W32/IRCbot.worm.dll (McAfee), W32/Kik-A (Sophos), IRC-Worm.Win32.Agent.a (Sunbelt), W32/Ircbot.YJ (Authentium), Trojan.IRC.Agent.B (BitDefender), Trojan.IRCBot-1084 (ClamAV), W32/IRCBot.ADC!tr (Fortinet), W32/Ircbot.YJ (F-Prot), Win32/IRCBot.WO trojan (ESET), W32/IRCBot.BAK.worm (Panda)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via instant messaging applications

This worm may arrive bundled with malware packages as a malware component.

  TECHNICAL DETAILS

File Size:

28,160 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

29 Aug 2011

Payload:

Connects to URLs/IPs, Compromises system security

Arrival Details

This worm may arrive bundled with malware packages as a malware component.

Installation

This worm creates the following mutex to ensure that only one copy of it runs at any one time:

  • 0ze2thz285hezj1hG42

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • {BLOCKED}n.{BLOCKED}eople.net

It joins any of the following IRC channel(s):

  • #.porno

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • Initiate MSN propagation
  • Steal Passwords
  • Renew IRC server connection
  • Download and Execute Arbitrary files

Other Details

This worm requires the existence of the following files to properly run:

  • %System%\printers.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It uses the following credentials when accessing its IRC server:

  • NICK new[{Country}][{random numbers}H]{random letters} - for newly infected systems
  • NICK [][{random number}H]{random letters} - for already infected systems
  • USER lol lol lol :kikio
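The IRC registration strings above (the fixed NICK layout, the USER line and the channel name) are usable as network indicators even though the server name is withheld on this page. The following is an added detection example, not Trend Micro code or part of the worm: it scans reassembled client-to-server IRC lines for those strings and grades a session. The sample lines and the placeholder server name "irc.example" are constructed for the demonstration; the country field is assumed to be any text between the first pair of brackets.

```python
import re
from dataclasses import dataclass

# Constructed client-to-server IRC lines, as a sensor would reassemble them
# from a TCP stream; not captured traffic. "irc.example" is a placeholder.
SAMPLE_IRC_LINES = [
    "NICK new[US][4821H]qzplrm",
    "USER lol lol lol :kikio",
    "JOIN #.porno",
    "PONG :irc.example",
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #linux",
]
RECONNECT_LINES = [
    "NICK [][731H]abcdex",
    "USER lol lol lol :kikio",
]

# Documented registration strings:
#   NICK new[{Country}][{random numbers}H]{random letters}   (fresh infection)
#   NICK [][{random number}H]{random letters}                 (re-connect)
#   USER lol lol lol :kikio
# Assumption: {Country} is any text up to the closing bracket.
NICK_RE = re.compile(
    r"^NICK\s+(?P<new>new)?\[(?P<country>[^\]]*)\]\[(?P<num>\d+)H\](?P<tail>[A-Za-z]+)\s*$"
)
USER_RE = re.compile(r"^USER\s+lol lol lol :kikio\s*$")
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>#\.porno)(?:\s|$)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "nick", "user" or "join"
    detail: str
    line: str


def scan_irc_lines(lines):
    """Return one Finding per line that matches a documented bot string."""
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        m = NICK_RE.match(line)
        if m:
            state = "new infection" if m.group("new") else "already infected"
            country = m.group("country") or "-"
            findings.append(Finding("nick", f"{state}, country={country}", line))
            continue
        if USER_RE.match(line):
            findings.append(Finding("user", "fixed USER registration string", line))
            continue
        m = JOIN_RE.match(line)
        if m:
            findings.append(Finding("join", f"joins {m.group('chan')}", line))
    return findings


def classify_session(lines):
    """'high' if NICK and USER both match, 'medium' for any single indicator, else 'none'."""
    kinds = {f.kind for f in scan_irc_lines(lines)}
    if {"nick", "user"} <= kinds:
        return "high"
    return "medium" if kinds else "none"


if __name__ == "__main__":
    for f in scan_irc_lines(SAMPLE_IRC_LINES):
        print(f"[{f.kind}] {f.detail}: {f.line}")
    print("verdict:", classify_session(SAMPLE_IRC_LINES))
```

The NICK and USER strings together are the strong signal; a lone JOIN of the channel is graded lower because other clients can join the same channel. Feed the scanner the client side of port-6667 (or any non-standard port the sensor flags as IRC) streams rather than whole packets, since the matches are anchored to line starts.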

NOTES:
This worm copies its main component, %System%\printers.exe, to the Windows folder and uses the following file names for its propagation through MSN Messenger:

  • images0{random numbers}.zip
  • photos0{random numbers}.zip
  • album{random numbers}.zip
  • photo{random numbers}.zip
  • pictures0{random numbers}.zip
  • picture{random numbers}.zip

Each zip file contains a file with the following name:

  • {used file name}.scr

It uses the following strings as messages in its propagation through MSN Messenger:

  • Look how wasted Paris Hilton is, after she got jailed :(
  • You and Me !!! .... look :p
  • Look at my photos hihi :p
  • Hey please accept my photos :o !!
  • A photo with me and my best friend :$ !!
  • This is me totaly naked :o please dont send to anyone else
  • Look what i found on the NET :o Jessica Alba NUDE !!
  • bak sana Paris Hilton ne hale gelmis hapiste :(
  • Sen ve Ben !!! .... BAK :p
  • Baksana benim fotograflara hihi :p
  • Hey benim fotolarimi kabul et :o !!
  • Iyi arkadasimla fotorafdayim :$ !!
  • benim bu ciplak fotoda :o ama baskasina yollama
  • bak ne buldum :o Jessica alba ciplak !!
  • Regarde comment Paris Hilton parait efondrs qu'elle ai jeter en prison :(
  • Toi et moi !!! .... regarde :p
  • Regarde mes photos :p
  • Hey s'il te plait accepte mes photos :o !!
  • Une photo de moi et mon meilleur ami :$ !!
  • C'est moi totalement nu :o s'il te plait ne l'envoie a personne d'autre
  • Regarde ce que j'ai trouvsur le net :o Jessica Alba NU !!
  • Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
  • Jij en Ik !!!! .... kijk :p
  • Kijk eens naar mijn fotos hihi :p
  • HEY !! accepteer mn fotos dan !
  • met mijn beste vriend op de foto !! :$
  • Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
  • Kijk wat ik gevonden heb :o Jessica Alba naakt !!
  • guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
  • du und ich !!! ....guck :p
  • siehe meine fotos hihi :p
  • hey bitte nimm meine fotos an :o !!
  • ein foto mit meinem besten freund und mir :$ !!
  • das bin ich total nackt :o bitte sende es niemand anderem
  • guck was ich im internet gefunden habe :o jessica Alba NACKT !!
  • Guarda come Paris Hilton sprecato , dopo che era imprijonata :(
  • Tu ed io !!! .... guarda :p
  • Guardi le mie foto hihi :p
  • Mairee photos accept karo :o !!
  • Una foto con me ed il mio amico migliore :$ !!
  • Questa e me totaly nudo :o prego non trasmette a chiunque
  • Osservi che cosa ho trovato sul internet :o Jessica alba NUDA !!
  • Veja como Paris Hilton estacabada depois de ter sido presa :(
  • e eu !!!! .... Veja :p
  • Veja as minhas fotos hehehe :p
  • Por favor aceite as minhas fotos :o !!
  • Uma foto com o meu melhor amigo e eu :$ !!
  • Esta sou eu totalmente nua :o por favor no mande isso pra ningu
  • Olha o que eu achei na NET :o Jessica Alba NUA !!
  • kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
  • NI HE WO !!! .... QING KAN :p
  • KAN WO DE ZHAOPIAN :p
  • JIESHOU WO DE ZHAO PIAN :o !!
  • YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
  • KAN WO DE ZHAOPIAN :p
  • ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!
  • Kolla hur frd Paris Hilton r, efter att hon fngslades :(
  • Du och jag !! .... Kolla ;)
  • Kolla pmin bilder, hihi :p
  • Hey, acceptera mina bilder, snlla :o
  • En bild pmig och min bsta vn :$ !!!
  • Detta r jag HELT naken.. :o Skicka inte till ngon annan, snlla...
  • Kolla vad jag hittade ptet :o Jessica Alba NAKEN !!
  • Mira cmo Paris Hilton es perdida despus de ser encarcelada :(
  • Usted e yo !!! .... Mira :p
  • Mira mis fotos jejeje :p
  • Ha aceptado mis fotos por favor :o !!
  • Una foto con mi mejor amigo e yo :$ !!
  • Esta soy yo totalmente desnuda :o por favor no enva para nadie
  • Mira lo que encontren la WEB :o Jessica Alba DESNUDA !!
  • Lede hvor spild Paris Hilton er efter hun fik fngsel :(
  • Jer og Mig !!! ... se :p
  • min fotos :p
  • Hej behage optage min foto :o !!
  • EN foto hos mig og min bedst ven :$ !!
  • denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
  • Lede hvad jeg fandt oven pden net :o Jessica Alba bar !!

It uses different languages depending on the location of the affected system.

  SOLUTION

Minimum Scan Engine:

9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as WORM_IRCBOT.WKJ

Step 3

Restart in Safe Mode


Step 4

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\images0{random numbers}.scr
  • %Windows%\photos0{random numbers}.scr
  • %Windows%\album{random numbers}.scr
  • %Windows%\photo{random numbers}.scr
  • %Windows%\pictures0{random numbers}.scr
  • %Windows%\picture{random numbers}.scr
  • %Windows%\images0{random numbers}.zip
  • %Windows%\photos0{random numbers}.zip
  • %Windows%\album{random numbers}.zip
  • %Windows%\photo{random numbers}.zip
  • %Windows%\pictures0{random numbers}.zip
  • %Windows%\picture{random numbers}.zip
  • %System%\printers.exe
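The file list above and the naming scheme in the NOTES section (a zip in the Windows folder that carries a .scr of the same base name, plus printers.exe in the system folder) can be checked with a small triage script instead of a manual search. The following is an added example, not Trend Micro's tool or part of the product's cleanup: it walks a given Windows folder and system folder, flags the documented names, and opens each candidate zip to confirm it holds the matching .scr. The fixture it builds in a temporary directory is constructed for the demonstration, and {random numbers} is assumed to be one or more decimal digits.

```python
import os
import re
import tempfile
import zipfile

# File names the worm drops into %Windows% (from the NOTES and Step 4 lists).
# Assumption: {random numbers} is one or more decimal digits.
STEMS = ("images0", "photos0", "album", "photo", "pictures0", "picture")
DROPPED_RE = re.compile(
    r"^(?P<stem>" + "|".join(re.escape(s) for s in STEMS) + r")(?P<num>\d+)\.(?P<ext>zip|scr)$",
    re.IGNORECASE,
)
MAIN_COMPONENT = "printers.exe"  # lives in %System%; the DLL needs it to run


def classify_name(name):
    """Map a bare file name to ('zip' | 'scr' | 'exe' | None, base_without_extension)."""
    if name.lower() == MAIN_COMPONENT:
        return "exe", name
    m = DROPPED_RE.match(name)
    if not m:
        return None, name
    return m.group("ext").lower(), m.group("stem") + m.group("num")


def zip_carries_scr(path):
    """True when the archive holds the documented payload: {same base name}.scr."""
    _, base = classify_name(os.path.basename(path))
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower() == (base + ".scr").lower() for n in names)


def triage(windows_dir, system_dir):
    """Return {file name: verdict} for artifacts found in the two folders.

    os.listdir() does not honour the Windows 'hidden' attribute, so hidden
    copies are listed too, which is the point of the note under Step 4.
    """
    hits = {}
    for name in os.listdir(windows_dir):
        path = os.path.join(windows_dir, name)
        if not os.path.isfile(path):
            continue
        kind, _ = classify_name(name)
        if kind == "scr":
            hits[name] = "dropped propagation screensaver"
        elif kind == "zip":
            if zip_carries_scr(path):
                hits[name] = "propagation zip, contains matching .scr"
            else:
                hits[name] = "name matches, no matching .scr inside (review manually)"
    if os.path.isfile(os.path.join(system_dir, MAIN_COMPONENT)):
        hits[MAIN_COMPONENT] = "main component"
    return hits


def build_fixture(root):
    """Create a constructed stand-in for %Windows% and %System% (not a real infection)."""
    win = os.path.join(root, "Windows")
    sysdir = os.path.join(win, "System32")
    os.makedirs(sysdir)
    with zipfile.ZipFile(os.path.join(win, "photos0123.zip"), "w") as zf:
        zf.writestr("photos0123.scr", b"MZ-placeholder")  # documented layout
    with zipfile.ZipFile(os.path.join(win, "picture7.zip"), "w") as zf:
        zf.writestr("readme.txt", b"benign archive")      # name matches only
    for name in ("album42.scr", "calc.exe", "notes.zip"):
        with open(os.path.join(win, name), "wb") as f:
            f.write(b"MZ-placeholder")                    # notes.zip: name does not match
    with open(os.path.join(sysdir, MAIN_COMPONENT), "wb") as f:
        f.write(b"MZ-placeholder")
    return win, sysdir


def run_demo():
    """Build the fixture in a temp directory, triage it and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        win, sysdir = build_fixture(root)
        return triage(win, sysdir)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name:20s} {verdict}")
```

On a real system call triage() with the expanded %Windows% and %System% paths from Safe Mode, and treat a zip whose name matches but whose contents do not as a candidate for manual review rather than an automatic delete; the script reports and does not remove anything.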

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_IRCBOT.WKJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
