W32/IRCBot.GTW - autorun.inf & run.exe

Hello all,

At the campus here we are dealing with an outbreak of an botnet virus, i tried sending the samples to nod32 (since friday), but unfortuanatly it isn't included in the latest virusdefinitions yet...

What i found out about the virus/bot:

-its installed by autorun.inf a specially crafted autorun.inf, not text readable and a run.exe, both are hidden
-when installed, it copies run.exe to c:\program files\internet explorer\ as svchost.exe and adds the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost with path c:\program files\internet explorer\svchost.exe
-when runned it spawns the original iexplore.exe which is doing all irc communication

Its spreading by the dozen...

Further investigation shows that when running in the background it continues copies itself as autorun.inf and run.exe in the root of all drives, so for example to: c:\ d:\ e:\ h:\

Please let it be added asap to the definition list, other antivirusproducts are marking this one already....

 

Please PM me the subject of the email as well as the email address you sent the email from.

 

Thanks. Since of today its being reconized. (Update 4162 (20090617))

autorun.inf - Win32/AutoRun.Delf.CJ worm
Run.exe - Win32/AutoRun.Delf.CJ worm

This thread can be removed/closed.

 

reni thank you for reporting this threat. As someone who has 2,000 clients running across the state plugging into everywhere it helps improve the product as a whole.. I try to report everything here so Marcos, and others can see issues, and threats possibly missed.. In each instance of an infection or client issues crashes etc I've had better help from Marcos than most phone calls to eset.. All of us know how hard it is to weed out BS from actual problems reported..