W32/IRCBot.GTW - autorun.inf & run.exe

Discussion in 'ESET NOD32 Antivirus' started by reni, Jun 16, 2009.

Thread Status:
Not open for further replies.
  1. reni (Registered Member; joined Feb 22, 2008; 19 posts)
    Hello all,

    At the campus here we are dealing with an outbreak of a botnet virus. I tried sending the samples to NOD32 (since Friday), but unfortunately it isn't included in the latest virus definitions yet...

    What I found out about the virus/bot:

    - it's installed by a specially crafted autorun.inf (not text-readable) and a run.exe; both are hidden
    - when installed, it copies run.exe to c:\program files\internet explorer\ as svchost.exe and adds the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost with path c:\program files\internet explorer\svchost.exe
    - when run, it spawns the original iexplore.exe, which is doing all the IRC communication

    It's spreading by the dozen...

    Further investigation shows that when running in the background it keeps copying itself as autorun.inf and run.exe into the root of all drives, so for example to: c:\ d:\ e:\ h:\

    Please let it be added ASAP to the definition list; other antivirus products are marking this one already....
     
    Last edited: Jun 16, 2009
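As an added example (not code from reni's post and not ESET's own tooling), the PowerShell triage script below checks a single host for the indicators reni lists: the Run value, the dropped svchost.exe in the Internet Explorer folder, hidden autorun.inf/run.exe in every drive root, and a window-less iexplore.exe with open TCP connections. Assumed rather than stated in the thread: that the Run value is named exactly `svchost`, and that on a 64-bit host the dropper may land under Program Files (x86) as well, so both directories are checked. The script only reports; it removes nothing.

```powershell
<#
  Added example, not from the thread or from ESET: read-only triage for the
  W32/IRCBot.GTW / Win32/AutoRun.Delf.CJ indicators described above.
  Run from an elevated PowerShell prompt on the suspect machine.
  Assumptions (not stated in the thread): Run value name is literally "svchost";
  the dropped copy may sit under either Program Files directory on 64-bit hosts.
#>
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKLM\...\Run value "svchost". The legitimate svchost.exe lives in
#    %SystemRoot%\System32 and is started by services.exe, never from a Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey
if ($run -and $run.PSObject.Properties['svchost']) {
    $findings.Add("Run value 'svchost' -> $($run.svchost)")
}

# 2. Dropped copy of run.exe posing as svchost.exe inside the Internet Explorer folder.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $programDirs) {
    $drop = Join-Path $dir 'Internet Explorer\svchost.exe'
    $f = Get-Item -LiteralPath $drop -Force
    if ($f) {
        $findings.Add("Dropped file: $drop ($($f.Length) bytes, modified $($f.LastWriteTime))")
    }
}

# 3. Spreading mechanism: hidden autorun.inf + run.exe in the root of every drive.
#    -Force is required; without it Get-Item skips hidden files, just as plain "dir" does.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'run.exe') {
        $path = Join-Path $drive.Root $name
        $f = Get-Item -LiteralPath $path -Force
        if ($f) {
            $hidden = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            $findings.Add("$path (hidden=$hidden, $($f.Length) bytes)")
        }
    }
}

# 4. The bot pushes its IRC traffic through a spawned iexplore.exe: flag IE processes
#    that have no window and list their TCP connections by PID via netstat -ano.
foreach ($p in Get-Process iexplore) {
    if ($p.MainWindowHandle -eq 0) {
        $findings.Add("iexplore.exe PID $($p.Id) running without a window")
        netstat -ano | Select-String -Pattern "\s$($p.Id)\s*$" | ForEach-Object {
            $findings.Add("  $($_.Line.Trim())")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No IRCBot/AutoRun.Delf indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the dropped files carry the hidden attribute, a plain `dir` in the drive root will not show them; `dir /a` or the `-Force` switch above does. Any hit in section 3 on a removable drive is the copy that will seed the next machine it is plugged into, so check USB sticks and network drives, not only C:.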
  2. Marcos (ESET Staff Account; joined Nov 22, 2002; 14,374 posts)
    Please PM me the subject of the email as well as the email address you sent the email from.
     
  3. reni (Registered Member; joined Feb 22, 2008; 19 posts)
    Thanks. As of today it's being recognized (update 4162 (20090617)).

    autorun.inf - Win32/AutoRun.Delf.CJ worm
    Run.exe - Win32/AutoRun.Delf.CJ worm

    This thread can be removed/closed.
     
  4. bradtech (Guest)

    reni, thank you for reporting this threat. As someone who has 2,000 clients running across the state, plugging in everywhere, it helps improve the product as a whole. I try to report everything here so Marcos and others can see issues and threats possibly missed. In each instance of an infection or client issue (crashes, etc.) I've had better help from Marcos than from most phone calls to ESET. All of us know how hard it is to weed out BS from actual problems reported.
     