W32/Ircbot.TT and W32/Ircbot.TU exploiting the MS06-40 vulnerability
New variants of the W32/Ircbot family of viruses (W32/Ircbot.TT and W32/Ircbot.TU) were detected earlier today. These new viruses are backdoor Trojan horses that connect to a remote IRC server and wait for commands from a remote attacker.
They were proactively detected as "Possibly a new variant of W32/Threat-HLLIM-based!Maximus" and F-Prot Antivirus users were therefore never at risk of being infected.
These new viruses exploit a remote code execution vulnerability in the Microsoft Windows Server service (MS06-40) that could allow an attacker to take complete control of the affected system. This vulnerability was reported in the Microsoft Security Bulletins for August 2006.
These viruses are set to modify several security settings on the affected computer, connect to a remote IRC server and start listening for commands from a remote hacker. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
For more detailed technical information and removal instructions for these viruses, see
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
The latest versions of F-Prot Antivirus detect these threats as W32/Ircbot.TT and W32/Ircbot.TU using virus signature files dated 14 August 2006 or later.
They are proactively detected using virus signature files before that date as "Possibly a new variant of W32/Threat-HLLIM-based!Maximus".