FRISK Software International

Summary of W32/Ircbot.TT
Alias:W32/Threat-HLLIM-based!Maximus (F-Prot until 14 Aug) (Kaspersky)
Discovered: 14 Aug 2006
Definition files: Heuristic
Risk Level: Medium
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Ircbot.TT is a backdoor Trojan horse that spreads via AOL instant messenger and by exploiting the MS06-040 vulnerability on Windows 2000 machines. It connects to IRC-servers and waits for remote commands from there. It was proactively detected as "Possibly a new variant of W32/Threat-HLLIM-based!Maximus" by the virus signature files prior to August 14, 2006 therefore F-Prot Antivirus users were never at risk of being infected.

Technical Description
When first run, the virus copies itself to %SYSDIR%\wgavm.exe and creates the file %WINDIR%\dcpromo.log.

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32

Disables the Windows Firewall by setting the value:


of the key:


Creates a service with the following characteristics:

"Service Name"="wgavm"
"Display Name"="Windows Genuine Advantage Validation Monitor"
"Description"="Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability."
"Path to executable"=%SYSDIR%\wgavm.exe

to make sure it is run at startup.

It connects to IRC-servers and waits for remote commands from there.

Removal Instructions
For general removal instructions please click here.

Marteinn r Hararson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)