Summary of IRC/Vedetar.A
|Alias:||BAT.Trojan.Watal.A, Trojan.Irc.Batter, Backdoor.IRC.Watal.d|
||Attempts to spread itself through IRC by sending a message containing a URL to a website hosting the worm.
||29 Dec 2004
||30 Dec 2004
|IRC/Vedetar.A arrives as a BAT file. When executed, the worm checks whether it already exists as c:\winsys.bat. If it does not, it copies itself to that location and appends the string "call c:\winsys.bat" to autoexec.bat on the "c:\" drive.
The worm then attempts to locate mIRC installed under the following hardcoded location:
If mIRC is not found under those locations, the BAT file exits without performing any further actions.
If mIRC is located under those paths, the worm copies itself to that location under the name "script.ini". It then appends the following lines to "mirc.ini", which resides by default in the mIRC installation folder:
By doing this, the worm includes itself in the default mIRC execution environment.
The worm is distributed through an IRC script contained within the BAT file. It spreads by waiting for users to join the channel the infected user is currently on, and sends a private message to one out of every four people who join. This message contains a link to the BAT file residing on a web server; the file has a double extension and initially spread under the name "poza1.jpg.bat". The worm's behaviour can be altered through pre-defined keywords written on the channel.
Sindri Bjarnason - virus researcher FRISK Software Int.
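
A host check for the artefacts described above, as an added example that is not part of the original write-up: it looks for winsys.bat, the autoexec.bat call line, and a script.ini that is byte-identical to winsys.bat. The mIRC directory is passed in by the caller because the hardcoded paths are not listed on this page, and the image/script extension sets in the filename check are assumptions generalised from "poza1.jpg.bat".

```python
import hashlib
import re
import tempfile
from pathlib import Path

AUTOEXEC_MARKER = r"call c:\winsys.bat"  # string the page says is appended
# Assumed extension sets, generalised from the page's single name "poza1.jpg.bat".
IMAGE_THEN_SCRIPT = re.compile(r"\.(jpe?g|gif|png|bmp)\.(bat|cmd|exe|scr|pif|com)$", re.I)

def find_ci(directory, name):
    """Case-insensitive file lookup, since DOS/Windows names ignore case."""
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def deceptive_double_extension(filename):
    """True for names shaped like 'poza1.jpg.bat' (image extension, then script)."""
    return bool(IMAGE_THEN_SCRIPT.search(filename))

def check_host(drive_root, mirc_dir=None):
    """Return a list of findings for the file artefacts described on the page."""
    findings = []
    dropped = find_ci(drive_root, "winsys.bat")
    if dropped:
        findings.append("winsys.bat present in drive root")
    autoexec = find_ci(drive_root, "autoexec.bat")
    if autoexec and AUTOEXEC_MARKER in autoexec.read_text(errors="replace").lower():
        findings.append("autoexec.bat calls c:\\winsys.bat")
    # The worm copies itself to script.ini, so compare content, not just the name.
    script = find_ci(mirc_dir, "script.ini") if mirc_dir else None
    if dropped and script:
        digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
        if digest(dropped) == digest(script):
            findings.append("mIRC script.ini is a byte-identical copy of winsys.bat")
    return findings

def demo():
    """Build a constructed, harmless file tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, mirc = Path(tmp), Path(tmp, "mirc")  # 'mirc' is a placeholder path
        mirc.mkdir()
        body = b"rem constructed placeholder, not worm code\r\n"
        (root / "WINSYS.BAT").write_bytes(body)
        (mirc / "script.ini").write_bytes(body)
        (root / "AUTOEXEC.BAT").write_text("@echo off\nCALL C:\\WINSYS.BAT\n")
        return check_host(root, mirc)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Comparing hashes avoids flagging a script.ini on its name alone; only a copy that matches the dropped BAT file is reported.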