FRISK Software International


Summary of IRC/Vedetar.A
Alias: BAT.Trojan.Watal.A, Trojan.Irc.Batter, Backdoor.IRC.Watal.d
Infectable objects: Attempts to spread itself through IRC, by sending a message containing a URL to a website hosting the worm.
Discovered: 29 Dec 2004
Definition files: 30 Dec 2004
Risk Level: Low
Distribution: Low
 

Technical Description
IRC/Vedetar.A arrives as a BAT file. When executed, the worm tests whether it exists as c:\winsys.bat. If it does not, it copies itself to that location and appends the string "call c:\winsys.bat" to autoexec.bat on the "c:\" drive.

The worm then attempts to locate mIRC installed under the following hardcoded locations:
c:\mirc\mirc.ini
c:\progra~1\mirc\mirc.ini
d:\mirc\mirc.ini
e:\mirc\mirc.ini
f:\mirc\mirc.ini
If mIRC is not found under those locations, the BAT file exits without performing any further actions.

If mIRC is located under those paths, the worm copies itself to that location under the name of "script.ini". It then appends the following lines to "mirc.ini" which resides by default in the mIRC installation folder:

n0=script.ini
n1=script.ini
n2=script.ini
n3=script.ini
n4=script.ini
n5=script.ini
n6=script.ini
n7=script.ini
n8=script.ini
n9=script.ini

By doing this the worm includes itself in the default mIRC execution environment.

The worm is distributed by an IRC script contained within the BAT file. It spreads by waiting for users to join the channel the infected user is currently on, and sends a private message to one out of every four persons who join. This message contains a link to the BAT file residing on a web server; the file has a double extension and initially spread under the name "poza1.jpg.bat". The worm can be altered through pre-defined keywords written on the channel.
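The file-system changes described above can be checked for directly. The following is an added example, not part of the original FRISK description: a Python check for the winsys.bat drop, the autoexec.bat line and the repeated script.ini entries in mirc.ini. The function names, the drive mapping, the repeat threshold and the constructed sample files are assumptions made for illustration.

```python
import re
from pathlib import Path

# Hardcoded mIRC folders from the description: (drive letter, folder).
MIRC_DIRS = [("c", "mirc"), ("c", "progra~1/mirc"),
             ("d", "mirc"), ("e", "mirc"), ("f", "mirc")]
CALL_RE = re.compile(r"^\s*call\s+c:\\winsys\.bat\s*$", re.I | re.M)
LOAD_RE = re.compile(r"^\s*n\d\s*=\s*script\.ini\s*$", re.I | re.M)

def _text(path):
    return path.read_text(errors="replace") if path.is_file() else ""

def scan(drives):
    """drives maps a drive letter to where that volume can be read, e.g.
    {"c": "C:/"} on a live host or a mounted image path (assumption)."""
    findings = []
    c = Path(drives["c"]) if "c" in drives else None
    if c and (c / "winsys.bat").is_file():
        findings.append("c:\\winsys.bat exists")
    if c and CALL_RE.search(_text(c / "autoexec.bat")):
        findings.append("autoexec.bat calls c:\\winsys.bat")
    for letter, folder in MIRC_DIRS:
        if letter not in drives:
            continue
        mirc = Path(drives[letter]) / folder
        loads = len(LOAD_RE.findall(_text(mirc / "mirc.ini")))
        # Assumption: one entry can be benign; repeats match the ten appended lines.
        if loads > 1:
            findings.append(f"{mirc / 'mirc.ini'} loads script.ini {loads} times")
        # Heuristic (assumption): the BAT copy in script.ini still names its drop path.
        if "winsys.bat" in _text(mirc / "script.ini").lower():
            findings.append(f"{mirc / 'script.ini'} looks like a batch file")
    return findings

def build_sample(root, infected):
    """Write a constructed C: volume under root; return the drives mapping."""
    c = Path(root) / "c"
    (c / "mirc").mkdir(parents=True)
    ini = "[rfiles]\nn0=script.ini\n"
    stub = "rem constructed stand-in naming c:\\winsys.bat\n"
    if infected:
        ini += "".join(f"n{i}=script.ini\n" for i in range(10))
        (c / "winsys.bat").write_text(stub)
        (c / "mirc" / "script.ini").write_text(stub)
    (c / "autoexec.bat").write_text(
        "@echo off\n" + ("call c:\\winsys.bat\n" if infected else ""))
    (c / "mirc" / "mirc.ini").write_text(ini)
    return {"c": c}
```

On a live host, call `scan({"c": "C:/", "d": "D:/"})` with whichever drives exist; `build_sample` only writes the constructed test layout.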


Sindri Bjarnason - virus researcher FRISK Software Int.