Summary of IRC/Vedetar.A

| Alias: | BAT.Trojan.Watal.A, Trojan.Irc.Batter, Backdoor.IRC.Watal.d |
| Infectable objects: | Attempts to spread itself through IRC by sending a message containing a URL to a website hosting the worm. |
| Discovered: | 29 Dec 2004 |
| Definition files: | 30 Dec 2004 |
| Risk Level: | Low |
| Distribution: | Low |

Technical Description
IRC/Vedetar.A arrives as a BAT file. When executed, the worm tests whether it exists as c:\winsys.bat. If it does not, it copies itself to that location and appends the string "call c:\winsys.bat" to autoexec.bat on the "c:\" drive.
The worm then attempts to locate mIRC at the following hardcoded locations:
c:\mirc\mirc.ini
c:\progra~1\mirc\mirc.ini
d:\mirc\mirc.ini
e:\mirc\mirc.ini
f:\mirc\mirc.ini
If mirc.ini is not found at any of those locations, the BAT file exits without performing any further actions.
If mIRC is located under those paths, the worm copies itself to that location under the name "script.ini". It then appends the following lines to "mirc.ini", which resides by default in the mIRC installation folder:
n0=script.ini
n1=script.ini
n2=script.ini
n3=script.ini
n4=script.ini
n5=script.ini
n6=script.ini
n7=script.ini
n8=script.ini
n9=script.ini
By doing this the worm includes itself in the default mIRC execution environment.
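A triage check for the two configuration changes described above, given here as an added example that is not part of the original description. It works on file contents passed in as text; the function names and the sample inputs are constructed for illustration, and the rule that only a full n0 to n9 block counts as a match is an assumption of this example.

```python
import re

# Indicators taken from the description above.
# Unanchored on purpose: if autoexec.bat had no trailing newline, the
# appended string ends up glued to the previous line.
AUTOEXEC_RE = re.compile(r'call\s+c:\\winsys\.bat', re.I)
SCRIPT_RE = re.compile(r'^\s*n(\d)\s*=\s*script\.ini\s*$', re.I | re.M)


def check_autoexec(text):
    """True if autoexec.bat text contains the appended call to winsys.bat."""
    return bool(AUTOEXEC_RE.search(text))


def check_mirc_ini(text):
    """Return the sorted slot numbers (0-9) whose value is script.ini."""
    return sorted({int(m.group(1)) for m in SCRIPT_RE.finditer(text)})


def triage(autoexec_text, mirc_ini_text):
    """Summarise which of the described artifacts are present."""
    slots = check_mirc_ini(mirc_ini_text)
    return {
        "autoexec_call": check_autoexec(autoexec_text),
        "script_ini_slots": slots,
        # Assumption of this example: a lone script.ini entry may be a
        # benign user script, so only the full n0..n9 block is a match.
        "mirc_ini_match": slots == list(range(10)),
    }


# Constructed sample inputs (not taken from a real host).
SAMPLE_AUTOEXEC = "@echo off\r\nPATH C:\\WINDOWS\r\ncall c:\\winsys.bat\r\n"
SAMPLE_MIRC_INI = "[text]\r\nquit=bye\r\n" + "".join(
    f"n{i}=script.ini\r\n" for i in range(10))
CLEAN_MIRC_INI = "[rfiles]\r\nn0=remote.ini\r\nn1=script.ini\r\n"

if __name__ == "__main__":
    print(triage(SAMPLE_AUTOEXEC, SAMPLE_MIRC_INI))
    print(triage("@echo off\r\n", CLEAN_MIRC_INI))
```

On a live system, read autoexec.bat and each mirc.ini found at the hardcoded paths listed above and pass their contents to triage().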
The worm is distributed through an IRC script contained within the BAT file. It spreads by waiting for users to join the channel the infected user is currently on, and sends a private message to one out of every four persons who join. This message contains a link to the BAT file residing on a web server. The file has a double extension and initially spread under the name "poza1.jpg.bat". The worm can be altered through pre-defined keywords when they are written on the channel.
Sindri Bjarnason - virus researcher FRISK Software Int.