Saturday, March 24, 2012

W32.Ircbrute.E


Type: Worm
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Ircbrute.E is a worm that attempts to spread through removable drives and open a back door on the compromised computer. 
When executed, the worm copies itself as the following file:
%SystemDrive%\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe

It then creates the following file:
%SystemDrive%\RECYCLER\k-1-3542-4232123213-7676767-8888886\Desktop.ini

Next, the worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}\"StubPath" = "%SystemDrive%\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe"

Next, it creates the following mutex so that only one instance of the threat executes on the computer:
root_v_1

It then attempts to open a back door by connecting to the following remote location on TCP port 6667:
skuf.doesntexist.com

The worm attempts to spread by creating the following files on all removable drives:
  • %DriveLetter%\recycler\k-1-3542-4232123213-7676767-8888886\desktop.ini
  • %DriveLetter%\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe

It then creates the following file so that it runs when the above drives are accessed:
%DriveLetter%\autorun.inf 
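
The indicators listed above can be turned into a read-only host check. The PowerShell below is an added example, not part of the original write-up or of any vendor tool; the function names are hypothetical, and checking the `WOW6432Node` registry view and the session-local mutex namespace are assumptions of this example.

```powershell
# Indicators are copied from the write-up; function and variable names are this example's own.
$WormDir   = 'RECYCLER\k-1-3542-4232123213-7676767-8888886'
$WormFiles = 'hn.exe', 'Desktop.ini'
$Clsid     = '{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}'

function Get-IrcbruteFileHit {
    # Returns the full path of each worm file found under a drive root such as 'C:\'.
    param([Parameter(Mandatory = $true)][string]$Root)
    foreach ($name in $WormFiles) {
        $path = Join-Path (Join-Path $Root $WormDir) $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
    }
}

function Get-IrcbruteRegistryHit {
    # Checks the Active Setup key from the write-up. WOW6432Node is an addition of
    # this example: the 32-bit registry view on 64-bit Windows.
    foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $key = "HKLM:\$view\Microsoft\Active Setup\Installed Components\$Clsid"
        $val = Get-ItemProperty -LiteralPath $key -Name StubPath -ErrorAction SilentlyContinue
        if ($val) { "$key -> StubPath = $($val.StubPath)" }
    }
}

function Test-IrcbruteMutex {
    # True when a mutex named root_v_1 is visible from this logon session.
    try { [System.Threading.Mutex]::OpenExisting('root_v_1').Close(); return $true }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
    catch [System.UnauthorizedAccessException] { return $true }   # exists, access denied
}

$hits  = @(Get-IrcbruteFileHit -Root "$env:SystemDrive\")
$hits += @(Get-IrcbruteRegistryHit)
if (Test-IrcbruteMutex) { $hits += 'mutex root_v_1 is held by a running process' }

# Removable drives: the worm files, plus autorun.inf when it sits beside them.
$removable = @([System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady })
foreach ($drive in $removable) {
    $found = @(Get-IrcbruteFileHit -Root $drive.Name)
    $inf   = Join-Path $drive.Name 'autorun.inf'
    if ($found.Count -gt 0 -and (Test-Path -LiteralPath $inf)) { $found += $inf }
    $hits += $found
}

if ($hits.Count -gt 0) { $hits | ForEach-Object { "FOUND: $_" } } else { 'No W32.Ircbrute.E indicators found.' }
```

Run it from an elevated prompt so the `HKEY_LOCAL_MACHINE` key and the `RECYCLER` folder are readable; an `autorun.inf` is reported only when the worm's files are on the same drive, since the file by itself is common on legitimate media.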
