Aliases: Win32/MS06-040!exploit, Backdoor.Win32.IRCBot, W32/Sdbot.worm.gen.g, W32/SDBot, Mal/IRCBot-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: North America, Europe, Asia
Removal: Easy
Platform: W32
Discovered: 20 Jun 2008
Damage: Medium

Characteristics: The autorun worm W32.Ircbrute can spread by copying itself to all available removable drives in the infected computer system. This worm has the ability to open up a backdoor in the compromised machine. This backdoor can be used by the worm’s author to communicate with it and to send instructions pertaining to malicious commands that can be carried out by the worm. The opened backdoor can also be used by other malware to get into the already compromised system.

More details about W32.Ircbrute

When the worm W32.Ircbrute has executed in the infected machine, it will look for an instance of the file eplorer.exe and then inject a code in the process. The malware will use the code to produce either one of the mutexes asd-6+094997_ and dfsfdh546fg3243fgmj to make certain that only a single instance of the malware is running. It will then create a desktop .ini file and two copies of itself in the .exe file extension. Next, it will create 2 registry entries to ensure its execution at every Windows startup and another 4 registry entries to ensure that it also runs when the process explorer.exe is executed. The worm will then copy itself to all available removable drives as 2 files with the EXE file extension. This autorun worm will then create an autorun.inf file that will ensure its execution when a drive it has infected is accessed.

The W32.Ircbrute worm will then go on to try and establish a connection to its remote author through on the 6667 TCP port or me.cashirc.com on the 7000 TCP port. After a successful connection, the worm’s remote author can then carry out actions which include starting a SYN or UDP flood as a DOS or Denial of Service attack and downloading and updating itself. This worm’s infection can be removed by first terminating it running process. You can do this by searching for the process in the list of running processes under Windows Task Manager. When using Windows XP or ME, make sure that the system restore feature is disabled and then search the system for files that may have been planted by the worm. Next, clean the registry by deleting the worm’s modifications.