Authentium, Inc
W32/Ircbot.TU
 
     Aliases: CME-482, IRCBOT-ST, IRC-Mocbot!MS06-040, W32.Wargbot, W32/Cuebot-L, Worm.IRCBOT.JK
     Category:
     Targets:
     Discovered:
     Severity:
     Def Version:
     Protect Init:
   
     ________________

W32/Ircbot.TU is a worm that spreads by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability described in Microsoft Security Bulletin MS06-040 (http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx). More information about this vulnerability is available in Microsoft Knowledge Base article 921883 (http://support.microsoft.com/?kbid=921883). The worm opens an IRC backdoor on a compromised machine that may allow a remote attacker to execute arbitrary code. The worm's executable is packed with MEW.

The vulnerability affects most unpatched Windows systems, including Windows 95, Windows 98, Windows Me, Windows 2000, Windows NT, Windows Server 2003 and Windows XP, but the exploit provides remote code execution only on Windows 2000, Windows XP SP1 and Windows Server 2003 SP0.

When wgareg.exe is executed it performs the following actions:

1. Copies itself as %System%\wgareg.exe

2. Creates a service with the following characteristics:

   Display Name: Windows Genuine Advantage Registration Service
   Image Path: %System%\wgareg.exe

(NOTE: By default, the local Windows System directory is C:\Windows\System32 (Windows 95/98/Me/XP) or C:\Winnt\System32 (Windows NT/2000).)

3. Creates the following registry sub-keys in order to register the above service:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG

4. Modifies the registry in the following way:

In order to disable DCOM it adds the value: "enabledcom" = "n" to the registry sub-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

To restrict anonymous access to network shares it adds the values: "restrictanonymous" = "1" and "restrictanonymoussam" = "1" to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

To lower security settings it adds the values: "autoshareserver" = "0" and "autosharewks" = "0" to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters

To lower security settings it adds the values:

"antivirusdisablenotify" = "1"
"antivirusoverride" = "1"
"firewalldisablenotify" = "1"
"firewalldisableoverride" = "1"

to the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

To lower security settings it adds the value: "enablefirewall" = "0" to each of the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile

To disable the Windows Firewall service it adds the value: "Start" = "4" to the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

5. Injects code into the running explorer.exe process (in memory).

6. Creates the file: %Windir%\debug\dcpromo.log

(NOTE: By default, the local Windows directory is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).)

7. Opens a back door on the compromised machine by connecting to the following IRC domains on TCP port 18067:

http://bniu.hous[REM].com

http://ypgw.walll[REM].com

This may allow a remote attacker to launch a denial of service attack, download and execute remote code, or remotely run a command shell. The worm may also use AOL Instant Messenger, if it is running on the victim machine, to send instant messages from the victim's account. This could allow the attacker to trick other users into downloading and executing the worm from an external URL.

Detection:

Command Antivirus version 4.93 or higher with definition files dated on or after the discovery date given above will detect and disinfect this worm.


Removal Instructions:

The following are generic instructions for the removal of this worm.

1. Disable System Restore (Windows XP only). See item 1 below.

2. Ensure the virus definitions are up to date.

3. Restart the computer in Safe Mode.

4. Run a full system scan and delete all files detected as W32/Ircbot.TU.

5. Reverse the changes made to the registry. See item 2 below.

For further information, read the following instructions.

1. To disable System Restore (Windows XP)

If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

2. To reverse the changes made to the registry.

We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.

Modify the specified keys only.

a. Click Start > Run.

b. Type regedit and click OK.

c. Navigate to the keys mentioned in the description above.

d. In the right pane, delete the value associated with this worm.

e. Exit the Registry Editor.
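For administrators who prefer to check the registry changes listed in the description above and carry out step 2 of the removal instructions without hand-editing each key, the following script is an added example written for this page; it is not part of the Authentium advisory or of Command Antivirus. The key and value names are taken from the advisory text; the restore-to values for "enabledcom", "restrictanonymous" and "Start" (and the note that "restrictanonymoussam" = "1" is the Windows XP default) are the editor's assumptions about a clean system.

```powershell
# Added example (editor's script, not from the Authentium advisory or Command Antivirus):
# audits a host for the service, file and registry values the advisory attributes to
# W32/Ircbot.TU and, with -Revert, undoes the registry changes. Run from an elevated
# prompt. Key and value names come from the advisory; Restore/Keep defaults are assumed.
param([switch]$Revert)

function Get-IrcbotIndicators {
    # Restore = set back to this instead of deleting (value exists on a clean system);
    # Keep    = report only (restrictanonymoussam=1 is already the XP default, assumed).
    @(
        @{ Key='HKLM:\SOFTWARE\Microsoft\Ole';                                      Name='enabledcom';              Data='n'; Restore='Y' },
        @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='restrictanonymous';       Data='1'; Restore=0 },
        @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='restrictanonymoussam';    Data='1'; Keep=$true },
        @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';   Name='autoshareserver';         Data='0' },
        @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';   Name='autosharewks';            Data='0' },
        @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='antivirusdisablenotify';  Data='1' },
        @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='antivirusoverride';       Data='1' },
        @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='firewalldisablenotify';   Data='1' },
        @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='firewalldisableoverride'; Data='1' },
        @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile';   Name='enablefirewall';          Data='0' },
        @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile'; Name='enablefirewall';          Data='0' },
        @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';              Name='Start';                   Data='4'; Restore=2 }
    )
}

$hits = 0
foreach ($i in Get-IrcbotIndicators) {
    $props = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }                      # key or value absent
    $actual = $props.($i.Name)
    if ("$actual" -ne $i.Data) { continue }                 # -ne is case-insensitive
    $hits++
    Write-Warning "Match: $($i.Key) [$($i.Name)] = $actual"
    if (-not $Revert -or $i.Keep) { continue }
    if ($i.ContainsKey('Restore')) { Set-ItemProperty -Path $i.Key -Name $i.Name -Value $i.Restore }
    else                           { Remove-ItemProperty -Path $i.Key -Name $i.Name }
}

# Service and dropped file named in the advisory: reported only; the scanner removes them.
$svc = Get-Service -Name wgareg -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "Service wgareg present: '$($svc.DisplayName)' ($($svc.Status))" }
$exe = Join-Path $env:SystemRoot 'System32\wgareg.exe'
if (Test-Path $exe) { Write-Warning "File present: $exe" }

"$hits of $((Get-IrcbotIndicators).Count) advisory registry values matched; weigh them together with the service and file checks."
```

Several of these values also appear on hardened or policy-managed machines, so a single match is a weak signal; the service and file findings are the stronger indicators.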
