Hello,
I am working on a case where we have detected a new variant of the threat W32.IRCBrute.
Summary
=======
The sample is a worm that spreads by copying itself to removable drives and
contacts a remote server for instructions.
Symptoms
========
Presence of the following files:
%DriveLetter%\RECYCLER\[SID]\Desktop.ini
%DriveLetter%\RECYCLER\[SID]\csrxx.exe
%SystemDrive%\RECYCLER\[SID]\Desktop.ini
%SystemDrive%\RECYCLER\[SID]\csrxx.exe
Presence of the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"
Technical Description
=====================
When executed, the worm injects itself into explorer.exe and copies itself as
the following file:
%SystemDrive%\RECYCLER\[SID]\csrxx.exe (W32.Ircbrute)
It then creates the following file:
%SystemDrive%\RECYCLER\[SID]\Desktop.ini
Next, the worm creates the following registry entry so that it runs every time
Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"
It then copies itself to all removable drives as the following files:
%DriveLetter%\RECYCLER\[SID]\Desktop.ini
%DriveLetter%\RECYCLER\[SID]\csrxx.exe (W32.Ircbrute)
It then creates the following file so that it runs when the above drives are
accessed:
%DriveLetter%\autorun.inf
Then it contacts an IRC server at usb.mizitike.info:3498
Disinfection
============
Delete the following files:
%DriveLetter%\RECYCLER\[SID]\Desktop.ini
%DriveLetter%\RECYCLER\[SID]\csrxx.exe
%DriveLetter%\autorun.inf
%SystemDrive%\RECYCLER\[SID]\Desktop.ini
%SystemDrive%\RECYCLER\[SID]\csrxx.exe
Delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"
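The following PowerShell script is an added example, not part of the original post or of any vendor tool: it checks a host for the indicators listed under Symptoms and, with -Remediate, carries out the Disinfection steps above. The registry path and the file names are copied as written in the advisory (including the GUID exactly as given there); the cmdlets used are PowerShell 2.0 compatible so it can run on the XP-era systems that have a RECYCLER folder.

```powershell
# Added example (not from the original post): hunt for the W32.Ircbrute
# indicators listed above. Run from an elevated prompt; -Remediate deletes findings.
param([switch]$Remediate)

# Persistence key copied verbatim from the advisory, GUID as written there.
$stubKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}'
$findings = @()

# DriveType 3 = fixed (covers %SystemDrive%), DriveType 2 = removable (%DriveLetter%).
$drives = Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    # RECYCLER\<SID>\Desktop.ini also exists in a legitimate XP recycle bin, so
    # csrxx.exe is the indicator; its sibling Desktop.ini is handled on remediation.
    Get-ChildItem -Path (Join-Path $root 'RECYCLER\*\csrxx.exe') -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += $_.FullName }
    if ($d.DriveType -eq 2) {
        # Only flag autorun.inf on removable media if it points at the worm binary.
        $autorun = Join-Path $root 'autorun.inf'
        if ((Test-Path $autorun) -and (Select-String -Path $autorun -Pattern 'csrxx\.exe' -Quiet)) {
            $findings += $autorun
        }
    }
}

# Active Setup StubPath pointing at csrxx.exe (the run-at-startup entry).
$stub = (Get-ItemProperty -Path $stubKey -Name StubPath -ErrorAction SilentlyContinue).StubPath
if ($stub -match 'csrxx\.exe') { $findings += "$stubKey\StubPath = $stub" }

# The explorer.exe injection is not visible on disk; note if the dropper itself still runs.
Get-Process -Name csrxx -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process: csrxx.exe (PID $($_.Id))" }

if ($findings.Count -eq 0) { Write-Output 'No W32.Ircbrute indicators found.'; exit 0 }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remediate) {
    # Kill the process first so the file deletes do not fail on an open handle.
    Get-Process -Name csrxx -ErrorAction SilentlyContinue | Stop-Process -Force
    $findings | Where-Object { $_ -notmatch '^(Process|HKLM)' } | ForEach-Object {
        Remove-Item -Path $_ -Force -ErrorAction SilentlyContinue
        # Remove the Desktop.ini dropped next to csrxx.exe (Disinfection step above).
        $ini = Join-Path (Split-Path $_) 'Desktop.ini'
        if ($_ -match 'csrxx\.exe$' -and (Test-Path $ini)) { Remove-Item -Path $ini -Force }
    }
    if ($stub -match 'csrxx\.exe') { Remove-Item -Path $stubKey -Recurse -Force }
}
```

Run it first without -Remediate and keep the output as evidence for the case before deleting anything; the IRC contact to usb.mizitike.info:3498 is best confirmed from proxy or firewall logs rather than from the host.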
To know more about the threat (W32.Ircbrute), see the Symantec write-up for W32.Ircbrute and ThreatExpert's statistics for W32.Ircbrute.