Recurring W32.IRCbot infection on the network
Updated: 21 May 2010 | 10 comments
Many of our computers on different network segments keep reporting the W32.IRCbot alert.
The malware is found in the following locations:
C:/windows/system32/wuauclt.exe
C:/windows/system32/dllcache/wuauclt.exe
SAV10 on these machines has taken the "Delete" action on the detected malware.
I suspect there must be a rogue computer in the network that is infecting these machines, but we lack the visibility.
Does anyone have any idea how to pinpoint this rogue computer?
AC
Comments
If you have a firewall in the network, it can give you some information.
Try to implement the following to prevent W32.IRCBot from spreading in the network:
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Couple of things here:
1. It is possible that it is not an infected "machine" that is spreading this on your network. From what I understand, this can be spread through USB thumb drives too. What is your policy on autorun on your machines? Is it enabled?
2. Let me start by saying I AM NOT JUST PROMOTING SEP ; ) but SEP has better ways than SAV of protecting against threats that can spread through your network. It also has application and device control, which can help you guard against people using things like flash drives, which can spread viruses. So maybe something to consider in the future.
3. I would go through and check this registry entry on the infected machine. This virus alters this registry key so it "installs" itself again and again each time the computer is restarted. SAV should take care of this, but who knows? So check this key:
The Trojan creates the following registry entry so that it is executed every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winapii" = "%Windir%\Winapii\Winapii.exe"
4. Whenever you get a virus, try to remove the infected computer from the network to keep it from spreading. I know that sometimes this isn't possible, but it can help. Also do a full scan in safe mode with System Restore off. This is the first step in virus troubleshooting. Hope this helps.
Grant-
Please don't forget to mark your thread solved with whatever answer helped you : )
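As an added example (not part of this thread or of any Symantec tool), the following read-only PowerShell script does the check Grant describes in point 3 across all of the common Run/RunOnce autostart keys, and for each entry reports the resolved executable path and its Authenticode signature status and signer. An unsigned or missing target, such as the "%Windir%\Winapii\Winapii.exe" entry quoted above, stands out immediately next to the signed Microsoft entries. It assumes an elevated PowerShell session on the machine being examined; the function and variable names are the example's own.

```powershell
# Added example: list Run/RunOnce autostart entries with signer information.
# Read-only: it changes nothing in the registry or on disk.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntryReport {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties the provider adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Best-effort extraction of the executable: a quoted path, or the
            # first token ending in .exe; then expand %Windir%-style variables
            $exe = [Environment]::ExpandEnvironmentVariables(
                ($cmd -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'))
            if (Test-Path $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status              # Valid, NotSigned, HashMismatch, ...
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $status = 'FileMissing'            # entry points at a file that is gone
                $signer = ''
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Path      = $exe
                SigStatus = $status
                Signer    = $signer
            }
        }
    }
}

# Unsigned / missing targets sort to the top for review
Get-RunEntryReport -Keys $runKeys |
    Sort-Object SigStatus, Key |
    Format-Table -AutoSize
```

The output is meant to be read, not acted on automatically: a Valid signature from a Microsoft certificate is strong evidence an entry is legitimate, while NotSigned or FileMissing entries are the ones to record (key, value name, full command) before cleaning, so the same persistence can be recognised if it returns after a restart, which is exactly the symptom this thread is about.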
Check this
http://www.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-year
W32.IRCBot
http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=2
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Not so fast
I've seen the same thing on my network. I think this may be a false-positive, as I used the Qextract to pull out the original file and it appears to be fine. It is still signed by Microsoft, and when submitted to VirusTotal, it doesn't flag anything. Is there a way to find out if this is legit?
Submit the file to Symantec Security Response:
https://submit.symantec.com/websubmit/gold.cgi
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
IRC Bot Issue
This same worm is reinfecting one of our clients. The server is a file server, so there is no way I can disable the shares. SEP didn't detect it initially; after that, Rapid Release definitions detected it, but then the virus keeps on recurring, and now, even after Rapid Release defs have been applied, it doesn't detect it anymore.
The client uses Sophos to delete the .exe that the worm creates, but it keeps on recurring. Any idea how I can remove the worm once and for all?
regards
Zubair,
I know file servers are always infected, and we cannot disable sharing on this server, as then it would no longer be a file server.
1. One thing which is very clear: the file server is getting infected from the clients accessing the ftp server.
2. If you are using SEP 11 higher than MR3, then you can trace the infection sources and remove them from the network.
3. You can check the Risk log of this file server on the SEPM; there you can find the columns Source Computer and Source IP. Remove these machines from the network and scan them in safe mode.
4. I don't know if you have access to the SEPM; if so, in the Antivirus and Antispyware policies, under File System Auto-Protect, click on the Advanced tab. There you will find one option called Risk Tracer. Enable that one; this will help you.
risk tracer
Dear Hussain,
I have already done that. We found that it points to 2 shares on the file servers that are most infected. When we clean the PCs, the AV just skips those .exe's as normal files and SEP doesn't catch the viruses.
It's a big pain for us now, since the client is pondering buying McAfee.
Any other help or suggestion would be highly appreciated.
regards
Is this really the old IRCBot?
I've just had this come up on a workstation. I'm very puzzled that SEP 11 calls it W32.IRCBot, yet the file deleted was wuauclt.exe, not Winapii.exe? And, happily but strangely, wuauclt.exe is still there (needed for Windows Update, yes?). So, if it's really the IRCBot, then why was it the wrong exe, and why is the exe there after deletion? Probably I'm just not understanding what SEP is telling me.
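Two posts in this thread (the "Not so fast" reply and the one just above) come down to the same question: is the wuauclt.exe on disk still the legitimate, Microsoft-signed file, or has it been replaced? As an added example that is not from the thread or from Symantec, the PowerShell script below answers that from the machine itself: it fingerprints the live file and the Windows File Protection copy in dllcache (the two paths reported in the original post), shows each file's Authenticode signature status and signer, and says whether the two copies match. It assumes an elevated session; the dllcache path only exists on XP/2003-era systems, which is why the script treats a missing file as a normal result rather than an error. The function names and the comparison logic are the example's own.

```powershell
# Added example: compare the live wuauclt.exe with the dllcache copy and show
# each file's signature. Read-only; nothing is modified or deleted.

function Get-Sha256Hex {
    # SHA-256 via .NET so it also works on the PowerShell 2.0 hosts of this era
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-FileTrustInfo {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        # Absent is a legitimate state (e.g. no dllcache on Vista and later)
        return [pscustomobject]@{ Path = $Path; Exists = $false; Size = 0
                                  Sha256 = ''; SigStatus = 'FileMissing'; Signer = '' }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Size      = (Get-Item $Path).Length
        Sha256    = Get-Sha256Hex -Path $Path
        SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError
        Signer    = $signer
    }
}

$live  = Get-FileTrustInfo "$env:windir\system32\wuauclt.exe"
$cache = Get-FileTrustInfo "$env:windir\system32\dllcache\wuauclt.exe"

$live, $cache | Format-List

if ($live.Exists -and $cache.Exists) {
    if ($live.Sha256 -eq $cache.Sha256) {
        'Live wuauclt.exe is byte-identical to the dllcache copy.'
    } else {
        'MISMATCH: live wuauclt.exe differs from the dllcache copy; keep both and submit them to Security Response.'
    }
}
if ($live.Exists -and $live.SigStatus -ne 'Valid') {
    "Live wuauclt.exe signature status is $($live.SigStatus); do not assume it is the Microsoft file."
}
```

A Valid signature whose signer subject is Microsoft, plus a hash that matches the protected copy, is the on-host evidence that the file is genuine and the detection is worth submitting as a suspected false positive. A HashMismatch or NotSigned result on the live file, or a hash that differs from the dllcache copy, is the opposite case and explains why the AV deleted a file that then "comes back": Windows File Protection restores the protected copy, so the file reappears whether or not the deleted one was malicious.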