Icrobus is a script-based worm. It consists of a few mIRC scripts
and batch files. The worm is spread in a self-extracting archive
that beside the Ircobus worm drops DoS (Denial of Service)
trojans, a modified mIRC client that works with worm's scripts
and a few utilities including HideWindow (hides application
windows) and PsExec (starts or kills processes on a remote
computer)
When the self-extracting archive is run by a user, it hiddenly
drops a few files to \%winsysdir%\drivers\media\cat32\ folder.
Then a startup key is created for the modified mIRC file so that
it could be loaded during all Windows sessions.
When the modified mIRC client is started, it loads a few scripts
including the Ircobus worm script. The script looks for network
shares with the help of external utilities, builds a list of
vulnerable computers and then spreads to these computers by
copying the dropper file to remote hard disks. The dropper is
then activated with the help of PsExec.exe utility and a remote
computer becomes infected.
Do disinfect a system it's enough to delete all worm's files as
well as a modified mIRC client file and DoS tools.
[Description: F-Secure Anti-Virus Research Team; F-Secue Corp.; June 4th, 2003]
