Classification

Category :

Malware

Type :

-

Aliases :

Ircobus, Worm.Win32.Ircobus

Summary

Icrobus is a script-based worm. It consists of a few mIRC scripts and batch files. The worm is spread in a self-extracting archive that beside the Ircobus worm drops DoS (Denial of Service) trojans, a modified mIRC client that works with worm's scripts and a few utilities including HideWindow (hides application windows) and PsExec (starts or kills processes on a remote computer)

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the self-extracting archive is run by a user, it hiddenly drops a few files to \%winsysdir%\drivers\media\cat32\ folder. Then a startup key is created for the modified mIRC file so that it could be loaded during all Windows sessions.

When the modified mIRC client is started, it loads a few scripts including the Ircobus worm script. The script looks for network shares with the help of external utilities, builds a list of vulnerable computers and then spreads to these computers by copying the dropper file to remote hard disks. The dropper is then activated with the help of PsExec.exe utility and a remote computer becomes infected.

Do disinfect a system it's enough to delete all worm's files as well as a modified mIRC client file and DoS tools.