1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Kromber

Kromber

ALIAS:IRC-Worm.Kromber, W32/Kromber, TrojanDropper.VBS.Inor

Summary

This worm spreads though the IRC network by sending a link to a web page which contains an exploit and runs a script. This script drops and runs a file called browsercheck.exe

Additional Details

This worm's life-cycle is as follows:

A URL is posted in an IRC channel, the URL has the following format: (it has been partially modified on purpose)

http://www.[removed].at/[removed]/show.php?f=drunkchicks.jpg
and the message on the channel:

http://www.[removed].at/[removed]/show.php?f=drunkchicks.jpg LOL
The URL contains a HTML file with code taking advantage of an Internet Explorer vulnerability. When a user clicks or enters the URL in Internet Explorer, a VBS script will be downloaded from:

http://www.[removed].at/[removed]/drunkchicks.php
and executed. This script will open a window outside the user's desktop, aiming at remaining unnoticed. It contains several strings with a comma separated list of octets which, through a very simple decoding, are written into a file on the path:

C:\browsercheck.exe
This executable has a length of 3584 bytes. This executable will use the Dynamic Data Exchange Management Library provided by the Windows user interface API, to communicate with an existing and running IRC client on the computer. (This functionality might be limited to the Internet Relay Chat client mIRC)

If the communication is successful, it will use the IRC client to send a command which will perform the following actions:

-It will post to the channel the URL containing the exploit plus the text " LOL".
-It will attempt to set the topic of the first channel the user joined to the text containing the URL.
-It will attempt to set the topic of the second channel the user joined to the text containing the URL.
-Sets the user's nick as registered.
The VBS script will drop the executable into the users' system. That will be the only modification made to the user's computer. The dropped executable won't make any changes to the system's configuration, nor it will be executed on restart. It will only be run from the VBS script.

Detection

Detection in F-Secure Anti-Virus was published on September 27th, 2003 in update:

[FSAV_Database_Version]
Version=2003-09-27_01

Technical Details: Katrin Tocheva and Ero Carrera September 27th, 2003;