A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Backdoor:W32/IRCBot.ET is a variant of a bot that spreads by exploiting the known Plug and Play service (MS05-039) vulnerability. It is a packed PE executable file, 51326 bytes long.
The bot was first found on August 16th, 2005.
When run, the worm copies itself to the %SYSTEM% directory under the name 'windrg32.exe'. It then adds the following registry entries to ensure that it is started when a user logs on or the system is restarted:
The worm scans for systems vulnerable to the Microsoft Windows Plug and Play service (MS05-039) vulnerability over TCP/445. Please see the following page for detailed information on the vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
The following ports are used in the attack:
The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to execute the following actions:
IRCBot.ET also tries to uninstall some other malware and adware by deleting files and folders and removing registry keys. The worm tries to terminate the following processes:
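The two behaviours above (a dropped copy named 'windrg32.exe' with an autostart entry, and a sweep of TCP/445 looking for MS05-039 targets) are what a defender can look for. The following script is an added example, not F-Secure's code or the worm's: it flags hosts in a connection log that contact many distinct destinations on TCP/445 inside a short window, and flags autostart entries whose command references the dropped file name. The log format, the sample traffic, the autostart value names and the assumption that the worm uses the usual Run keys are all constructed for the example; the description above does not list the actual keys or ports beyond TCP/445.

```python
"""Defender-side checks for the IRCBot.ET behaviour described above.

1. find_smb_scanners(): flags sources that open TCP/445 connections to many
   distinct destinations within a short window (the MS05-039 scanning pattern).
2. suspicious_autostart(): flags autostart entries whose command references
   the dropped file name 'windrg32.exe'.

Log format, sample traffic and autostart value names are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DROPPED_NAME = "windrg32.exe"  # file name given in the threat description


def parse_line(line):
    """Parse one constructed log line of the form timestamp,src,dst,dport,proto."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20, port=445):
    """Return {src: max_distinct_destinations} for every source that connected
    to at least `threshold` distinct hosts on TCP/`port` inside any `window`."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            # slide the window start forward until evs[lo:hi+1] fits in `window`
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def suspicious_autostart(entries, dropped_name=DROPPED_NAME):
    """Given {value_name: command} pairs read from autostart registry keys
    (assumed here to be the usual Run keys; the description does not list the
    exact keys), return the value names whose command references the dropped file."""
    return sorted(name for name, cmd in entries.items()
                  if dropped_name in cmd.lower())


def build_sample_log():
    """Constructed traffic: 10.0.0.7 sweeps 10.0.1.1-10.0.1.40 on TCP/445, one
    host per second; 10.0.0.12 talks normally to a single file server."""
    start = datetime(2005, 8, 16, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()},10.0.0.7,10.0.1.{i + 1},445,tcp")
        lines.append(f"{ts.isoformat()},10.0.0.12,10.0.0.2,445,tcp")
    lines.append(f"{start.isoformat()},10.0.0.12,198.51.100.5,80,tcp")
    return lines


if __name__ == "__main__":
    print(find_smb_scanners(build_sample_log()))          # {'10.0.0.7': 40}
    # value names below are placeholders, not the worm's real entries
    print(suspicious_autostart({
        "ExampleValueName": r"C:\WINDOWS\system32\windrg32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    }))                                                    # ['ExampleValueName']
```

The scanner check keys on distinct destinations rather than raw connection counts, so a busy workstation talking to one file server over SMB is not flagged while a host sweeping a subnet is; tune `threshold` and `window` to the normal fan-out on the network being monitored.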
Removes these files:
Deletes these values: