Kromber

This worm's life-cycle is as follows:

A URL is posted in an IRC channel, the URL has the following format (it has been partially modified on purpose).

https://www.[removed].at/[removed]/show.php?f=drunkchicks.jpg

and the message on the channel:

https://www.[removed].at/[removed]/show.php?f=drunkchicks.jpg LOL

The URL contains a HTML file with code taking advantage of an Internet Explorer vulnerability. When a user clicks or enters the URL in Internet Explorer, a VBS script will be downloaded from:

https://www.[removed].at/[removed]/drunkchicks.php

and executed. This script will open a window outside the user's desktop, aiming at remaining unnoticed. It contains several strings with a comma separated list of octets which, through a very simple decoding, are written into a file on the path:

C:\browsercheck.exe

This executable has a length of 3584 bytes. This executable will use the Dynamic Data Exchange Management Library provided by the Windows user interface API, to communicate with an existing and running IRC client on the computer. (This functionality might be limited to the Internet Relay Chat client mIRC).

If the communication is successful, it will use the IRC client to send a command which will perform the following actions:

• It will post to the channel the URL containing the exploit plus the text " LOL".
• It will attempt to set the topic of the first channel the user joined to the text containing the URL.
• It will attempt to set the topic of the second channel the user joined to the text containing the URL.
• Sets the user's nick as registered.

The VBS script will drop the executable into the users' system. That will be the only modification made to the user's computer. The dropped executable won't make any changes to the system's configuration, nor it will be executed on restart. It will only be run from the VBS script.