W32.IRCBot.NG

W32.IRCBot.NG is a harmful computer worm that usually spreads through removable USB drives. Instant messaging applications such as MSN Messenger can also distribute W32.IRCBot.NG to contact addresses found on the victim's computer. It sends a malicious link to the gathered addresses, and when the linked file is executed it opens a backdoor on the infected computer. Antivirus programs may not detect the intrusion because of the rootkit techniques commonly found in highly developed worms such as W32.IRCBot.NG.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When a copy of the worm is executed, it creates a file at the following location:
%UserProfile%\Application Data\[RANDOM CHARACTERS].exe

To run at start-up, this worm adds the following Windows registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"

To further infect a system, W32.IRCBot.NG injects malicious code into Windows processes such as explorer.exe and winlogon.exe. Even though the worm carries out several damaging actions, it remains invisible to antivirus programs: it uses advanced rootkit techniques to hide the processes, files and registry entries essential to its operation.

Its final task is to open a backdoor that serves as an entry point for a remote attacker to carry out malicious actions, including the following:

  • Scan Internet browser data for any saved user names and passwords.
  • Capture Internet traffic to obtain user names and passwords for FTP and instant messaging programs.
  • Prevent the user from downloading executable files with the extensions .exe, .com, .scr, and .pif.

Distribution
W32.IRCBot.NG usually infects a system through instant messaging software. Once on an infected computer, it sends spam messages to the contacts gathered from that PC. The links in these messages point to a copy of the worm, which is downloaded to the victim's computer when the link is clicked. Additionally, W32.IRCBot.NG spreads by copying itself to removable drives, together with an autorun.inf file that launches the worm when the drive is accessed.
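A defender-side check for the two traces described above (an HKCU Run value that launches an executable from the user's Application Data folder, and an autorun.inf on a removable drive), written as an added example for this page; it is not code from the original write-up or from any vendor tool. It assumes PowerShell 3.0 or later, that it runs in the profile of the affected user, and the function names `Get-SuspiciousRunEntries` and `Get-RemovableAutorun` are mine.

```powershell
# Added detection check (not from the original page): flags the persistence and
# removable-drive traces this worm leaves. It reports; it does not delete anything.

function Get-SuspiciousRunEntries {
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    # The worm drops its copy under %UserProfile%\Application Data; on Vista and
    # later that legacy path is a junction to %APPDATA%, so both forms are checked.
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $legacy  = Join-Path $env:USERPROFILE 'Application Data'
    $findings = @()
    if (-not (Test-Path -LiteralPath $runKey)) { return $findings }
    $item = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        # Expand %UserProfile% etc. and drop a leading quote so path comparison works
        $value = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).TrimStart('"')
        $inAppData = $value.StartsWith($appData, 'OrdinalIgnoreCase') -or
                     $value.StartsWith($legacy,  'OrdinalIgnoreCase')
        if ($inAppData -and $value -match '\.exe') {
            $findings += [pscustomobject]@{
                Trace   = 'HKCU Run value launching an .exe from Application Data'
                Name    = $prop.Name
                Command = $value
            }
        }
    }
    return $findings
}

function Get-RemovableAutorun {
    # DriveType 2 = removable media (USB sticks, card readers)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # Show which file the autorun.inf would launch so the analyst can collect it
            $launch = (Get-Content -LiteralPath $inf |
                       Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
            [pscustomobject]@{ Trace = 'autorun.inf on removable drive'; Drive = $d.DeviceID; Launches = $launch }
        }
    }
}

$hits = @(Get-SuspiciousRunEntries) + @(Get-RemovableAutorun)
if ($hits.Count -gt 0) { $hits | Format-List }
else { 'No IRCBot-style Run entry or removable-drive autorun.inf found.' }
```

Because the worm hides its files and registry entries with rootkit techniques on a live system, a clean result here is not proof of absence; run the check from Safe Mode or against the drive mounted on a clean machine.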

How to Remove W32.IRCBot.NG

Restore Windows Components

During an infection, W32.IRCBot.NG drops various files and deliberately hides system files by changing options in the registry. Given these changes, the simplest way to return Windows to a previous working state is System Restore. If an earlier restore point was saved, you may proceed with Windows System Restore.

Manual Removal Procedure

1. If an anti-virus program is present, update its definition file. Each anti-virus program has its own way of updating the database; please refer to your software manufacturer's manual.

2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the computer, press F8 on your keyboard.
- The Boot Options menu is displayed; select Safe Mode.

3. Run a full system scan and clean/delete all infected files related to W32.IRCBot.NG.

4. Delete or modify any values added by W32.IRCBot.NG to the registry, if present. Please see the registry entry listed under Characteristics above.
- To edit the registry, click Start > Run and type regedit.exe in the field.
- Alternatively, press Windows Key + R on your keyboard to open the Run dialog.

5. Exit the Registry Editor when done. You may now restart the computer.

Removal Tool

A free removal tool from Norton Antivirus was developed to remove viruses and unfamiliar threats without relying on traditional AV signatures. Download the tool from this location and start scanning the computer for viruses and Trojans.

What to do next...