Virus Encyclopedia

IRC-Worm.DOS.Claw.2513

Alert Level : Medium
Discovered: Feb 13 2002
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

This is a very dangerous memory-resident, encrypted, parasitic virus. It hooks INT 21h and appends itself to COM and EXE files when they are accessed. It then looks for COM and EXE files in the current directory and infects them. The virus also creates a hidden file in the root directory of the C: drive, writes a copy of itself there, and adds an instruction to AUTOEXEC.BAT to execute this file. The virus then infects WIN.COM and COMMAND.COM in the Windows directory.

To infect mIRC and spread via IRC channels, the virus creates two files in the C:\MIRC directory: the virus script file MIRC_SYS.INI and the DOS COM virus dropper CYBER.COM. It then patches the MIRC.INI file with an instruction to load the infected MIRC_SYS.INI file when the IRC client starts. The virus script switches off mIRC security (warning messages) and sends the virus dropper into the IRC channel at the moment a user disconnects from the channel.
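The mIRC artifacts described above can be checked for on a mounted disk or image. The following is an added example, not part of the original entry or of any vendor tool: the function names and the sample directory are constructed, and the exact form of the line the virus adds to MIRC.INI is an assumption, so the check only looks for any active line that names MIRC_SYS.INI.

```python
import os
import tempfile

# File names taken from the description above; matched case-insensitively
# because DOS/Windows file systems do not keep a canonical case.
DROPPED_FILES = {"mirc_sys.ini", "cyber.com"}


def check_mirc_dir(mirc_dir):
    """Return a list of (indicator, detail) findings for one mIRC directory."""
    findings = []
    by_lower = {name.lower(): name for name in os.listdir(mirc_dir)}
    for wanted in sorted(DROPPED_FILES):
        if wanted in by_lower:
            findings.append(("dropped-file", by_lower[wanted]))
    ini_name = by_lower.get("mirc.ini")
    if ini_name:
        path = os.path.join(mirc_dir, ini_name)
        # latin-1 never fails to decode, which suits old DOS-era text files.
        with open(path, encoding="latin-1") as fh:
            for lineno, line in enumerate(fh, 1):
                stripped = line.strip()
                if stripped.startswith(";"):
                    continue  # INI comment, not an active setting
                if "mirc_sys.ini" in stripped.lower():
                    findings.append(("mirc.ini-reference", f"line {lineno}: {stripped}"))
    return findings


def build_sample_dir(infected):
    """Create a constructed sample mIRC directory holding inert placeholder files."""
    d = tempfile.mkdtemp()
    # Assumption: the script-load line lives under [rfiles]; the entry does not say.
    ini = ["[options]", "n0=0,0,0", "[rfiles]", "n0=remote.ini"]
    if infected:
        ini.append("n1=MIRC_SYS.INI")
        for name in ("MIRC_SYS.INI", "CYBER.COM"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("constructed placeholder\n")
    with open(os.path.join(d, "MIRC.INI"), "w") as fh:
        fh.write("\n".join(ini) + "\n")
    return d


if __name__ == "__main__":
    for finding in check_mirc_dir(build_sample_dir(infected=True)):
        print(finding)
```

A hit on either file name or on the MIRC.INI reference is a reason to scan the system with an anti-virus product, since the entry states that COM and EXE files, WIN.COM, COMMAND.COM and AUTOEXEC.BAT are also modified.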

On September 1st, depending on a random value, the virus erases the FLASH BIOS. To do this, the virus calls extended BIOS functions.

When the virus dropper starts, it displays the text:

Clawfinger

The virus also contains encrypted strings:

Do you know how it feels to be down in the dirt with a bullet
in yer breast and blood on yer shirt Lying in a bloodpool down
in a pit covered with the corpse and the blood and the shit
How does it feel to have a gun at yer head when ya know that
you'd be much better off dead Freedom has a price and that price
is blood so chase the motherfucker right down in da mud
[ WARFAIR - CLAWFINGER ]
