Backdoor.IRCBot.ST
| Alert Level : | high |
| Discovered: | 2006Aug15 |
| Tag: | computer virus |
| Discoverer and Source: | http://www.bitdefender.com/ |
Malware Behavior and Technical Description
1. Presence of the file wgareg.exe in %SYSTEMDIR% (the Windows system directory)
2. Presence of the following registry key:
HKLM\System\CurrentControlSet\Services\wgareg
3. Presence of a service with the following properties:
Name: wgareg
Display Name: Windows Genuine Advantage Registration Service
Description: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability"
Windows restarts this service if its process is killed, so the service must be stopped and its registration removed before the process is terminated (see the removal steps below).
4. Windows Security Center Firewall and anti-virus monitors are disabled.
5. Active TCP connection to bniu.househot.com or ypgw.wallloan.com on port 18067 (the bot's IRC command-and-control channel)
6. An empty (0-byte) file named dcpromo.log in %WINDIR%\Debug\. The file itself is harmless.
7. A mutex is created with name "wgareg".
8. AIM (AOL Instant Messenger) may be forced to close.
9. Possibly increased Internet traffic.
The executable is packed and encrypted to hinder static analysis and signature-based detection.
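The indicators above can be checked from the host in one pass. The following PowerShell script is an added example, not part of the original advisory: it is read-only, reports every indicator from items 1 to 7 that it finds, and skips items 8 and 9, which cannot be judged from a single snapshot. Assumptions that are mine rather than the page's: %SYSTEMDIR% is the Windows system directory (System32), and the Security Center check reads the Windows XP era "FirewallDisableNotify" and "AntiVirusDisableNotify" override values, which later Windows versions may not carry.

```powershell
# Added example (not from the original advisory): read-only check for the
# Backdoor.IRCBot.ST host indicators. Run from an elevated PowerShell prompt.
function Test-IrcBotST {
    $findings  = New-Object System.Collections.Generic.List[string]
    $systemDir = [Environment]::SystemDirectory   # %SYSTEMDIR% (assumed: System32)
    $winDir    = $env:SystemRoot                   # %WINDIR%

    # 1. Dropped binary in the system directory
    $exe = Join-Path $systemDir 'wgareg.exe'
    if (Test-Path -LiteralPath $exe) {
        $sha = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings.Add("file: $exe (SHA256 $sha)")
    }

    # 2. Service registry key (persists across reboots even if the process is not running)
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wgareg'
    if (Test-Path -LiteralPath $svcKey) {
        $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
        $findings.Add("registry: $svcKey ImagePath=$image")
    }

    # 3. Service masquerading as "Windows Genuine Advantage Registration Service"
    $svc = Get-CimInstance Win32_Service -Filter "Name='wgareg'"
    if ($svc) {
        $findings.Add("service: $($svc.Name) '$($svc.DisplayName)' state=$($svc.State) pid=$($svc.ProcessId)")
    }

    # 4. Security Center firewall / anti-virus monitoring switched off
    #    (assumption: XP-era *DisableNotify override values)
    $sc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($v in 'FirewallDisableNotify', 'AntiVirusDisableNotify') {
        if ($sc -and $sc.$v -eq 1) { $findings.Add("security center: $v=1") }
    }

    # 5. Connection to the C2 port. The page names bniu.househot.com and
    #    ypgw.wallloan.com; the remote address is reported so it can be compared.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -RemotePort 18067 -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("network: $($_.State) to $($_.RemoteAddress):18067 pid=$($_.OwningProcess)")
        }
    } else {
        netstat -ano | Select-String ':18067\s' | ForEach-Object { $findings.Add("network: $($_.Line.Trim())") }
    }

    # 6. Zero-byte dcpromo.log. Weak on its own: dcpromo.log is also the
    #    legitimate Active Directory promotion log.
    $log = Join-Path $winDir 'Debug\dcpromo.log'
    if ((Test-Path -LiteralPath $log) -and (Get-Item -LiteralPath $log).Length -eq 0) {
        $findings.Add("marker: empty $log")
    }

    # 7. The "wgareg" mutex. OpenExisting throws when the object is absent; an
    #    access-denied error means it exists but belongs to another principal.
    foreach ($name in 'wgareg', 'Global\wgareg') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings.Add("mutex: $name")
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("mutex: $name (exists, access denied)")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present
        }
    }

    return $findings
}

$hits = Test-IrcBotST
if ($hits.Count -eq 0) { 'No Backdoor.IRCBot.ST indicators found.' }
else { 'Indicators found:'; $hits | ForEach-Object { "  - $_" } }
```

A single hit on item 6 or on port 18067 alone is not conclusive; the file, service and mutex together are what identify this bot.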
Removal instructions for Backdoor.IRCBot.ST:
1. Stop the wgareg service.
2. Remove the registry key HKLM\System\CurrentControlSet\Services\wgareg.
3. Kill the wgareg.exe process.
4. Delete wgareg.exe from %SYSTEMDIR% (the location given in item 1 above).
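The four steps above as a script, in the order that defeats the automatic service restart noted under item 3. This PowerShell script is an added example and not part of the original advisory. Assumption (mine, not the page's): the binary sits in the system directory named in item 1, i.e. %SYSTEMDIR%\wgareg.exe. Save it as Remove-Wgareg.ps1 and run it from an elevated prompt; the -WhatIf switch lists the actions without performing them.

```powershell
# Added example (not from the original advisory): scripted removal of
# Backdoor.IRCBot.ST. Run elevated; supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess=$true)]
param()

$svcName = 'wgareg'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$exe     = Join-Path ([Environment]::SystemDirectory) "$svcName.exe"   # assumed %SYSTEMDIR%

# 1. Stop the service, first marking it disabled so the SCM will not bring it back
if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
    if ($PSCmdlet.ShouldProcess($svcName, 'Disable and stop service')) {
        & sc.exe config $svcName start= disabled | Out-Null   # sc.exe requires the space after '='
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    }
}

# 2. Remove the service registration so nothing can restart the process
if (Test-Path -LiteralPath $svcKey) {
    if ($PSCmdlet.ShouldProcess($svcKey, 'Delete service key')) {
        & sc.exe delete $svcName | Out-Null                   # marks the service for deletion
        if (Test-Path -LiteralPath $svcKey) {
            Remove-Item -LiteralPath $svcKey -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# 3. Kill the process, matched by image path as well as by name
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $svcName -or $_.Path -eq $exe } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("pid $($_.Id) ($($_.Name))", 'Terminate process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 4. Delete the binary; retry briefly in case the process handle is still closing
if (Test-Path -LiteralPath $exe) {
    if ($PSCmdlet.ShouldProcess($exe, 'Delete file')) {
        for ($i = 0; $i -lt 5 -and (Test-Path -LiteralPath $exe); $i++) {
            Remove-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $exe) { Start-Sleep -Seconds 1 }
        }
    }
}

# Verify that all four artefacts are gone
foreach ($check in @(
    @{ What = 'service'; Present = [bool](Get-Service -Name $svcName -ErrorAction SilentlyContinue) },
    @{ What = 'reg key'; Present = (Test-Path -LiteralPath $svcKey) },
    @{ What = 'process'; Present = [bool](Get-Process -Name $svcName -ErrorAction SilentlyContinue) },
    @{ What = 'file';    Present = (Test-Path -LiteralPath $exe) }
)) {
    '{0,-8}: {1}' -f $check.What, $(if ($check.Present) { 'STILL PRESENT' } else { 'removed' })
}
```

After removal, re-enable the Security Center firewall and anti-virus monitoring that the bot switched off (item 4), and treat any credentials used on the host while the backdoor was active as exposed, since the bot gave a remote operator control of the machine.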

