W32.IRCbot is spreading...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lufxx, Dec 19, 2007.

  1. Lufxx

    Lufxx Private E-2

    Heya,

    Our company has the W32.IRCbot virus. It's jumping from computer to computer.

    Starts out by crashing your machine (buffer overflow I'd imagine), when you reboot Symantec alerts you of 'a.bat' being found. Also it alerts W32.IRCbot associated with "Devsvc.exe".

    I've removed the files, quarantined/deleted, removed registry keys, etc.

    Getting rid of it doesn't seem like too big of a problem, it's keeping it from infecting other computers, seems like we're chasing our tail with this.

    If anyone has any ideas, please let me know.

    thanks,
    ~Luf.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure what it is that you wish us to help you with. Do you need help in removing the infection? If so, run the sticky guide: READ & RUN ME FIRST. Malware Removal Guide . You will have to do it on each PC.

    If you know how to remove the existing infection (which Symantec should be able to do since they advertise knowing of the problem) and just want to know how to stop it from infecting the other PCs, the answer is rather simple. All PCs have to be disconnected from the network while you clean them. And once clean, you can slowly add them back to the network.

    However, did you read the below warning from Symantec which is for the B version of this infection (I don't know if you have the B version):
    This quote comes from here: http://www.symantec.com/security_response/writeup.jsp?docid=2003-100713-2421-99&tabid=1


    Then there is also the below link if you only have the W32.IRCbot version:

    http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=2
     
  3. Lufxx

    Lufxx Private E-2

    Thanks for your response.

    I figured it would come down to disconnecting & cleaning, just wanted to see if there was an easier way. (since this has spread to all of our divisions and we have centralized IT).

    My only concern is... how is it spreading? The documentation that I have read on this specific virus states that it writes via buffer overflow using an exploit in MS security. But that was fixed back in 2005, with the Remote Code Execution patch. So it's kind of strange that it is infecting computers with that patch.

    thanks,
    ~Luf.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not as far as I know. Read the links I gave to you at Norton. There is no mention of buffer overflow. IRC is mentioned and so are false emails about Norton updates. That is unless you meant to say your problem was with W32/IRCbot.worm!MS05-039

    In addition the file you mentioned in message # 1 may not be associated with this Trojan. Devsvc.exe is normally from this: http://www.liutilities.com/products/wintaskspro/processlibrary/devsvc/
     
  5. Lufxx

    Lufxx Private E-2

    I've seen several places that have stated the whole InterVideo = devsvc, but it is somehow linked to this virus being found. It's 100% consistent that if Symantec finds this virus, it associates it with that file. And if you remove the keys from Run/Run Services in the registry, it will throw it back in there. The devsvc.exe has been found in multiple places, including: C:\, C:\Program Files\Symantec AntiVirus, C:\Windows, C:\Windows\System32. A normal valid process associated with InterVideo wouldn't have this elusive nature.

    Also, I have seen the buffer overflow message before the computer reboots and Symantec recognizes the virus.

    Symantec calls it "W32.IRCbot", is it possible that it is a variant and Symantec doesn't know the name? btw, we are running 10.1.0.394

    thanks,
    ~Luf.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is any InterVideo software installed on these PCs? The valid DevSvc.exe file would normally be located here: C:\Program Files\Common Files\InterVideo\ and not in system32.

    Yes, but that does not mean you have the problem related to the patches that were installed via Windows Update for MS05-039.


    Anything is possible. You should actually ask Symantec why they are not fixing what they are supposedly finding.


    I would like to see the log produced by running the below on one of the infected (uncleaned) PCs:

    Using MGtools

    This scan runs relatively fast (no more than a minute unless the PC is a really slow PC).
    After you run the scan, attach the requested C:\MGlogs.zip file.
     
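A defender-side check that pulls together what the thread reports (an added example, not code from the thread, from MajorGeeks or from Symantec): it lists copies of devsvc.exe in the locations Lufxx named, flags any outside the InterVideo directory chaslang gave as the legitimate one, records each copy's hash and signature status, and shows Run/RunServices autostart values that reference devsvc. The directory and key lists are assumptions taken from the posts; everything else is read from the machine it runs on.

```powershell
# Added example (not from this thread): inventory devsvc.exe copies and the
# Run / RunServices autostart entries that point at them on a suspect PC.
# Run from an elevated PowerShell prompt on an infected, still-uncleaned machine.

$ExpectedDir = 'C:\Program Files\Common Files\InterVideo'   # legitimate location per the thread
$SuspectDirs = @('C:\', 'C:\Program Files\Symantec AntiVirus', 'C:\Windows', 'C:\Windows\System32')

$findings = @()

# 1. Look for devsvc.exe in every reported location plus the expected one.
foreach ($dir in ($SuspectDirs + $ExpectedDir)) {
    $path = Join-Path $dir 'devsvc.exe'
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Item      = $path
            Status    = if ($dir -eq $ExpectedDir) { 'expected location' } else { 'UNEXPECTED location' }
            Signature = $sig.Status
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Detail    = "modified $($file.LastWriteTime)"
        }
    }
}

# 2. Check the autostart keys the thread mentions (Run / RunServices, HKLM and HKCU)
#    for any value whose data references devsvc.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if ("$($p.Value)" -match 'devsvc') {
            $findings += [pscustomobject]@{
                Item      = "$key\$($p.Name)"
                Status    = 'autostart entry references devsvc'
                Signature = ''
                SHA256    = ''
                Detail    = "$($p.Value)"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Any copy flagged as an unexpected location, or any autostart value pointing at one, is worth comparing (by SHA256) against the copy in the InterVideo directory before the machine is cleaned and reconnected.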
