Name: WebCam Worm
Type: Worm
Also Known As: Email-Worm.Win32.Botter.a, W32/Dref-E (Sophos), WORM_DREFIR.D (TrendMicro)
Danger Level: 6
Category Description:
Virus-like program that spreads automatically to other computers by sending itself out by email or by any other means. A program that propagates itself by attacking other machines and copying itself to the affected machine.
Worms have self-replicating code that travels from machine to machine by various means. A worm's first objective is merely propagation. Worms can be destructive depending on what payload they have been given. Worms may replace files, but do not insert themselves into files.
Comment:
WebCam Worm is an IRC backdoor that gives its author control of an infected computer through Internet Relay Chat (IRC).
One of the malicious .exe files acts as a server that exchanges commands. It creates a folder named 'Programs' (path C:\WINDOWS\system32\Programs), which contains 46 variants of the same malicious file, but with different names.
This worm propagates via Internet Relay Chat (IRC). It connects to the following IRC servers:
* eu.undernet.org
* irc.dal.net
* irc.efnet.net
* irc.fr.ircnet.net
* irc.ircnet.ee
* irc.quakenet.org
* irc.rizon.net
* irc.us.ircnet.net
* random.ircd.de
* us.undernet.org
It then joins a chatroom and initiates Direct Client-to-Client (DCC) sessions to send copies of itself, under the different file names it holds in the 'Programs' folder, to users in the same chatroom as the affected system.
This worm disables antivirus notifications, disables firewall notifications, overrides the firewall, disables update notifications, and disables the automatic startup of other software.
It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file.
Manual Removal:
A large number of hijacked domains are placed in the hosts file. It's probably better to delete the file itself (and create a backup) than to fix each item.
The file location is C:\Windows\System32\drivers\etc\hosts
To correct the modified registry values:
1. Click Start, then click Run.
2. Type "regedit" and press Enter.
3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center".
4. Right-click "AntiVirusDisableNotify", click Modify, type "0" in the Value Data field in place of "1" and press Enter.
5. Right-click "FirewallDisableNotify", click Modify, type "0" in the Value Data field in place of "1" and press Enter.
6. Right-click "FirewallOverride", click Modify, type "0" in the Value Data field in place of "1" and press Enter.
7. Right-click "UpdatesDisableNotify", click Modify, type "0" in the Value Data field in place of "1" and press Enter.
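
The manual steps above as a PowerShell script, added here as an example (it is not part of the original entry or of any vendor tool). The registry key, value names and hosts path are the ones listed on this page; the `-Fix` switch and the variable names are this example's own. It only reports unless `-Fix` is given.

```powershell
# Added example: report, and with -Fix revert, the changes this page describes.
# Run from an elevated prompt; without -Fix nothing is modified.
param([switch]$Fix)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$scKey     = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scValues  = 'AntiVirusDisableNotify', 'FirewallDisableNotify',
             'FirewallOverride', 'UpdatesDisableNotify'

# 1. Hosts file: report every active mapping that is not a localhost entry.
$redirects = @()
if (Test-Path -LiteralPath $hostsPath) {
    foreach ($raw in Get-Content -LiteralPath $hostsPath) {
        $line = ($raw -replace '#.*$', '').Trim()   # strip comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'                # address, then one or more names
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($name -ne 'localhost') {
                $redirects += "hosts: $name -> $($fields[0])"
            }
        }
    }
}
$redirects
Write-Output ("{0} non-localhost hosts entries found" -f $redirects.Count)

if ($Fix -and $redirects.Count -gt 0) {
    # Keep a copy first, then delete the file as the page recommends.
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $hostsPath, (Get-Date)
    Copy-Item -LiteralPath $hostsPath -Destination $backup
    Remove-Item -LiteralPath $hostsPath
    Write-Output "hosts backed up to $backup and removed"
}

# 2. Security Center values: report each one and reset 1 to 0.
foreach ($name in $scValues) {
    $current = (Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue).$name
    Write-Output ("{0} = {1}" -f $name, $current)
    if ($Fix -and $current -eq 1) {
        Set-ItemProperty -Path $scKey -Name $name -Value 0
        Write-Output "  reset $name to 0"
    }
}
```

Review the reported hosts entries before running with `-Fix`, since legitimate custom mappings are listed alongside the hijacked ones.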