W32/IRCbot.gen.b makes svchost.exe crash on remote (uninfected) computers

Discussion in 'Virus Information' started by Amedee Van Gasse, Nov 3, 2009.

  1. Our company is being hammered by a virus called "W32/IRCbot.gen.b"
    (according to McAfee ePolicy Orchestrator). About 65 PCs on our site
    were infected (mostly computers without antivirus), and they attacked
    the > 4000 other computers on our site.
    The virus activity is easy to detect because the virus scans series of
    IP addresses on port 445.
    We were able to identify and isolate the infected boxes, and 90% are
    cleaned, reinstalled or removed from the network. It took a team of 5
    people more than a week.

    There is a secondary problem: computers that are not infected are
    attacked. Not only by our own infected machines, but also over the WAN
    from other sites of the company (>32000 computers managed by McAfee
    ePO in our part of the organisation, and an unknown number that are
    unmanaged/unprotected). That's probably how we got the virus in the
    first place. And we can't shut down the WAN.

    Some (but not all) attacked computers give errors about a crash of the
    svchost.exe process. Almost all our computers are WinXPsp2. Not all of
    them are up-to-date with all security updates because they didn't get
    approved because of business reasons.

    How can I find out the exact KB number that has to be installed to
    solve the crashes of svchost.exe?

    Halp!
     
    Amedee Van Gasse, Nov 3, 2009
    #1

  2. From: "Amedee Van Gasse" <>

    | Our company is being hammered by a virus called "W32/IRCbot.gen.b"
    | (according to McAfee ePolicy Orchestrator). About 65 PCs on our site
    | were infected (mostly computers without antivirus), and they attacked
    | the > 4000 other computers on our site.
    | The virus activity is easy to detect because the virus scans series of
    | IP addresses on port 445.
    | We were able to identify and isolate the infected boxes, and 90% are
    | cleaned, reinstalled or removed from the network. It took a team of 5
    | people more than a week.

    | There is a secondary problem: computers that are not infected are
    | attacked. Not only by our own infected machines, but also over the WAN
    | from other sites of the company (>32000 computers managed by McAfee
    | ePO in our part of the organisation, and an unknown number that are
    | unmanaged/unprotected). That's probably how we got the virus in the
    | first place. And we can't shut down the WAN.

    | Some (but not all) attacked computers give errors about a crash of the
    | svchost.exe process. Almost all our computers are WinXPsp2. Not all of
    | them are up-to-date with all security updates because they didn't get
    | approved because of business reasons.

    | How can I find out the exact KB number that has to be installed to
    | solve the crashes of svchost.exe?

    | Halp!

    | --
    | Amedee Van Gasse

    Have you put a packet sniffer on the network and examined the TCP port 445 traffic?
    If you do, you may find that you can filter the traffic and thus block the bot at the WAN
    interface.



    Please submit a sample to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, Virus
    Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:?subject=SCAN


    As well as upload a sample to: http://www.uploadmalware.com/

    When you get the report, please post back the exact results.
     
    David H. Lipman, Nov 3, 2009
    #2
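An added example, not code from the thread: the detection the original post describes (one host walking a series of addresses on port 445) and the sniffer-and-filter idea in the reply above, expressed as a small sweep detector. It runs over constructed flow records in an assumed "timestamp src dst dport" format, flagging sources that reach many distinct destinations on TCP/445 inside a sliding window while ignoring a workstation that repeatedly talks to one file server.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (assumed "timestamp src dst dport" format);
# none of these addresses come from the thread.
SAMPLE_LINES = (
    # an infected host sweeping 30 consecutive addresses on TCP/445
    [f"2009-11-03T09:00:{i:02d} 10.1.2.50 10.1.3.{i} 445" for i in range(1, 31)]
    # a clean workstation reconnecting to a single file server on 445
    + [f"2009-11-03T09:00:{i:02d} 10.1.2.7 10.1.0.10 445" for i in range(0, 40)]
    # a host browsing many web servers on port 80 (not SMB, so not of interest)
    + [f"2009-11-03T09:01:{i:02d} 10.1.2.8 198.51.100.{i} 80" for i in range(0, 25)]
)


def parse_line(line):
    """Split one record into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_445_sweepers(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: distinct_dst_count} for every source that contacts at least
    `threshold` distinct destinations on TCP/445 within some `window`-long
    interval. Repeated connections to the same destination count once, so a
    chatty but legitimate SMB client is not flagged."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in find_445_sweepers(SAMPLE_LINES).items():
        print(f"{src}: {count} distinct hosts on tcp/445 within 60s")
```

Feeding the same function real firewall or NetFlow exports (after adapting `parse_line`) gives the list of sources worth isolating or blocking at the WAN edge.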

  3. Agreed, but that's not my job, that is something for the network group
    and afaik they are already implementing this.
    I've seen them working with Wireshark.
    But again, not my responsibility. I only have to fix the svchost.exe
    crashes.
     
    Amedee Van Gasse, Nov 3, 2009
    #3
  4. That is a two-year-old backdoor trojan.

    Most likely your machines are infected with many other types of malware
    as a result.
    You will have to coordinate with other administrators at your other
    divisions / locations.

    Why don't you perform a full Windows Update on your systems?

    I can understand two possible reasons why you did not:

    1) you want to keep your XP machines at SP2, not SP3

    2) you know that some of your machines will fail the WGA check.

    If the issue is (1), you shouldn't worry. You can update SP2 machines
    fully and keep them SP2.

    If the issue is (2), then it is possible to download all updates and NOT
    the WGA check, but it is time consuming.

    Why wasn't the XP firewall enabled on your machines?

    It looks like you're trying to download the fix only for the port 445
    vulnerability.

    Have a look here:

    http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx

    and here:

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    The only real solution is to rebuild your systems. Many of them are
    probably infected with other malware that is not being detected.

    Such are the joys of the NT-family of Windows operating systems. If you
    were using Windows 98 on your desktop systems, this wouldn't have
    happened. NT on the desktop is the biggest farce to ever happen to the
    computing world. It's the emperor with no clothes.

    And by the way, you should post your question from home or a wifi
    hotspot if you don't want your company to be identified.
     
    Virus Guy, Nov 3, 2009
    #4
  5. Not likely. McAfee & MS malicious software removal tool didn't find
    anything else.
    Also the "normal" background activity is about 100 alerts per day for
    the entire organisation (>32000 machines). Most of the time it's
    users that try to copy cracks or keygens, and they get deleted.
    (3) Business reasons.
    IT is not allowed to manage some computers. I really, *really* don't
    want to take the blame when several tons of molten steel end up in the
    wrong place because of a sudden Windows update.
    Same reason as above: IT doesn't manage some computers.
    Thank you!
    Over 4000 systems at our site alone? Joy...
    I'm a Linux man myself...
    193.121.x.x? Meh... I'm just an external consultant. Expendable.
     
    Amedee Van Gasse, Nov 3, 2009
    #5
  6. From: "Amedee Van Gasse" <>


    | Agreed, but that's not my job, that is something for the network group
    | and afaik they are already implementing this.
    | I've seen them working with Wireshark.
    | But again, not my responsibility. I only have to fix the svchost.exe
    | crashes.

    | --
    | Amedee Van Gasse

    And thus I can't help you :-(
     
    David H. Lipman, Nov 3, 2009
    #6
  7. From: "Virus Guy" <>


    | That is a two-year-old backdoor trojan.

    Not necessarily, as it is a generic IRCBot detection. Thus it can be new but placed under
    a generic detection name.
     
    David H. Lipman, Nov 3, 2009
    #7

  8. Correct. Symantec told us that so many variants of Fake AV are created every
    week that it is a challenge for any AV MFR to keep up. Many new variants are
    being flagged simply as Fake AV alert. But now I see there is a generation
    associated with the alerts.
     
    The Central Scrutinizer, Nov 4, 2009
    #8
  9. So just exactly how is it that so many PCs on your site have no AV
    protection? I mean I almost find it offensive that your company is
    so irresponsible in its responsibility and you have the nerve to post
    here looking for help. I'm just saying...

    "This is the CENTRAL SCRUTINIZER...it is my responsibility to enforce
    all the laws that haven't been passed yet. It is also my responsibility to
    alert each and every one of you to the potential consequences of various
    ordinary everyday activities you might be performing which could eventually
    lead to *The Death Penalty* (or affect your parents' credit rating). Our
    criminal institutions are full of little creeps like you who do wrong
    things...and many of them were driven to these crimes by a horrible force
    called MUSIC!"
     
    The Central Scrutinizer, Nov 4, 2009
    #9
  10. The Central Scrutinizer top-posted:
    AV likely wouldn't have helped and really wasn't needed in this case.

    What was needed was a few strategic MS patches being applied in a timely
    manner (if not the constant application of windows update) and the
    windows firewall being turned on.

    The organization in question (a major European steel producer and
    exporter based in Belgium) has a misguided and outright bone-headed idea
    of how MS Windows security patches might affect their plant operations
    and systems. Now they will suffer the costs and hit to productivity
    because of their idiocy as they hire outside consultants. Their
    stupidity continues as they allow the consultants to only partially
    repair the damage.
     
    Virus Guy, Nov 4, 2009
    #10
  11. From: "The Central Scrutinizer" <>



    | Correct. Symantec told us that so many variants of Fake AV are created every
    | week,
    | that it is a challenge for any AV MFR to keep up. Many new variants are
    | being flagged
    | simply as Fake AV alert. But now I see there is a generation associated with
    | the alerts.

    Yes. Coming up with new names with variant numerations has become a problem. Thus many
    fall under family names or generic detection names.

    When I was examining Zlob trojans (the predecessors of FakeAlerts in the SmitFraud family) that
    came in so-called CODECS, I would see so many you can't create a different variant name
    for them.

    It used to be that you would have a naming convention such as: type/family.class.variant
    In this case W32/IRCBot.gen.b
    So it is a Win32 type, of the family IRCBot, of the GENERIC class, of variant B

    Variants would go: .a ~ .z
    then, .aa ~ .az --> .ba ~ .bz, yada, yada..

    With the same source being recompiled, re-packaged, etc. there are just too many variations,
    so they're just classed into families.
    Take a C compiled EXE. Now pack it using UPX, or Yoda, or PECompact... Then you may
    make it using a cryptor.

    It's mind boggling.
     
    David H. Lipman, Nov 4, 2009
    #11
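An added example, not code from the thread, of the naming convention David Lipman lays out above: a parser that splits a `type/family[.class].variant` detection name such as `W32/IRCBot.gen.b` into its parts (the class component is treated as optional, an assumption, since many names are just family.variant), plus the arithmetic behind the `.a ~ .z, .aa ~ .az, .ba ~ .bz` variant sequence in both directions.

```python
import re

# type/family[.class].variant, e.g. "W32/IRCBot.gen.b" or "W32/IRCBot.b"
NAME_RE = re.compile(
    r"^(?P<type>[^/]+)/(?P<family>[^.]+)(?:\.(?P<cls>[^.]+))?\.(?P<variant>[a-z]+)$"
)


def parse_detection_name(name):
    """Split a detection name into type, family, class (None if absent) and variant."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a type/family[.class].variant name: {name!r}")
    return m.groupdict()


def variant_index(suffix):
    """1-based position of a variant suffix in the sequence a..z, aa..az, ba..bz, ...
    This is bijective base 26: there is no zero digit, so 'z' is 26 and 'aa' is 27."""
    n = 0
    for ch in suffix:
        if not "a" <= ch <= "z":
            raise ValueError(f"bad variant letter {ch!r} in {suffix!r}")
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n


def variant_suffix(index):
    """Inverse of variant_index: 1 -> 'a', 26 -> 'z', 27 -> 'aa', 53 -> 'ba'."""
    if index < 1:
        raise ValueError("variant indices start at 1")
    letters = []
    while index:
        index, rem = divmod(index - 1, 26)
        letters.append(chr(ord("a") + rem))
    return "".join(reversed(letters))


def next_variant(name):
    """Return the name the next variant in the family would get, e.g. ...gen.b -> ...gen.c."""
    parts = parse_detection_name(name)
    cls = f".{parts['cls']}" if parts["cls"] else ""
    nxt = variant_suffix(variant_index(parts["variant"]) + 1)
    return f"{parts['type']}/{parts['family']}{cls}.{nxt}"


if __name__ == "__main__":
    print(parse_detection_name("W32/IRCBot.gen.b"))
    print(next_variant("W32/IRCBot.gen.z"))  # rolls over from .z to .aa
```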
  12. From: "Virus Guy" <>

    | The Central Scrutinizer top-posted:

    | AV likely wouldn't have helped and really wasn't needed in this case.

    | What was needed was a few strategic MS patches being applied in a timely
    | manner (if not the constant application of windows update) and the
    | windows firewall being turned on.

    | The organization in question (a major European steel producer and
    | exporter based in Belgium) has a misguided and outright bone-headed idea
    | of how MS Windows security patches might affect their plant operations
    | and systems. Now they will suffer the costs and hit to productivity
    | because of their idiocy as they hire outside consultants. Their
    | stupidity continues as they allow the consultants to only partially
    | repair the damage.

    Yes, and better border-gateway protection!
     
    David H. Lipman, Nov 4, 2009
    #12