Email-Worm.Win32.Kromber

Class Email-Worm
Platform Win32
Description

Technical Details

This worm Trojan spreads via IRC channels, and is 3584 bytes in size.

Propagation

When launching, the worm checks for an active IRC client on the victim machine. If it finds this, the worm will send a link to a remote site to all accessible IRC channels by using the /amsg command:

 http://www.kromberg.at/[censored]/show.php?f=drunkchicks.jpg LOL

It also attempts to install this link as the name of a channel and comments to it.

If another user clicks on this link, the remote site will be contacted. This site contains a malcious VBS script (which will be detected by Kaspersky Anti-Virus as TrojanDropper.VBS.Inor.h). This will install and launch the worm’s executable file, named browsercheck.exe on the victim machine.