IRC-Worm.DOS.Kazimas

Class IRC-Worm
Platform DOS
Description

Technical Details

This is an IRC virus-worm that spreads via mIRC channels. It arrives as
MILBUG_A.EXE, a DOS EXE file about 10 KB in length. When it is executed,
it copies itself to several directories on the disk under different names:


C:\WINDOWS\KAZIMAS.EXE
C:\WINDOWS\SYSTEM\PSYS.EXE
C:\ICQ\PATCH.EXE
C:\MIRC\NUKER.EXE
C:\MIRC\DOWNLOAD\MIRC60.EXE
C:\MIRC\LOGS\LOGGING.EXE
C:\MIRC\SOUNDS\PLAYER.EXE
C:\GAMES\SPIDER.EXE
C:\WINDOWS\FREEMEM.EXE

The worm then infects the mIRC client installed in the C:\MIRC directory:
it creates a new script file, SCRPT.INI, and overwrites the MIRC.INI
configuration file. If the mIRC client is installed in any other path, the
worm fails to infect it.

The overwritten MIRC.INI file, which configures the mIRC client, sets
several options: for instance, the user’s identity is set to “kazimas”, and
the additional script file SCRPT.INI is added to the auto-run scripts.

The SCRPT.INI file dropped by the worm contains several instructions that
switch the user to the “Chat2K” channel, send messages there and, most
importantly, send a copy of the worm (the C:\WINDOWS\KAZIMAS.EXE file) to
the channel.

The worm also overwrites the C:\AUTOEXEC.BAT file with instructions that
restore the worm’s copies (if they have been erased) and run the worm:


@copy c:\windows\system\psys.exe c:\windows\kazimas.exe >nul
@copy c:\windows\kazimas.exe c:\kazimas.exe >nul
@c:\kazimas.exe >nul
@cls
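
The artifacts described above (dropped files, the SCRPT.INI reference and identity in MIRC.INI, and the AUTOEXEC.BAT lines) can be checked on a mounted copy of a suspect drive C:. The following Python code is an added example, not part of the original description; the function names and finding labels are assumptions made for illustration.

```python
import os, re

# Indicator paths from the description, relative to the root of drive C:.
# KAZIMAS.EXE in the root is the copy made by the AUTOEXEC.BAT lines.
DROPPED = [
    "WINDOWS/KAZIMAS.EXE", "WINDOWS/SYSTEM/PSYS.EXE", "ICQ/PATCH.EXE",
    "MIRC/NUKER.EXE", "MIRC/DOWNLOAD/MIRC60.EXE", "MIRC/LOGS/LOGGING.EXE",
    "MIRC/SOUNDS/PLAYER.EXE", "GAMES/SPIDER.EXE", "WINDOWS/FREEMEM.EXE",
    "KAZIMAS.EXE", "MIRC/SCRPT.INI",
]
# AUTOEXEC.BAT lines that restore or launch a worm copy.
AUTOEXEC_RE = re.compile(
    r"^@?\s*(copy\s+)?c:\\(windows\\(system\\psys|kazimas)|kazimas)\.exe", re.I)

def resolve(root, rel):
    """Case-insensitive lookup of rel under root; FAT names have no fixed case."""
    cur = root
    for part in rel.split("/"):
        try:
            names = os.listdir(cur)
        except OSError:
            return None
        found = next((n for n in names if n.upper() == part.upper()), None)
        if found is None:
            return None
        cur = os.path.join(cur, found)
    return cur

def read_text(path):
    with open(path, encoding="latin-1") as fh:
        return fh.read()

def scan(root):
    """Return sorted findings for a copy of drive C: mounted at root."""
    hits = ["file:" + rel for rel in DROPPED if resolve(root, rel)]
    ini = resolve(root, "MIRC/MIRC.INI")
    if ini:
        text = read_text(ini).lower()
        hits += [f"mirc.ini:{kw}" for kw in ("scrpt.ini", "kazimas") if kw in text]
    bat = resolve(root, "AUTOEXEC.BAT")
    if bat:
        lines = [l for l in read_text(bat).splitlines() if AUTOEXEC_RE.match(l.strip())]
        if lines:
            hits.append(f"autoexec.bat:{len(lines)} worm line(s)")
    return sorted(hits)

if __name__ == "__main__":
    import sys
    print("\n".join(scan(sys.argv[1] if len(sys.argv) > 1 else ".")) or "no Kazimas artifacts found")
```

Because the worm overwrites MIRC.INI and AUTOEXEC.BAT rather than appending to them, any hit on those two files means the original contents are gone and have to be restored from backup.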
