Worm.Win32.IRCBOT.SDY

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

它植入AUTORUN.INF文件，当用户访问受感染系统的驱动器时，自动执行植入的副本。

它连接到IRC（Internet中继聊天）服务器。 However, as of this writing, the said sites are inaccessible.

它在受感染计算机上收集特定信息。

它连接到某个网站，发送和接收信息。

新病毒详细信息

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

安装

它使用不同的文件名在下列文件夹中植入自身的副本：

• If OS is Windows XP or older:
  • %ProgramFiles%\CommonFiles\AdobeARM.exe → File attribute is set to system, hidden, readonly
• If OS is Windows 7 or newer:
  • %Application Data%\AdobeARM.exe → File attribute is set to system, hidden, readonly
• {Removable or Remote Drive}\RECYCLER\{SID}\Autorunme.scr → File attribute is set to system, hidden, readonly

(注意: %Application Data% 是当前用户的 Application Data 文件夹，通常位于 C:\Windows\Profiles\{user name}\Application Data (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Application Data (Windows NT)、C:\Documents and Settings\{user name}\Local Settings\Application Data (Windows 2000(32-bit)、XP 和 Server 2003(32-bit)) 和 C:\Users\{user name}\AppData\Roaming (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit))。)

它植入下列文件：

• {Removable or Remote Drive}\RECYCLER\{SID}\Desktop.ini → File attribute is set to system, hidden, read only
• {Removable or Remote Drive}\autorun.inf → File attribute is set to system, hidden, read only

它添加下列进程：

• If OS is Windows XP or older:
  • %ProgramFiles%\CommonFiles\AdobeARM.exe {Malware PID} {Malware File Path}\{Malware File Name}
• If OS is Windows 7 or newer:
  • %Application Data%\AdobeARM.exe {Malware PID} {Malware File Path}\{Malware File Name}

(注意: %Application Data% 是当前用户的 Application Data 文件夹，通常位于 C:\Windows\Profiles\{user name}\Application Data (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Application Data (Windows NT)、C:\Documents and Settings\{user name}\Local Settings\Application Data (Windows 2000(32-bit)、XP 和 Server 2003(32-bit)) 和 C:\Users\{user name}\AppData\Roaming (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit))。)

它创建下列将属性设置为“系统”和“隐藏”的文件夹，以防止用户发现并移除其组件:

• {Removable or Remote Drive}\RECYCLER
• {Removable or Remote Drive}\RECYCLER\{SID}

它添加下列互斥条目，确保一次只会运行一个副本：

• routerpccw
• pccwstormlite
• pccwlite

自启动技术

它添加下列注册表项，在系统每次启动时自行执行：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows XP or older)
Adobe ARMS = %ProgramFiles%\CommonFiles\AdobeARM.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows 7 or newer)
Adobe ARMS = %Application Data%\AdobeARM.exe

其他系统修改

它修改下列文件：

• If OS is Windows XP or older:
  • %System%\drivers\tcpip.sys

(注意: %System% 是 Windows 的 system 文件夹，通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。)

它添加下列注册表项作为其安装例程的一部分:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows XP or older)
Patches = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List (If OS is Windows XP or older)
%Program Files%\Common Files\AdobeARM.exe = %Program Files%\Common Files\AdobeARM.exe:*:Enabled:Adobe ARMS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters (If OS is Windows XP or older)
TcpNumConnections = 0x00FFFFFE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Dnscache\Parameters (If OS is Windows XP or older)
MaxCacheTtl = 0x00000708

它修改下列注册表项：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoFolderOptions = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoFolderOptions = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
SuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

传播

它植入AUTORUN.INF文件，当用户访问受感染系统的驱动器时，自动执行植入的副本。

上述的 .INF 檔案含有下列字串：

[autorun]
{garbage code}
USEAUTOPLAY=1
open=RECYCLER\{SID}\autorunme.scr
{garbage code}
action=Open folder to view files
{garbage code}
shell\open=Open
shell\open\command=RECYCLER\{SID}\autorunme.scr
shell\open\default=1
{garbage code}

后门例程

它连接到下列任一IRC（Internet中继聊天）服务器：

• tcp://{BLOCKED}opto.org:7562

However, as of this writing, the said sites are inaccessible.

信息窃取

它在受感染计算机上收集以下信息：

• OS version
• Computer name
• Locale Info

其他详细信息

它连接到下列网站，发送和接收信息：

• tcp://{BLOCKED}.0:71

该程序执行以下操作：

• It terminates itself if the following checks if it is running in a sandbox or virtual environment is successful:
  • Loads sbiedll.dll.
  • Checks if username is CurrentUser.
  • Execute an instruction that will raise an exception in virtual machines.
• It terminates itself if it detects that it is being debugged.
• It injects code into explorer.exe that will start the malware if it is terminated.
• Based on code analysis, it has the capability to download files from its server and terminate processes.