This trojan was seeded in e-mail messages. The messages contained the 12800-byte trojan packed in a ZIP archive.
The subject of the messages was the following:
Campus Life
And the body:
Hello,
We are planning to include you in the new campus magazine in an article titled "Campus Life". Can you approve the photo and article for us before we go to printing please?
If any details are wrong then we can amend before printing on Wednesday the 1st of July so please get back to us as soon as possible. We have attached the photo and article here.
Many Thanks & Best Regards,
Joseph Hope
Editor
The trojan copies itself into the %System% folder and registers for startup using the key
"ProtocolModuleCmd"="svchon32.exe"
under the locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It attempts to terminate several security and antivirus products.
It connects to a list of IRC servers to receive commands from them. Using these commands, the attacker can download and execute further components.
The manual removal of the virus can be accomplished by deleting the created files and restoring the modified registry settings.
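The following PowerShell script is an added example, not part of the original description, that checks a Windows host for the two indicators listed above: the "ProtocolModuleCmd" value pointing at svchon32.exe under either Run key, and a svchon32.exe file in the %System% folder. By default it only reports; with the -Remove switch it stops the process, deletes the value and the file, which is the manual removal the description outlines. The switch name, the output object layout and the use of System32 as the %System% folder are the example's own assumptions.

```powershell
<#
  Added example (not from the original description). Reports the trojan's
  startup value and dropped file; with -Remove it also cleans them up.
  Run from an elevated prompt so the HKLM key and the %System% folder are writable.
#>
param([switch]$Remove)

$valueName = 'ProtocolModuleCmd'          # value name from the description
$fileName  = 'svchon32.exe'               # data of that value / dropped file
$runKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: %System% resolves to System32 on this host.
$dropPath = Join-Path $env:SystemRoot "System32\$fileName"

$findings = @()

# 1. Startup registrations under both Run keys.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item -and $item.$valueName -match [regex]::Escape($fileName)) {
        $findings += [pscustomobject]@{
            Type     = 'RegistryValue'
            Location = "$key\$valueName"
            Data     = $item.$valueName
        }
    }
}

# 2. The dropped copy in the system folder.
if (Test-Path -LiteralPath $dropPath) {
    $size = (Get-Item -LiteralPath $dropPath).Length
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $dropPath
        Data     = "$size bytes"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of this trojan found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    # The file cannot be deleted while the process holds it open, so stop it first.
    Stop-Process -Name ([IO.Path]::GetFileNameWithoutExtension($fileName)) -Force -ErrorAction SilentlyContinue

    foreach ($f in $findings) {
        if ($f.Type -eq 'RegistryValue') {
            $keyPath = $f.Location -replace "\\$([regex]::Escape($valueName))$", ''
            Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
            Write-Output "Removed value $($f.Location)"
        } else {
            Remove-Item -LiteralPath $f.Location -Force -ErrorAction Stop
            Write-Output "Deleted file $($f.Location)"
        }
    }
}
```

Run it without arguments first to confirm what is present, then with -Remove; a reboot afterwards is the easy way to verify the value has not been re-created by a still-running component.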