Weekly Virus Report – IRC.Sx2 Trojan, Graps and Ronoper.B Worms

This week’s report focuses on a Trojan called IRC.Sx2 and two worms, Graps and Ronoper.B.

IRC.Sx2 is a backdoor type Trojan that follows the transmission routine below:

– A file called ‘MSDOS.EXE’ reaches computers through any of the normal means used by viruses: IRC, CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.
– When the ‘MSDOS.EXE’ file is run, it connects to a web page and downloads a file called ‘SX.EXE’ and runs it. This file contains the Trojan’s code.

IRC.Sx2 allows the computer to be controlled remotely through a series of IRC files and scripts. There are different versions of this malicious code and some of them are programmed to carry out DoS attacks.

The second malicious code is Graps, a worm that spreads across networks. In order to do this, it tries to access the ADMIN$ share in the remote computer using a combination of commonly-used user names and passwords, such as, admin, 123, etc.

Graps allows a hacker to gain remote access to the infected computer, and carry out actions the could compromise the confidentiality of user data. Grasp allows the hacker to obtain information on RAM, download speed, disk usage, etc. and download or run files or IRC functions, etc.

Ronoper.B is a worm that spreads rapidly via e-mail, the P2P (peer-to-peer) file sharing program KaZaA and IRC chat channels. When it has infected a computer, Ronoper.B sends itself out to all the contacts in the Outlook Address Book. In addition, it ends active processes belonging to antivirus and firewall programs in the affected computer.