Viral Rewind Revisited: IRC-Worm.Win32.Fagot

352 views

MB Education

7 months ago

Visit my Linktree to access my socials and other channels: linktr.ee/mausolfb
-----------------------------------------------------------
Revisiting the Fagot mIRC worm, as the last video on this malware didn't get very far: • Viral Rewind: IRC-Worm... ... Fagot (yes, that is the name researchers gave it, taken from what the worm does to the user's username) does quite a bit of damage to a computer. It does not necessarily touch all files, but it deletes and replaces many key Windows programs with copies of itself and for the most part wrecks the Windows registry. I only had ~10 minutes of time left on my camera, so my XP version had to be rushed a bit...
It all starts when a mIRC user receives the following message in their mIRC client:
"www.angelfire.com/celeb2/picsx... <- uuh, check it out !! :D"
If the user clicked the link, it would download not a picture of Britney but an HTML file that opened in Internet Explorer and was embedded with download-and-run scripts. The page would download a file called "PATCH.EXE" and overwrite Windows Media Player with it. A following script would then run the executable.
At launch the worm first kills the following processes so their programs can be deleted and overwritten later:
Ad-watch.exe
regedit.exe
taskmgr.exe
It will then make two copies of itself in the system32 directory, with corresponding run keys in the Windows registry (to support both Windows NT and 9x versions):
C:\Windows\system32\userinit32.exe
C:\Windows\system32\dllhost32.exe
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "C:\Windows\system32\userinit32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "dllhost32" = "C:\Windows\system32\dllhost32.exe"
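A defender-side check for the two persistence indicators just listed, written as an added example for this post (not the author's or F-Secure's code): it parses a Winlogon Userinit value and a set of HKLM Run entries from a constructed registry snapshot and flags the two file names the worm drops. It assumes a clean Userinit value names only userinit.exe.

```python
import ntpath

# File names dropped by the worm, taken from the description above.
FAGOT_DROPPED = {"userinit32.exe", "dllhost32.exe"}
# Assumption: on a clean machine Userinit lists only userinit.exe.
LEGIT_USERINIT = {"userinit.exe"}


def _exe_name(command):
    """Return the lower-cased executable file name from a registry command string."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        program = command.split()[0] if command else ""
    return ntpath.basename(program).lower()


def check_userinit(value):
    """Flag a Winlogon Userinit value that points anywhere but userinit.exe."""
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        name = _exe_name(entry)
        if name in FAGOT_DROPPED:
            findings.append(f"Userinit hijacked by Fagot copy: {entry}")
        elif name not in LEGIT_USERINIT:
            findings.append(f"Unexpected Userinit entry: {entry}")
    return findings


def check_run_values(run_values):
    """Flag HKLM Run entries whose target is one of the worm's dropped file names."""
    return [f"Run value '{name}' launches Fagot copy: {cmd}"
            for name, cmd in run_values.items() if _exe_name(cmd) in FAGOT_DROPPED]


def scan(snapshot):
    """snapshot: {'userinit': str, 'run': {value_name: command}} -> list of findings."""
    return check_userinit(snapshot.get("userinit", "")) + check_run_values(snapshot.get("run", {}))


# Constructed sample snapshots (not captured from a real machine).
INFECTED = {"userinit": r"C:\Windows\system32\userinit32.exe",
            "run": {"dllhost32": r"C:\Windows\system32\dllhost32.exe"}}
CLEAN = {"userinit": r"C:\WINDOWS\system32\userinit.exe,",
         "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, scan(snap) or ["no Fagot indicators"])
```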
It then searches for and kills many different anti-virus/anti-malware processes if they're present.
At this point, with no protective programs left running to stop its infection and spread, it begins altering the system. It first changes the Internet Explorer start page to "www.blacksnake.com".
It will then alter the default Windows usernames to "COCK_SUCKING_FAGGOT" (which is where the name stems from).
Afterwards it deletes many key Windows programs (mostly from the system32 folder) if they are present, then places copies of itself at the original locations under the original names of most of the deleted programs. It then deletes several entire key branches of the Windows registry. Lastly, it displays a fake error message box when all of this is complete.
It will periodically send the aforementioned mIRC message from the infected machine to other mIRC users, spreading itself and starting the routine over on another machine.
If you want all the details of the files that are deleted and replaced, and of the registry branches that are deleted, visit F-Secure's page about it here: www.f-secure.com/v-descs/fago...
#malware #windows #worm #win9x #win32 #winnt #irc
----------------------
Like the Facebook page: / brian.mausolf
Follow me on Twitter: / mausolfb

Comments: 2
@OctoomyYTOfficial 6 months ago
interesting channel!
@thomasslone1964 6 months ago
I'm getting the idea most of these viruses were made by people who aren't very good at making decent software