Weird one, or maybe not. IrcFlood

Ka Khiong Kwok

This one seems fun to deal with.
A bud of mine caught this one on his computer.
At start up it opens up multiple instances of what looks like mIRC boxes
(about 120 each time) and sucks up resources enough to kill the mouse.

Running VET, it's found the virus in a couple of files, one of them starting
with dc421 or something like that. The thing that I've also noticed was that
there was also a file called x-x.exe and cryptus.* that seems to be
infected with something.

Problem is, I've already run the virus scanner a couple of times and the
bugger's still there.

I've checked the standard AV sites, checked for the standard registry
values and found nothing.

Mind you, I've probably missed something - had my girl on my mind (that's my
excuse and I'm sticking to it).

Anyway, any ideas?

I'm thinking there's more than one virus at work here.

Then again, there's so many variants of flood it makes things interesting if
you've only found out last minute.

Thanks.

Kind regards,

Ka Kwok
 
David H. Lipman

From: "Ka Khiong Kwok"

| This one seems fun to deal with.
| A bud of mine caught this one on his computer.
| At start up it opens up multiple instances of what looks like mIRC boxes
| (about 120 each time) and sucks up resources enough to kill the mouse.
|
| Running VET, it's found the virus in a couple of files, one of them starting
| with dc421 or something like that. The thing that I've also noticed was that
| there was also a file called x-x.exe and cryptus.* that seems to be
| infected with something.
|
| Problem is, I've already run the virus scanner a couple of times and the
| bugger's still there.
|
| I've checked the standard AV sites, checked for the standard registry
| values and found nothing.
|
| Mind you, I've probably missed something - had my girl on my mind (that's my
| excuse and I'm sticking to it).
|
| Anyway, any ideas?
|
| I'm thinking there's more than one virus at work here.
|
| Then again, there's so many variants of flood it makes things interesting if
| you've only found out last minute.
|
| Thanks.
|
| Kind regards,
|
| Ka Kwok
|



Please submit "x-x.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

Then it could be determined what you are up against and a good course of action.
 
Nick FitzGerald

Ka Khiong Kwok said:

| This one seems fun to deal with.
| A bud of mine caught this one on his computer.
| At start up it opens up multiple instances of what looks like mIRC boxes
| (about 120 each time) and sucks up resources enough to kill the mouse.
|
| Running VET, it's found the virus in a couple of files, one of them starting
| with dc421 or something like that. The thing that I've also noticed was that
| there was also a file called x-x.exe and cryptus.* that seems to be
| infected with something.

Which IRCFlood variant did Vet say it found?

There has been a rash of new IRCFlood variants released the last few weeks
with typical MO being to host the .EXE on a (free) Romanian web site then
spew a spam-run with a URL pointing to the .EXE. If your friend (or
someone he lets use his computer) is dumb enough to click on such links
_AND_ then choose to execute such files, I'd suggest he would be damn
lucky if he only has IRCFlood on his machine...

| Problem is, I've already run the virus scanner a couple of times and the
| bugger's still there.

Tell us what variant Vet said it detected. What is the exact detection
report? With that information we should (well, "may") be able to work out
precisely what has been done to the machine by the IRCFlood installer and
thus explain what needs to be done to fix it.
 
