W32/Darker.worm!p2p

This page shows details and results of our analysis of the malware W32/Darker.worm!p2p.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another. This particular detection covers a peer-to-peer worm that also carries an IRC-controlled backdoor, as described under Characteristics below.


Minimum DAT

4303 (2003-11-12)

Updated DAT

5656 (2009-06-24)

Minimum Engine

5.1.00

File Length

37,376 bytes

Description Added

2003-11-06

Description Modified

2003-11-06

Characteristics

McAfee users were proactively protected from this threat under the following conditions (detection name New Malware.b, or New BackDoor):

  • 4.2.40+ scan engine in use
  • 4245 - 4302 DAT files
  • program heuristics enabled
  • compressed file scanning enabled (default)

This worm spreads via several popular peer-to-peer applications. It also acts as an Internet Relay Chat (IRC) bot, accepting commands from a remote attacker.

When run, the worm copies itself to the WINDOWS directory as svchost.exe and creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ServiceProcess" = C:\WINDOWS\svchost.exe

Note that the genuine svchost.exe lives in the SYSTEM32 subdirectory and is started by the Service Control Manager, not from a Run value, so a copy in the WINDOWS directory itself, launched from the Run key, is distinguishable by path alone.
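The following is an added example, not part of the original description or of any McAfee tool: it parses a registry export of the Run key (a constructed sample in the format `reg export` writes) and flags any value that launches a file named svchost.exe, with an extra reason when that file is outside SYSTEM32. The sample export, the value names other than ServiceProcess, and the path-splitting rule (first whitespace-delimited token is the executable) are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the Run key (not taken from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ServiceProcess"="C:\\WINDOWS\\svchost.exe"
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A REG_SZ value line in a .reg file: "name"="data" (backslashes are doubled in the file).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: command} for the HKLM Run key in a .reg export."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if in_key:
            m = VALUE_RE.match(line)
            if m:
                values[m["name"]] = m["data"].replace("\\\\", "\\")
    return values


def suspicious_svchost_entries(values, system_root=r"C:\WINDOWS"):
    """Flag Run values that start a file named svchost.exe.

    The real svchost.exe is %SystemRoot%\\System32\\svchost.exe and is started by
    the Service Control Manager, never from the Run key, so any Run value naming it
    is suspect; one pointing outside System32 (as this worm's does) doubly so.
    Assumption: the executable is the first whitespace-delimited token of the command.
    """
    legit = PureWindowsPath(system_root, "system32", "svchost.exe")
    hits = []
    for name, cmd in values.items():
        exe = PureWindowsPath(cmd.strip('"').split(" ")[0])
        if exe.name.lower() != "svchost.exe":
            continue
        reason = "svchost.exe launched from Run key"
        if str(exe).lower() != str(legit).lower():
            reason += " from outside System32"
        hits.append((name, str(exe), reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_svchost_entries(parse_run_values(SAMPLE_REG_EXPORT)):
        print(hit)
```

On a live system the same check can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the parser only looks at the Run key, so exporting a wider hive is harmless.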

It contacts the IRC server gotroot.darktech.org, joins a specified channel, and awaits further commands. These commands give a remote attacker the ability to perform various tasks, such as:

  • ping
  • IRC functions
  • find, delete, download, and execute files
  • configure internal proxy server
  • kill anti-virus processes
  • spread via email
  • initiate a denial of service attack
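The IRC check-in described above, as an added detection example that is not part of the original description: it parses a constructed connection log (addresses, nicks and the channel name are invented for the example) and flags outbound TCP sessions from internal hosts that either go to an IRC port or carry IRC protocol commands in their payload. Matching on the commands as well as the port is an assumption that goes beyond the page, so that a bot pointed at a non-standard port is still caught; the set of "IRC ports" beyond 6667 is likewise an assumption.

```python
import re
from collections import namedtuple

# Constructed connection records (not captured traffic), one per line:
# time src:port -> dst:port proto "payload"   (CRLF written as the two characters \r\n)
SAMPLE_LOG = r'''
2003-11-06T10:01:02 192.168.1.23:1045 -> 10.0.0.5:80 TCP "GET / HTTP/1.1"
2003-11-06T10:01:07 192.168.1.23:1046 -> 203.0.113.9:6667 TCP "NICK bot-1046\r\nUSER x 0 0 :x\r\n"
2003-11-06T10:01:09 192.168.1.23:1046 -> 203.0.113.9:6667 TCP "JOIN #channel\r\n"
2003-11-06T10:02:00 192.168.1.40:1050 -> 203.0.113.77:8080 TCP "NICK bot-1050\r\nJOIN #channel\r\n"
2003-11-06T10:02:30 192.168.1.23:1047 -> 10.0.0.6:445 TCP ""
'''

Record = namedtuple("Record", "ts src sport dst dport proto payload")
LINE_RE = re.compile(
    r'^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+) (\w+) "(.*)"$'
)
# 6667 is the port the page names; 6660-6669 and 7000 are other common IRC ports (assumption).
IRC_PORTS = set(range(6660, 6670)) | {7000}
# IRC client commands at the start of the payload or after a CRLF (written as literal \r\n here).
IRC_CMD_RE = re.compile(r'(?:^|\\r\\n)(NICK|USER|JOIN|PRIVMSG|PONG)\b')
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumption: RFC 1918 space used on the LAN


def parse_records(text):
    """Parse the log format above into Record tuples; ports become ints."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, src, sport, dst, dport, proto, payload = m.groups()
        records.append(Record(ts, src, int(sport), dst, int(dport), proto, payload))
    return records


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def flag_irc_c2(records):
    """Return (src, dst, dport, reasons) for outbound TCP sessions that look like IRC C&C."""
    hits = []
    for r in records:
        if r.proto != "TCP" or not is_internal(r.src) or is_internal(r.dst):
            continue
        reasons = []
        if r.dport in IRC_PORTS:
            reasons.append(f"destination port {r.dport}")
        cmds = IRC_CMD_RE.findall(r.payload)
        if cmds:
            reasons.append("IRC commands " + ",".join(cmds))
        if reasons:
            hits.append((r.src, r.dst, r.dport, reasons))
    return hits


def suspect_hosts(hits):
    """Internal hosts with at least one flagged session, for triage."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    for hit in flag_irc_c2(parse_records(SAMPLE_LOG)):
        print(hit)
```

The 8080 session in the sample is flagged only by its NICK/JOIN payload, which is the case a port-only rule such as the one under Symptoms would miss; conversely, a legitimate IRC client on a workstation will also trip this, so treat the output as a triage list and confirm with the svchost.exe path and Run value described above.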

When instructed, the worm can send itself to addresses found in email folders, via MAPI, with the following information:

Subject: Microsoft Windows OutLook Express urgent updates
Body: There is a new virus spreading called Win32.darkirc virus. This email was sent to you as a precaution as ur version of OutLook Express has not been updated. Patch available attached to the email
Attachment: Av_patch.exe

The worm has the ability, when instructed, to terminate the following running processes:

  • ACKWIN32.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • AHNSD.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTODOWN.exe
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • AVKPOP.EXE
  • AVKSERV.EXE
  • AVKSERVICE.EXE
  • AVKWCL9.EXE
  • AVKWCTL9.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPEXEC.EXE
  • AVPINST.EXE
  • AVPM.EXE
  • AVPUPD.EXE
  • AVRESCUE.EXE
  • AVSYNMGR.EXE
  • AVSYNMGR.exe
  • AVWINNT.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • AVXQUAR.EXE.EXE
  • AVXW.EXE
  • AckWin32.exe
  • Alerter
  • AutoDown.exe
  • AutoTrace.exe
  • AvSynMgr
  • AvgServ
  • Avgctrl.exe
  • AvkServ.exe
  • Avsched32.exe
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BS120.EXE
  • BlackICE.exe
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPDCLNT.EXE
  • CPDClnt.exe
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CSINJECT.EXE
  • CSINSM32
  • CSS 1631.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • Claw95.exe
  • Claw95cf.exe
  • DEFSCANGUI.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DOORS.EXE
  • DPF.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • EFPEADM.EXE
  • EFPEADM.exe
  • ENT.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ETRUSTCIPE.EXE
  • ETRUSTCIPE.exe
  • EVPN.EXE
  • EVPN.exe
  • EXANTIVIRUS-CNET.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FIH32.EXE
  • FIREWALL.EXE
  • FIX-IT.EXE
  • FLOWPROTECTOR.EXE
  • FNRB32.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • FSAA.EXE
  • FSAV.EXE
  • FSAV32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • FSAVE32.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • FWENC.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISRV95.EXE
  • JAMMER.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.exe
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • MONSYS32.EXE
  • MONSYSNT.EXE
  • MONWOW.EXE
  • MOOLIVE.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.exe
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSINFO32.EXE
  • MSSMMC32.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • MWATCH.exe
  • MXTASK.EXE
  • Mcshield.exe
  • Monitor.exe
  • NAV Auto-Protect
  • NAV80TRY.EXE
  • NAVAP
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVENG
  • NAVENGNAVEX15
  • NAVEX15
  • NAVLU32.EXE
  • NAVRUNR.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NEOWATCHLOG.EXE
  • NETARMOR.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NTXCONFIG.EXE
  • NTXconfig.exe
  • NUI.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • NVLAUNCH.EXE
  • NVSVC32
  • NWINST4.EXE
  • NWSERVICE.EXE
  • NWService.exe
  • NWTOOL16.EXE
  • Navw32.exe
  • NeoWatchLog.exe
  • Nui.EXE
  • Nupgrade.exe
  • OFFGUARD.EXE
  • OSTRONET.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PAVPROXY.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCCLIENT.EXE
  • PCCGUIDE.EXE
  • PCCIOMON.EXE
  • PCCNTMON.EXE
  • PCCPFW
  • PCCWIN97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PCSCAN.EXE
  • PDSETUP.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • REALMON.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • Rescue.exe
  • SAFEWEB.EXE
  • SBSERV.EXE
  • SCAN32.EXE
  • SCHEDAPP.EXE
  • SCRSCAN.EXE
  • SD.EXE
  • SETUPVAMEEVAL.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SRWATCH.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • SUPPORTER5.EXE
  • SWEEP95.EXE
  • SWEEPSRV.SYS
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSDOC32.EXE
  • SYSEDIT.EXE
  • Sphinx.exe
  • SweepNet
  • SymProxySvc.exe
  • TASKMON.EXE
  • TAUMON.EXE
  • TAUSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • Tmntsrv
  • UNDOBOOT.EXE
  • UPDATE.EXE
  • Uh`S@d
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCCMSERV.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET32.exe
  • VET95.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • VVSTAT.EXE
  • VbCons.exe
  • Vet95.exe
  • VetTray.exe
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WINRECON.EXE
  • WINROUTE
  • WINSFCM.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • WrAdmin.exe
  • WrCtrl.exe
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • agentw.exe
  • alogserv.exe
  • apvxdwin.exe
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • avpm.exe
  • blackd.exe
  • ccApp.exe
  • ccEvtMgr.exe
  • ccPxySvc.exe
  • cfgWiz.exe
  • cleaner.EXE
  • cleaner3.EXE
  • cpd.exe
  • defalert.exe
  • defscangui.exe
  • f-stopw.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gbmenu.exe
  • gbpoll.exe
  • iamapp.exe
  • iamserv.exe
  • lockdown2000.exe
  • navapsvc
  • navapsvc.exe
  • netstat.exe
  • notstart.exe
  • npscheck.exe
  • ntrtscan.EXE
  • nvapsvc
  • pathping.exe
  • pavproxy.exe
  • pccntmon.EXE
  • pccwin97.EXE
  • pcscan.EXE
  • ping.exe
  • rapapp.exe
  • route.exe
  • routemon.exe
  • sbserv.exe
  • sharedaccess
  • tracerpt.exe
  • tracert.exe
  • vbcmserv.exe
  • vsmon.exe
  • zapro.exe
  • zonealarm.exe

Symptoms

Unexpected outbound TCP traffic on port 6667 (the standard IRC port), together with the presence of C:\WINDOWS\svchost.exe and the "ServiceProcess" run value described above.

The worm copies itself to the following locations, within the C:\PROGRAM FILES\ directory:

  • Morpheus\My Shared Folder\Adobe_crack_.exe
  • Morpheus\My Shared Folder\live_f**k_tv(v2).exe
  • Morpheus\My Shared Folder\Teen sex Having her breasts f**ked and bl**job.exe
  • Morpheus\My Shared Folder\XP crack setup.exe
  • Morpheus\My Shared Folder\Xmusic Ultimate porn , games , movies Search engine.exe
  • Morpheus\My Shared Folder\Porn_Search_engine.exe
  • Morpheus\My Shared Folder\crack_database(1000scracks).exe
  • Morpheus\My Shared Folder\Mp3_Mixer(v3).exe
  • Morpheus\My Shared Folder\Jay z - crazy in love.mov.exe
  • Morpheus\My Shared Folder\PasswordCracker.exe
  • Morpheus\My Shared Folder\SlimShady Game.exe
  • Morpheus\My Shared Folder\Dmx - Who the let the dogs out(funny).exe
  • Morpheus\My Shared Folder\HotMail_password_hack(NEW!!!).exe
  • Morpheus\My Shared Folder\PornWebsite_Pass_crack_v1.23beta.exe
  • Morpheus\My Shared Folder\Msn_instant_messager_pass_crack.exe
  • Morpheus\My Shared Folder\Password_cracker(doesnt_work_on_nt).exe
  • KaZaA\My Shared Folder\HotMail_password_hacker.exe
  • KaZaA\My Shared Folder\Crackdatabase(1000scracks).exe
  • KaZaA\My Shared Folder\Porn_Search_engine.exe
  • KaZaA\My Shared Folder\Adobe_crack_.exe
  • KaZaA\My Shared Folder\Tit_test(Porn_game).exe
  • KaZaA\My Shared Folder\Kill backstreet boys(Eminem game).exe
  • KaZaA\My Shared Folder\Jenna jameson Tit f**k Sex Ultimate porn movie.mpeg.exe
  • KaZaA\My Shared Folder\Mp3_Mixer.exe
  • KaZaA\My Shared Folder\PassWordCracker.exe
  • KaZaA\My Shared Folder\Hotmail_Hacker.exe
  • KaZaA\My Shared Folder\DjSoftware.exe
  • KaZaA\My Shared Folder\Hot Pink P**sy Very tight chick f**king her boyfriend on the bed. Great sex clip.exe
  • KaZaA\My Shared Folder\Windows Xp Crack.exe
  • KaZaA\My Shared Folder\Teen f**king hard.avi.exe
  • KaZaA\My Shared Folder\Mp3Mixer(good).exe
  • KaZaA\My Shared Folder\PornWebsite_Pass_crack_v1.23beta.exe
  • KaZaA\My Shared Folder\Msn_instant_messager_pass_crack.exe
  • KaZaA\My Shared Folder\Password_cracker(doesnt_work_on_nt).exe
  • Grokster\My Grokster\HotMail_password_hacker(NEW!!!).exe
  • Grokster\My Grokster\Porn_search_engine(2003edition).exe
  • Grokster\My Grokster\Crack_hack_database(1000sCracksHacks).exe
  • Grokster\My Grokster\Adobe_crack_.exe
  • Grokster\My Grokster\Half_life_walk_through_walls_proxy.exe
  • Grokster\My Grokster\Mp3_Mixer_.exe
  • Grokster\My Grokster\HalfLife.exe
  • Grokster\My Grokster\Windows Xp crack.exe
  • Grokster\My Grokster\PornWebsite_Pass_crack_v1.23beta.exe
  • Grokster\My Grokster\Msn_instant_messager_pass_crack.exe
  • Grokster\My Grokster\Password_cracker(doesnt_work_on_nt).exe
  • KaZaA Lite\My Shared Folder\HotMail_password_hacker(NEW!!!).exe
  • KaZaA Lite\My Shared Folder\Crackdatabase(1000scracks).exe
  • KaZaA Lite\My Shared Folder\Porn_Search_engine.exe
  • KaZaA Lite\My Shared Folder\Adobe_crack_.exe
  • KaZaA Lite\My Shared Folder\Jenna jameson Tit f**k Sex Ultimate porn movie.mpeg.exe
  • KaZaA Lite\My Shared Folder\Mp3_Mixer.exe
  • KaZaA Lite\My Shared Folder\dr dre & nwa - f**k the police.mp3.exe
  • KaZaA Lite\My Shared Folder\britney spears tit game (funny as hell).exe
  • KaZaA Lite\My Shared Folder\Windows Xp Crack.exe
  • KaZaA Lite\My Shared Folder\Asian-porn-finder.exe
  • KaZaA Lite\My Shared Folder\PassWordCracker.exe
  • KaZaA Lite\My Shared Folder\Hotmail_Hacker.exe
  • KaZaA Lite\My Shared Folder\Xscan setup(Windows Hacker).exe
  • KaZaA Lite\My Shared Folder\DjSoftware.exe
  • KaZaA Lite\My Shared Folder\HalfLife Counter strike Auto Aim-v4.3.exe
  • KaZaA Lite\My Shared Folder\Mp3Mixer(good).exe
  • KaZaA Lite\My Shared Folder\Great Sex Movie Viewier NO Credit Cards (LESBIAN , HARDCORE , TEENSEX , F**K ,BL**JOB).exe
  • KaZaA Lite\My Shared Folder\PornWebsite_Pass_crack_v1.23beta.exe
  • KaZaA Lite\My Shared Folder\Msn_instant_messager_pass_crack.exe
  • KaZaA Lite\My Shared Folder\Password_cracker(doesnt_work_on_nt).exe
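An added example, not part of the original description, that scans the four shared folders listed above for these lure files. Rather than matching the exact names (which a variant can change), it uses two properties of the drops: a media extension followed by .exe, or crack/hack/porn wording in an executable's name, and, more robustly, the fact that the worm copies one body everywhere, so byte-identical .exe files under several names across the shared folders are grouped by SHA-256. The file tree it scans is constructed in a temporary directory with stand-in bytes; the keyword list and the extra media extensions are assumptions that go beyond the names on the page.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Shared-folder locations the description lists, relative to Program Files.
SHARED_DIRS = [
    Path("Morpheus") / "My Shared Folder",
    Path("KaZaA") / "My Shared Folder",
    Path("KaZaA Lite") / "My Shared Folder",
    Path("Grokster") / "My Grokster",
]
# Media extensions that should never be followed by .exe (assumption: wider than the page's names).
MEDIA_EXTS = {".mp3", ".mpeg", ".mpg", ".avi", ".mov", ".wmv", ".jpg", ".gif"}
# Wording the lure names share (assumption: a generic keyword list, not the page's exact names).
LURE_WORDS = re.compile(r"crack|hack|password|pass_|porn|sex|keygen", re.IGNORECASE)


def classify(path):
    """Reasons a file in a P2P shared folder looks like a worm lure (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] == ".exe":
        if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS:
            reasons.append("media extension followed by .exe")
        if LURE_WORDS.search(path.stem):
            reasons.append("crack/hack/porn lure wording in an executable name")
    return reasons


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_shared_folders(program_files):
    """Return (lure findings, groups of byte-identical .exe names across the shared folders).

    Identical hashes across folders are the strongest signal: the worm drops one body
    under many names, whatever names a variant chooses.
    """
    findings, by_hash = [], {}
    for rel in SHARED_DIRS:
        folder = Path(program_files) / rel
        if not folder.is_dir():
            continue
        for f in folder.iterdir():
            if not f.is_file():
                continue
            reasons = classify(f)
            if reasons:
                findings.append((f.name, reasons))
            if f.suffix.lower() == ".exe":
                by_hash.setdefault(sha256_of(f), []).append(f.name)
    clones = [sorted(names) for names in by_hash.values() if len(names) > 1]
    return findings, clones


def run_demo():
    """Build a constructed shared-folder tree in a temp dir and scan it (stand-in bytes, not real files)."""
    worm_body = b"MZ constructed stand-in for the worm body, identical in every copy"
    drops = [
        ("KaZaA/My Shared Folder", "Adobe_crack_.exe"),
        ("KaZaA Lite/My Shared Folder", "HotMail_password_hacker.exe"),
        ("Grokster/My Grokster", "Windows Xp crack.exe"),
        ("Morpheus/My Shared Folder", "Jay z - crazy in love.mov.exe"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder, name in drops:
            (root / folder).mkdir(parents=True, exist_ok=True)
            (root / folder / name).write_bytes(worm_body)
        # Two benign files: an unrelated installer and a real media file.
        (root / "KaZaA/My Shared Folder/setup.exe").write_bytes(b"MZ some other program")
        (root / "KaZaA/My Shared Folder/song.mp3").write_bytes(b"ID3 not executable")
        return scan_shared_folders(root)


if __name__ == "__main__":
    findings, clones = run_demo()
    print(findings)
    print(clones)
```

On a real machine call `scan_shared_folders(r"C:\Program Files")`; the name heuristics will also flag a user's own questionable downloads, but a group of byte-identical executables spread across several clients' shared folders is characteristic of a dropper and worth a hash lookup regardless of the names.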

Method of Infection

This worm spreads primarily through the KaZaA, Morpheus, Grokster, and KaZaA Lite shared folders, under the lure file names listed above, and secondarily through email when instructed to do so. When an infected file is run, the local machine becomes a host of the worm and an IRC zombie, carrying out the commands of a remote attacker.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Windows ME and XP keep copies of files in the System Restore cache (the _RESTORE folder on ME, the System Volume Information folder on XP); a copy of the worm held there can be restored later, so disable System Restore before cleaning and re-enable it afterwards.

Variants