IRUN4.EXE
PROCESS INFORMATION
Process
Name : irun4.exe
Process
Path : %SYSTEM%\irun4.exe
[ C:\Windows\System32\irun4.exe]
Process
type : Internet
Worm
Malware
Name : W32.Bagle.J@mm
Alias : I-Worm/Bagle.J, W32/Bagle.J@MM
, Bagle.J, W32/Bagle-J, WORM_BAGLE.J
Threat
level : Low
Process
Details :
Irun4.exe is the main
component dropped by Bagle.J. It is
a mass mailing worm, uses e-mail addresses
collected from .wab .txt .htm .html .dbx .mdx .eml
.nch .mmf .ods .cfg .asp .php .pl .adb and
.sht files to distribute infected messages. Bagle worm arrives as an
e-mail attachment. The infected attachment will
be a password protected ZIP file or an executable
file with PIF extension. This variant will not
spread after 25th April 2004.
The
infected mail subject will be one of the
following
E-mail
account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.
The
infected mail message body will contain one of
the following
"Our
main mailing server will be temporary unavaible
for next two days,
to continue receiving mail in these days you have
to configure our free
auto-forwarding service."
"Your e-mail account will be disabled
because of improper using in next
three days, if you are still wishing to use it,
please, resign your
account information."
"We warn you about some attacks on your e-mail
account. Your computer may contain viruses, in
order to keep your computer and e-mail account
safe, please, follow the instructions."
"Our antivirus software has detected a large
ammount of viruses outgoing from your email
account, you may use our free anti-virus tool to
clean up your computer software."
"Some of our clients complained about the
spam (negative e-mail content) outgoing from your
e-mail account. Probably, you have been infected
by a proxy-relay trojan server. In order to keep
your computer safe, follow the instructions."
When the worm file is
executed, it copies itself to Windows system
folder as "irun4.exe" in the
background. W32.Beagle.J@mm modifies registry run
section to load automatically on the next startup.
The registry modification is given below.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"srate.exe"= %SYSTEM%\irun4.exe
[
By default, %SYSTEM% will be C:\Windows\System in
case of Windows 95/98/ME, C:\Winnt\System32 in
case of Windows NT/2000 and C:\Windows\System32
in case of Windows XP ]
Bagle.J worm uses its own
SMTP engine to send infected messages. The worm
tries to terminate security programs in the
infected system. Bagle.J worm will not send
infected mails to the following e-mail addresses
.ch
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@
Bagle.J contains backdoor
abilities and it opens TCP port 2745. It allows
hackers to upload files in the infected computer.
Bagle.J tries to download a PHP script ( scr.php
) from the following sites
postertog.de
www.gfotxt.net
www.maiklibis.de
How can I protect my
system?
Solo has incorporated
irun4.exe in its signature file to protect users
from this worm attack. Solo antivirus registered
users are already protected from this Worm. Make
sure that you have installed registered version
of Solo Antivirus to protect your system from all
virus threats.
How
to remove this Worm?
If
you are already infected with irun4.exe process,
you can remove it from your computer using Solo
Antivirus software. Use the
following link to Download 30 day trial
version of Solo antivirus to remove
viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts, Trojans,
Backdoors, boot sector, partition table and macro
viruses.
You can
purchase Solo antivirus using the link 
|
