1. Technical report
The IRC virus combines the functions of a hacking tool, a worm and a backdoor, and spreads through shared directories on the LAN and through system vulnerabilities. To get into shares it tries a small dictionary of simple passwords, so a machine whose accounts have no password, or only a weak one, is easily infected.
Once run, the virus copies itself into the system directory (the system32 directory under the Windows directory on Win2K/NT/XP; the system directory under the Windows directory on Win9x) with the hidden attribute set. The file name is not fixed; here we call it xxx.exe. It usually has no icon. At the same time the virus writes a startup entry into the registry; the value name is not fixed either, and here we call it yyy. Different variants write different startup entries, but all of them write this one:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\yyy : xxx.exe
Other entries that may also be written:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yyy : xxx.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\yyy : xxx.exe
A few rare variants write these two entries instead:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\yyy : xxx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\yyy : xxx.exe
In addition, some IRC viruses register themselves as a system service on Win2K/NT/XP so that they are started at boot.
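The list of Run, RunOnce and RunServices entries above can be turned into a triage check. The following is an added example written for this page, not code from the original report: it parses a registry export (the text produced by `reg export` on the suspect host) and lists every entry under those five keys that is not on an analyst-maintained allowlist, noting whether the program sits in the system directory the virus copies itself to, or is given as a bare file name (which Windows resolves through the search path, so it can still be the copy in system32). The sample export, the KNOWN_GOOD allowlist and the xxx.exe / yyy names are constructed for illustration; the hidden attribute and service registrations cannot be seen in this export and must be checked on the host.

```python
"""Triage autorun entries in a .reg export for the persistence keys named in the report.

Assumed workflow (not from the report): on the suspect host run
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion hklm_cv.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu_cv.reg
and feed the files to parse_reg_export(). Real exports are UTF-16 LE with a BOM,
so open them with encoding="utf-16".
"""
import re
from typing import Dict, List, Tuple

# The five autorun keys listed in the report (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Directories the report says the dropped copy lives in (Win2K/NT/XP: system32, Win9x: system).
SYSTEM_DIRS = ("\\system32\\", "\\system\\")

# Hypothetical allowlist of basenames the analyst has already vetted on this host.
KNOWN_GOOD = {"ctfmon.exe"}

# A .reg value line: "Name"=data  or  @=data (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path_lowercased: {value_name: string_data}} for REG_SZ values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        # Only string data is quoted; hex:/dword: values are not command lines.
        if data.startswith('"') and data.endswith('"') and len(data) >= 2:
            keys[current][name] = unescape(data[1:-1])
    return keys


def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: first whitespace-delimited token (an unquoted path containing spaces is a known limitation).
    return command.split()[0] if command else ""


def find_suspicious_autoruns(keys: Dict[str, Dict[str, str]],
                             known_good=KNOWN_GOOD) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, command, note) for every autorun entry not on the allowlist."""
    findings = []
    for key, values in keys.items():
        if key not in AUTORUN_KEYS:
            continue
        for name, command in values.items():
            exe = executable_path(command)
            if exe.rsplit("\\", 1)[-1].lower() in known_good:
                continue
            if "\\" not in exe:
                note = "bare file name; resolved through the search path, which includes the system directory"
            elif any(d in exe.lower() for d in SYSTEM_DIRS):
                note = "runs from the system directory"
            else:
                note = "outside the system directory"
            findings.append((key, name, command, note))
    return sorted(findings)


# Constructed sample export: one legitimate entry plus the yyy/xxx.exe pattern from the report.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"yyy"="C:\\WINDOWS\\system32\\xxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"yyy"="\"C:\\WINDOWS\\system32\\xxx.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"yyy"="xxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Installed"="1"
'''

if __name__ == "__main__":
    for key, name, command, note in find_suspicious_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name} = {command}  [{note}]")
```

Anything the script lists must still be checked on the host: whether the file carries the hidden attribute and has no icon, as the report describes, and whether a matching service exists under HKLM\SYSTEM\CurrentControlSet\Services, which this export does not contain.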