Tech Tips Home
The Best Tech Tips And Daily Deals
Newsletter On The Internet!

WorldStart Tech Tip And Store Search
Email: Password: Login Remember Me
looking for freeware

Like what you see here? Subscribe to the Tech Tips newsletter!   Email: Subscribe


Thursday, September 15th, 2005 by | Filed Under: Security Help

There’s a nasty virus out there, the W32IRCBot.Worm. It’s an Internet Relay Chat-based virus that takes advantage of unpatched Windows systems via the MS05-039 vulnerability.

The Worm received a High security risk assessment from McAfee when it was initially discovered on the 17 August 2005 due to prevalence. The next day the virus was downgraded to a Medium security risk due a decline in the rapid infections, but still warns that this is a serious threat to unpatched systems.

The W32IRCBot can scan systems looking for any that are unpatched and creates a buffer overflow that allows the attacker to write files to windows using the TFTP (Trivial File Transfer Protocol) using port 8594. The Worm writes a file to the Windows directory (C:\Windows\System32\ on Win XP) with the file name of as WINTBP.EXE along with the registry key …
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “wintbp.exe”
… that tells the system to launch the Worm on Windows startup. Since this Worm is an IRCBot, once the virus has infected a system it attempts to contact it’s server and wait for further instructions.

* Learn more about web bots here…

A tell tale sign of infection is your system rebooting for no apparent reason and possible system performance degradation. If you do become infected you can remove the virus with the Mcafee Stinger, a downloadable virus removal tool—get it here…

To avoid infection altogether you may want to make sure that your Windows exploit (MS05-039) is patched by performing a Windows update. Along with this, of course, you should confirm that you have the latest Dat files or updates from your anti-virus vendor, which will help the application spot and hopefully remove the virus from your system. One more line of defense if you run a firewall is to shut down the port the virus attempts to enter from, Port 8594—this should essentially “lock the door” to any attempts to infect your system.

Stay safe out there,

~ Chad Stelnicki

Leave a Reply

Like these tips? Get them for FREE in your email!

WorldStart's Tech Tips Newsletter

  • Tech Tips Daily - Become a tech pro! Get the very best tech and computer help sent directly to your email every weekday!

  • Tech Tips Weekly - If you don't want our Tech Tips newsletter every day, then sign up for this weekly newsletter to get the best information of the week. Sent on Fridays.

Other Newsletters

  • WorldStart's Daily Deals - Every week, we send out great deals in our Daily Deals newsletter. Many of these deals are exclusively for our Daily Deals newsletter subscribers and can't be found with our regular specials.

  • Just For Grins - Each issue includes a couple clean jokes, some funny quotes, and a hilarious reader's story. Newsletter is sent five days a week.

Enter Email Address:


Your e-mail address is safe with us!
We only use it to send you the newsletters you request. It is NEVER disclosed to a third party for any reason, ever! Plus, if you decided you don't like our newsletters (don't worry, you'll love them), unsubscribing is fast and easy.

Free Newsletter Signup

Tech Tips Daily

Become a tech pro! Get the very best tech and computer help sent directly to your email every weekday!

Tech Tips Weekly

The week's best in tech and computer help. Get your issue sent to your email every Friday!

WorldStart's Daily Deals

The very best deals on the Internet! Get a new set of incredible sales every day of the week!

Just For Grins

Clean jokes, funny quotes, and hilarious comics. Sent 5 times a week straight to your email.


Love Worldstart? Refer A Friend!

looking for freeware
WorldStart's Premium Membership

Tip Archive