Wabot is a IRC worm that changes some settings in the system. It targets Microsoft Windows users.


Company Names Detection Names
EMSI Software Backdoor.Wabot.A (B)
Ahnlab Worm/Win32.IRCBot
Avast Win32:Wabot
AVG (GriSoft) BackDoor.Wabot.A (Trojan horse)
Avira TR/Dldr.Delphi.Gen
Kaspersky Backdoor.Win32.Wabot.a
BitDefender BackDoor.Wabot.A
ClamAV and ClamWin Trojan.Wabot
Dr.Web Trojan.MulDrop2.11051
F-Prot W32/Heuristic-400!Eldorado
FortiNet W32/Wabot.A!tr
McAfee W32/Wabot
Microsoft Backdoor:Win32/Wabot.A
Symantec Trojan.Gen
ESET Win32/Delf.NRF worm
Norman W32/Delf.FHWF
Panda Backdoor Program
Rising Backdoor.Win32.Wabot.a
Sophos Troj/Luiha-M
vba32 BackDoor.Wabot.A
V-Buster Backdoor.Wabot!AWDH2njzaiI (trojan)
Vet (Computer Associates)



Wabot drops two files in the System folder, "sIRC4.exe" and "marijuana.txt" (Marijuana leaf in ASCII art format). It sets the value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to "explorer.exe sIRC4.exe", in such a manner that the virus can run at startup. It searches for BAT, SCR, COM, PIF and CMD files in every folder. When the virus finds one file, the virus will overwrite it. It tries to be of the same size as the file, increasing and decreasing itself. After that, it will copy the file to System folders "DC++ Share" and "xdccPrograms", in a P2P manner.

After that, the virus connects to "" with a random username. It searches for groups ("#hellothere", every group with "mp3" and "xdcc" in the title) and tries to broadcast malicious messages to these groups.