Friday, 24 February 2012

Backdoor:Win32/IRCbot


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Aug 22, 2007

Aliases
  • Backdoor:Win32/IRCbot!8497 (Microsoft)
  • Win32/Checkout.A (CA)
  • Backdoor.Win32.IRCBot.aaq (Kaspersky)
  • W32/Checkout (McAfee)
  • W32/IRCBot-WB (Sophos)
  • W32.Mubla (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

Summary

Backdoor:Win32/IRCbot is a Trojan that connects to an Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot also includes the ability to send itself to MSN Messenger contacts.

Symptoms

The following symptoms may be indicative of a Backdoor:Win32/IRCbot!751D infection:
  • Presence of the file "syshosts.dll" in the Windows system folder
  • Presence of the file "photos.zip" in the Windows folder
  • Presence of the following registry keys and values:
    HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32\
    "@" = syshosts.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "syshosts" = "{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}"

Technical Information (Analysis)

Backdoor:Win32/IRCbot is a Trojan that connects to a remote Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot also includes the ability to send itself to MSN Messenger contacts.

Backdoor:Win32/IRCbot may be installed by Backdoor:Win32/IRCbot!8497, a 32-bit PE executable. When the installer is run, it performs the following actions:
  • Drops a file 'syshosts.dll' into the Windows system folder. This file may be detected as Backdoor:Win32/IRCbot!751D.
  • Modifies the registry to run this file when Windows is started:
    Adds value: syshosts
    With data: {5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    Adds value: @
    With data: syshosts.dll
    To subkey:
    HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32\
  • Lastly, IRCbot!8497 drops a .ZIP copy of itself into the Windows folder as "photos.zip".
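The file and registry indicators listed under Symptoms and in the installer actions above can be checked offline against evidence collected from a suspect host. The following Python script is an added example, not the encyclopedia's own tooling: it parses a regedit-style .reg export, walks every ShellServiceObjectDelayLoad entry, resolves its CLSID to the DLL named in InProcServer32, and compares the result, together with a file listing, against the IoCs from this entry. It handles the general case (any number of SSODL entries, HKCR or the HKLM\SOFTWARE\Classes mirror), not just the one CLSID shown above. The .reg handling covers REG_SZ data only, "Windows system folder" is assumed to mean %SystemRoot%\System32, and the sample snapshot at the bottom is constructed (the second SSODL entry uses a placeholder CLSID).

```python
"""Added example (not the encyclopedia's own tooling): check an offline host
snapshot for the Backdoor:Win32/IRCbot persistence and file IoCs.

Input is a regedit-style .reg export plus a list of file paths, so the check
runs on collected evidence rather than on the live host. Only REG_SZ data is
unescaped; the sample data at the bottom is constructed.
"""

# IoCs from the encyclopedia entry.
IRCBOT_CLSID = "{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}"
IRCBOT_DLL = "syshosts.dll"      # expected in the Windows system folder
IRCBOT_ZIP = "photos.zip"        # expected in the Windows folder

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")


def parse_reg_export(text):
    """Parse a .reg export into {KEY_PATH_UPPER: {value_name: data}}.

    Key paths are upper-cased because the registry is case-insensitive.
    Quoted string data is unescaped; dword:/hex: data is kept verbatim.
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\").upper()
            reg.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        reg[current][name] = data
    return reg


def resolve_ssodl(reg):
    """Yield (value_name, clsid, dll) for every ShellServiceObjectDelayLoad entry.

    Each entry is a CLSID that the shell loads at logon; the DLL behind it is
    the default value of the CLSID's InProcServer32 key, looked up under HKCR
    or its HKLM\\SOFTWARE\\Classes mirror depending on how the export was taken.
    """
    for name, clsid in reg.get(SSODL_KEY.upper(), {}).items():
        clsid = clsid.upper()
        dll = None
        for root in (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"):
            dll = reg.get(f"{root}\\{clsid}\\INPROCSERVER32".upper(), {}).get("@")
            if dll:
                break
        yield name, clsid, dll


def check_host(reg_text, file_paths):
    """Return findings: KNOWN_BAD matches the entry's IoCs, REVIEW needs an analyst."""
    findings = []
    for name, clsid, dll in resolve_ssodl(parse_reg_export(reg_text)):
        bad = clsid == IRCBOT_CLSID or (dll or "").lower().endswith(IRCBOT_DLL)
        findings.append({"type": "ssodl", "value": name, "clsid": clsid, "dll": dll,
                         "verdict": "KNOWN_BAD" if bad else "REVIEW"})
    for path in file_paths:
        folder, _, base = path.lower().rpartition("\\")
        if base == IRCBOT_DLL:
            bad = folder.endswith("\\system32")   # assumption: system folder = System32
        elif base == IRCBOT_ZIP:
            bad = folder.endswith("\\windows")
        else:
            continue
        findings.append({"type": "file", "path": path,
                         "verdict": "KNOWN_BAD" if bad else "REVIEW"})
    return findings


# Constructed sample snapshot; the second SSODL entry uses a placeholder CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"syshosts"="{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}"
"PlaceholderEntry"="{00000000-0000-0000-0000-00000000AAAA}"

[HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32]
@="syshosts.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InProcServer32]
@="C:\\Windows\\System32\\placeholder.dll"
"""
SAMPLE_FILES = [r"C:\Windows\System32\syshosts.dll", r"C:\Windows\photos.zip",
                r"C:\Windows\System32\kernel32.dll", r"C:\Users\Public\photos.zip"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Every SSODL entry is reported, not only the known-bad one, because the value name and CLSID are trivially changed between samples while the loading mechanism stays the same; an entry whose DLL is not part of the host's baseline is worth a look even when it matches no published IoC.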
 
When Backdoor:Win32/IRCbot!751D (syshosts.dll) runs, it performs the following actions:
  • Connects to a remote IRC server to receive command instructions
  • Awaits command instructions, which could include spreading to other computers using the MSN Messenger communication protocol
  • Backdoor:Win32/IRCbot!751D may send a copy of itself to all MSN Messenger contacts, using an attachment named 'photos.zip' and one of the following messages:

    Here are my private pictures for you
    Here are my pictures from my vacation
    My friend took nice photos of me.you Should see em loL!
    its only my photos!
    Nice new photos of me and my friends and stuff and when i was young lol…
    Nice new photos of me!! :p
    Check out my sexy boobs :D
    hey regarde mes tof!! :p
    ma soeur a voulu que tu regarde ca!
    hey regarde les tof, c'est moi et mes copains entrain de.... :D
    j'ai fais pour toi ce photo album tu dois le voire :)
    tu dois voire ces tof
    mes photos chaudes :D
    c'est seulement mes tof :p
    zijn enige mijn foto's
    wanna Hey ziet mijn nieuw fotoalbum?
    indigde enkel nieuw fotoalbum! :)
    hey keurt mijn nieuw fotoalbum goed.. :p
    Hey beëindigde enkel nieuw fotoalbum! :)
    het voor yah, doend beeldverhaal van mijn leven lol..
    meine heißen Fotos ! :p
    meine hei
    le mie foto calde :p
    mis fotos calientes
    mi fotografías :p
    Mi amigo tomó las fotos agradables de mí
    mis fotos calientes
    el lol mi hermana quisiera que le enviara este álbum de foto
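From an IM gateway's point of view, the spreading behaviour described above is a single account sending the same attachment with one of a fixed set of texts to many contacts in a short time. The following Python script is an added example, not the encyclopedia's own tooling: it scans a constructed log format ("<timestamp> <sender> -> <recipient> [attachment=<name>|-] <text>"), matches a subset of the lure texts listed above case- and accent-insensitively (the strings span several languages and their exact byte form varies between samples and extractions), and escalates a sender only when attachment name, lure text and fan-out to several recipients all line up. The log format, the addresses and the sample lines are constructed.

```python
"""Added example (not the encyclopedia's own tooling): flag IM traffic that
looks like IRCbot's MSN Messenger spreading.

Assumed log format, one message per line:
    <timestamp> <sender> -> <recipient> [attachment=<name>|-] <text>
Lure texts are a subset of those listed in the entry; sample lines are constructed.
"""
import re
import unicodedata

LURE_ATTACHMENT = "photos.zip"
LURE_TEXTS = [                     # subset of the messages listed in the entry
    "Here are my private pictures for you",
    "Nice new photos of me!! :p",
    "hey regarde mes tof!! :p",
    "mes photos chaudes :D",
    "meine heißen Fotos ! :p",
    "mis fotos calientes",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sender>\S+) -> (?P<recipient>\S+) "
    r"\[attachment=(?P<att>[^\]]*)\] (?P<text>.*)$")


def normalize(text):
    """Lower-case, strip accents and collapse whitespace so that
    "MÍS  Fotos " and "mis fotos" compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"\s+", " ", stripped).strip().lower()


NORMALIZED_LURES = {normalize(t) for t in LURE_TEXTS}


def indicators(line):
    """Return (sender, recipient, set of indicator names), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits = set()
    if m["att"].lower() == LURE_ATTACHMENT:
        hits.add("attachment")
    if normalize(m["text"]) in NORMALIZED_LURES:
        hits.add("lure_text")
    return m["sender"], m["recipient"], hits


def scan(lines, fanout_threshold=3):
    """Aggregate indicators per sender.

    LIKELY_IRCBOT_SPREAD requires the attachment name, a lure text and at least
    fanout_threshold distinct recipients; anything weaker is REVIEW.
    """
    per_sender = {}
    for line in lines:
        parsed = indicators(line)
        if not parsed or not parsed[2]:
            continue
        sender, recipient, hits = parsed
        state = per_sender.setdefault(sender, {"recipients": set(), "hits": set()})
        state["recipients"].add(recipient)
        state["hits"].update(hits)
    verdicts = {}
    for sender, state in per_sender.items():
        strong = {"attachment", "lure_text"} <= state["hits"]
        if strong and len(state["recipients"]) >= fanout_threshold:
            verdicts[sender] = "LIKELY_IRCBOT_SPREAD"
        else:
            verdicts[sender] = "REVIEW"
    return verdicts


# Constructed sample log: alice shows the worm pattern, erin sends one zip with
# ordinary text, grace is plain chat with no attachment.
SAMPLE_LOG = [
    "2012-02-24T10:01:02 alice@example.test -> bob@example.test [attachment=photos.zip] Here are my private pictures for you",
    "2012-02-24T10:01:03 alice@example.test -> carol@example.test [attachment=photos.zip] NICE NEW PHOTOS OF ME!! :P",
    "2012-02-24T10:01:04 alice@example.test -> dave@example.test [attachment=photos.zip] mís fotos calientes",
    "2012-02-24T10:05:00 erin@example.test -> frank@example.test [attachment=photos.zip] here are the slides from yesterday",
    "2012-02-24T10:06:00 grace@example.test -> heidi@example.test [attachment=-] lunch at 12?",
]

if __name__ == "__main__":
    for sender, verdict in scan(SAMPLE_LOG).items():
        print(sender, verdict)
```

The fan-out threshold is the part worth tuning: the attachment name and the lure texts are trivially changed by the operator, whereas a compromised account messaging its whole contact list within seconds is the behaviour itself and survives such changes.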
