Tools
Backdoor:W32/IRCBot.AAS
Summary
Disinfection
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Installation
Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:
- algose32.exe
This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.
On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:
- http://www.emr3.net/p[...].exe.
The file downloaded is detected as Backdoor.Win32.IRCBot.WT.
Activity
This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.
To be able to gain access to the backdoor, the remote user must login to the channel and type the password:
When successfully logged in to the BOT, the remote user can do the following IRC commands:
- Joins/Part an IRC channel
- Send private/channel messages
- Change the BOT's nick
- Quits the IRC server.
- Checks the BOT's ID and version.
- Check the up-time of the BOT
- Logout from the BOT.
- Update the BOT.
The remote user can also perform the following system commands:
- Opens/Executes/Downloads files.
- Port scanning.
- Access files through a Shell.
- List/Terminate processes.
Registry This program creates the following registry key as its auto-start technique:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse = "%systemdir%\algose32.exe" - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse = "%systemdir%\algose32.exe"
Note: %systemdir% is typically "C:\Windows\system32".