Threat Description

Backdoor:​W32/IRCBot.AAS

Details

Aliases: Backdoor.Win32.IRCBot.AAS
Category: Malware
Type: Backdoor
Platform: W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



This IRCBot connects to an IRC server at dark.bestunix.org, where it waits for commands from a remote user. The bot is controlled via messages sent to it.

Installation

Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:

  • algose32.exe

This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.

On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:

  • http://www.emr3.net/p[...].exe.

The file downloaded is detected as Backdoor.Win32.IRCBot.WT.

Activity

This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.

To be able to gain access to the backdoor, the remote user must login to the channel and type the password:

When successfully logged in to the BOT, the remote user can do the following IRC commands:

  • Joins/Part an IRC channel
  • Send private/channel messages
  • Change the BOT's nick
  • Quits the IRC server.
  • Checks the BOT's ID and version.
  • Check the up-time of the BOT
  • Logout from the BOT.
  • Update the BOT.

The remote user can also perform the following system commands:

  • Opens/Executes/Downloads files.
  • Port scanning.
  • Access files through a Shell.
  • List/Terminate processes.

Registry

This program creates the following registry key as its auto-start technique:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"

Note: %systemdir% is typically "C:\Windows\system32".






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More