Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/IRCBot.AAS


Aliases:


Backdoor.Win32.IRCBot.AAS

Malware
Backdoor
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

This IRCBot connects to an IRC server at dark.bestunix.org, where it waits for commands from a remote user. The bot is controlled via messages sent to it.


Installation

Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:

  • algose32.exe

This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.

On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:

  • http://www.emr3.net/p[...].exe.

The file downloaded is detected as Backdoor.Win32.IRCBot.WT.


Activity

This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.

To be able to gain access to the backdoor, the remote user must login to the channel and type the password:

When successfully logged in to the BOT, the remote user can do the following IRC commands:

  • Joins/Part an IRC channel
  • Send private/channel messages
  • Change the BOT's nick
  • Quits the IRC server.
  • Checks the BOT's ID and version.
  • Check the up-time of the BOT
  • Logout from the BOT.
  • Update the BOT.

The remote user can also perform the following system commands:

  • Opens/Executes/Downloads files.
  • Port scanning.
  • Access files through a Shell.
  • List/Terminate processes.

Registry

This program creates the following registry key as its auto-start technique:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"

Note: %systemdir% is typically "C:\Windows\system32".







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free