A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
This IRCBot connects to an IRC server at dark.bestunix.org, where it waits for commands from a remote user. The bot is controlled via messages sent to it.
Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:
This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.
On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:
The file downloaded is detected as Backdoor.Win32.IRCBot.WT.
This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.
To be able to gain access to the backdoor, the remote user must login to the channel and type the password:
When successfully logged in to the BOT, the remote user can do the following IRC commands:
- Joins/Part an IRC channel
- Send private/channel messages
- Change the BOT's nick
- Quits the IRC server.
- Checks the BOT's ID and version.
- Check the up-time of the BOT
- Logout from the BOT.
- Update the BOT.
The remote user can also perform the following system commands:
- Opens/Executes/Downloads files.
- Port scanning.
- Access files through a Shell.
- List/Terminate processes.
This program creates the following registry key as its auto-start technique:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
Note: %systemdir% is typically "C:\Windows\system32".