Upon execution, this malware drops a copy of itself in the following directory:
• %windir%\livemessenger.com
Note: %windir% is typically C:\Windows
It also displays the following:

There is no picture; the message is false and is used as a decoy.
It sets itself to start automatically by adding the following registry entries:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update = livemessenger.com
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Update = livemessenger.com
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Microsoft Update = livemessenger.com
It disables the Task Manager and the Registry Editor by setting the following:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 00000001
DisableRegistrytools = 00000001
This backdoor has keylogging capabilities and saves all the data to the following location:
Like many other typical Bots, it connects to a server on port 1863 and waits for a command from a remote hacker.
IRCBot attempts to connect to the following site:
• http://msg.sig-clan.com
This Bot has the following commands:
• Download and execute files
• Get the Bot's up-time
• Join/Quit IRC channel
• Key-logging
• Kill processes
• Send private message on IRC
• Spread the Bot via MSN messenger
• Update the Bot
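
A read-only host check for the indicators listed in this description (dropped file, autostart values, policy values, port 1863), added here as an example; it is not part of the original description. The variable names are this example's own, and Get-NetTCPConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only check for the indicators named in this description.
$dropName  = 'livemessenger.com'   # dropped copy (from the description)
$valueName = 'Microsoft Update'    # autostart value name (from the description)
$port      = 1863                  # remote port (from the description)
$base      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
$findings  = @()

# 1. Dropped copy in %windir%
$dropPath = Join-Path $env:windir $dropName
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $findings += [pscustomobject]@{ Check = 'Dropped file'; Detail = $dropPath }
}

# 2. Autostart values under Run, RunOnce and RunOnceEx
foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
    $key  = "$base\$sub"
    $data = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($data -like "*$dropName*") {
        $findings += [pscustomobject]@{
            Check  = 'Autostart'
            Detail = ('{0} -> {1} = {2}' -f $key, $valueName, $data)
        }
    }
}

# 3. Policy values that disable Task Manager and the Registry Editor
foreach ($name in 'DisableTaskMgr', 'DisableRegistrytools') {
    $value = (Get-ItemProperty -Path "$base\Policies\System" -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) {
        $findings += [pscustomobject]@{ Check = 'Policy'; Detail = "$name = 1" }
    }
}

# 4. Established connections to remote port 1863. Legitimate MSN Messenger
#    clients use the same port, so the owning process is what matters.
$conns = Get-NetTCPConnection -RemotePort $port -State Established -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'Port 1863'
        Detail = ('{0}:{1} pid {2} ({3})' -f $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $proc.Path)
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else {
    Write-Output 'None of the listed indicators were found.'
}
```

Because the malware disables Task Manager and the Registry Editor, running the check from a PowerShell prompt avoids depending on either tool.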