An IRC backdoor is usually a standalone file that copies its file
to Windows or Windows System folder and creates a Registry key to
start that file during every Windows session. Also some IRC
backdoors modify WIN.INI and SYSTEM.INI files or copy themselves
to startup folders for different users. Some IRC backdoors
replace INI scripts of an IRC client (mostly mIRC).
When an IRC backdoor is run, it established connection to an IRC
server or waits until a user connects to IRC (mIRC script-based
backdoor). A backdoor then creates a bot in a specific channel on
a specific IRC server. An IRC bot acts as a backdoor server
interface. An IRC client in this case acts as a backdoor client.
A hacker can give commands to an IRC bot using IRC interface.
Most of advanced IRC backdoors allow to get a limited access to
an infected system and to modify, upload, download and run files.
Some IRC backdoors have additional functionalities that allow a
hacker to perform malicious actions in IRC channels and in some
cases can allow an attacker to completely take over an IRC
channel.
Most famous IRC backdoors: SDBot, Roron, Nymph.
Disinfection
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is
automatically removed by F-Secure Anti-Virus (FSAV) starting from
version 5.40. Malware files get automatically renamed by FSAV, so
they can not be started any more. In some rare cases, when
automatic disinfection is not possible, a user can select
disinfection action by him/herself to make FSAV rename or delete
an infected file. In some special cases it is recommended to use
specific disinfection tools provided by F-Secure. They can be
downloaded from our ftp site:
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can be also
downloaded and installed manually from our web or ftp sites:
To manually disinfect standalone malware (backdoors, worms,
trojans, etc.) it's usually enough to delete all infected files
from a computer and to restart it. Active malware files are
usually locked by operating system so different disinfection
approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is
recommended only for advanced users.
Windows 95, 98, ME
If Windows 9x operating system is used, it is recommended to
restart a computer from a bootable system diskette and to delete
an infected file from command prompt. For example if a malicious
file named ABC.EXE is located in Windows folder, it is usually
enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone.
Windows NT, 2000, XP
If Windows NT, 2000 or XP is used, a malicious file has to be
renamed with a different extension (for example .VIR) and then a
system has to be restarted. After restart a renamed malicious
file will no longer be active and it can be easily deleted
manually.
System Restore issue
If Windows ME or XP is used, it is recommended to disable System
Restore feature of these operating systems to prevent a computer
from re-infection by an already removed malware. The fact is that
System Restore feature of these operating systems might save an
infected file into the special folder and copy it back to a hard
drive it every time it's been renamed or deleted by F-Secure
Anti-Virus or by a user. Instructions on how to disable System
Restore feature are here:
It is recommended to re-enable System Restore after disinfection
in order to restore stable system configuration in the future,
if any crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. We
have guidelines for sending virus samples, hoaxes and
virus-related questions to F-Secure Viruslab published here:
![](/images/pixel.gif"){kind=tracking}
