Summary

IRC Backdoor (generic description)

An IRC backdoor is usually a standalone file that copies its file to Windows or Windows System folder and creates a Registry key to start that file during every Windows session. Also some IRC backdoors modify WIN.INI and SYSTEM.INI files or copy themselves to startup folders for different users. Some IRC backdoors replace INI scripts of an IRC client (mostly mIRC).

Disinfection

Additional Details

When an IRC backdoor is run, it established connection to an IRC server or waits until a user connects to IRC (mIRC script-based backdoor). A backdoor then creates a bot in a specific channel on a specific IRC server. An IRC bot acts as a backdoor server interface. An IRC client in this case acts as a backdoor client. A hacker can give commands to an IRC bot using IRC interface.

Most of advanced IRC backdoors allow to get a limited access to an infected system and to modify, upload, download and run files. Some IRC backdoors have additional functionalities that allow a hacker to perform malicious actions in IRC channels and in some cases can allow an attacker to completely take over an IRC channel.

Most famous IRC backdoors: SDBot, Roron, Nymph. Writeup: Alexey Podrezov, July 14th, 2003;

Description Updated: Alexey Podrezov, May 24th, 2004;