Flood

ALIAS: Backdoor.IRC.Flood, IRC/Flood

Summary

Flood is a family of script-based backdoors that operate with a modified IRC client application and a set of utilities. Quite often these backdoors are spread in self-extracting archives and customized installation packages. F-Secure Anti-Virus detects over 40 different Flood backdoor variants.

Disinfection

Disinfection of the Flood backdoor is simple: delete or rename (if deleting fails) all infected files and restart your computer.

Additional Details

The backdoor is basically an IRC script that operates with a modified IRC client, usually mIRC. The backdoor can use external utilities for its needs. A hacker can control the backdoor by sending specific commands to it. The latest backdoor variants can perform the following actions:

 - open a file server on an infected computer
 - give OP to a specific user or everyone
 - change channel mode
 - give VOICE to a specific user or everyone
 - deOP a specific user or everyone
 - deVOICE a specific user or everyone
 - add a user to autoOP list
 - add a user to autoVOICE list
 - delete a user from a channel list
 - add aliases
 - change IRC server
 - add server to a server list
 - reconnect to a server
 - join or part a specific channel
 - join or part a specific channel in a cycle
 - kick a specific user from a channel
 - show backdoor info
 - ban a specific user from a channel
 - set a specific variable
 - change nickname
 - show backdoor version
 - show backdoor credits
 - send messages
 - get channel statistics
 - clear server list
 - remove a specific variable


Some commands work only if the infected IRC user has OP or a high rank in the specified channel.

Technical Details: Alexey Podrezov, January 13th, 2003