Threat Description



Aliases: Novabot, Backdoor.IRC.Cloner



We have been monitoring the IRC network created by Novabot. During the last 10 hours of the 22nd of January, we saw close to 3000 bots from different IP addresses joining the attack network (although no more than 1000 of them can be accessible at a time, as the IRC server has a thousand-user limit). Around 21:00 GMT the IP address of the IRC server changed to - making the server inaccessible. Before this we witnessed a person actively sending commands to the bots over the IRC channel. We will continue to monitor the situation.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

The IRC backdoor allows remote control of the system via an IRC channel. Upon request, the IRC part can be asked to scan a block of IP addresses from an infected machine. The scan attempts to connect to each IP address using a predefined list of username and password combinations, as follows:

	Username	Password
	Administrator	empty
	Administrator	admin
	Administrator	administrator
	root		root
	admin		admin
	administrator	test
	test		test
	administrator	test123
	administrator	temp
	administrator	pass
	administrator	password
	administrator	changeme

If authentication passes, "files.exe" is executed on the remote machine, thus infecting it.
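
A defender-side view of the credential sweep described above, as an added example that is not F-Secure's code: it flags sources whose failed logons within a short window use only the account names from the table, and records whether a successful logon followed. The log format, sample lines, window and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names from the advisory's credential table, compared case-insensitively.
LISTED_ACCOUNTS = {"administrator", "root", "admin", "test"}
WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_FAILURES = 4               # assumed threshold, below the table's 12 pairs
MIN_ACCOUNTS = 2               # one mistyped account alone is not a sweep

# Constructed sample in a hypothetical "time,source,account,result" format.
SAMPLE_LOG = """\
2003-01-22T20:10:01,192.0.2.10,Administrator,FAIL
2003-01-22T20:10:02,192.0.2.10,Administrator,FAIL
2003-01-22T20:10:03,192.0.2.10,root,FAIL
2003-01-22T20:10:04,192.0.2.10,admin,FAIL
2003-01-22T20:10:05,192.0.2.10,test,OK
2003-01-22T20:11:00,198.51.100.7,jsmith,FAIL
2003-01-22T20:11:20,198.51.100.7,jsmith,OK
2003-01-22T09:00:00,203.0.113.5,administrator,FAIL
2003-01-22T13:00:00,203.0.113.5,administrator,FAIL
2003-01-22T17:00:00,203.0.113.5,root,FAIL
2003-01-22T21:00:00,203.0.113.5,admin,FAIL
"""

def find_sweeps(log_text):
    """Map source -> finding for sources whose failure burst uses only listed accounts."""
    events = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, src, account, result = line.split(",")
        events[src].append((datetime.fromisoformat(ts), account.lower(), result))
    findings = {}
    for src, rows in events.items():
        rows.sort()
        fails = [(ts, acct) for ts, acct, res in rows if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1  # slide the window forward past stale failures
            accounts = {acct for _, acct in fails[start:end + 1]}
            if (end - start + 1 >= MIN_FAILURES and len(accounts) >= MIN_ACCOUNTS
                    and accounts <= LISTED_ACCOUNTS):
                # A success after the burst means a listed pair worked on this host.
                later_ok = any(res == "OK" and ts >= fails[end][0] for ts, _, res in rows)
                findings[src] = {"accounts": sorted(accounts), "success_after": later_ok}
                break
    return findings
```

A finding with "success_after" set is the case to triage first, since the text above says a passed authentication leads to "files.exe" being executed on that machine.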

The "files.exe" is a setup package that installs the backdoor to "C:\winnt\INF\other" and runs "taskmngr.exe", which is a repacked mIRC client. The mIRC client will then run "nt32.ini" instead of the standard "script.ini" used by the mIRC client.

After that, the backdoor connects to the IRC server and joins the predefined channel. It generates a random nickname for each infected machine (consisting of four characters and five digits). It sets itself to start on reboot via the registry by adding the following key:


Then the backdoor waits for commands. These commands include the ability to download and execute programs.

To operate, the backdoor uses a set of scripts and binary files, as follows:

	hide.exe	Tool used to hide application
	mdm.exe		Tool used to hide application
	psexec.exe	Remote execution tool
	taskmgr.exe	Repacked mIRC client
	backup.bat	Batch script that attempts to infect remote host
	nt32.ini	Main mIRC script
	remote.ini	mIRC script that connects the server
	seced.bat	Batch file
	start.bat	Copies the "files.exe" from the Windows system32
			directory to "C:\winnt\INF\other"
	win32.mrc	mIRC script

F-Secure Anti-Virus detects this backdoor with the current updates.

Technical Details: Katrin Tocheva, Sami Rautiainen and Gergely Erdelyi; F-Secure Corp.; January 22nd, 2003

