Threat description




A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

This IRCBot connects to an IRC server at, where it waits for commands from a remote user. The bot is controlled via messages sent to it.


Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:

  • algose32.exe

This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.

On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:


The file downloaded is detected as Backdoor.Win32.IRCBot.WT.


This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.

To be able to gain access to the backdoor, the remote user must login to the channel and type the password:

When successfully logged in to the BOT, the remote user can do the following IRC commands:

  • Joins/Part an IRC channel
  • Send private/channel messages
  • Change the BOT's nick
  • Quits the IRC server.
  • Checks the BOT's ID and version.
  • Check the up-time of the BOT
  • Logout from the BOT.
  • Update the BOT.

The remote user can also perform the following system commands:

  • Opens/Executes/Downloads files.
  • Port scanning.
  • Access files through a Shell.
  • List/Terminate processes.

This program creates the following registry key as its auto-start technique:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"

Note: %systemdir% is typically "C:\Windows\system32".

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info