A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
This IRCBot connects to an IRC server at dark.bestunix.org, where it waits for commands from a remote user. The bot is controlled via messages sent to it.
Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:
This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.
On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:
The file downloaded is detected as Backdoor.Win32.IRCBot.WT.
This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.
To be able to gain access to the backdoor, the remote user must login to the channel and type the password:
When successfully logged in to the BOT, the remote user can do the following IRC commands:
The remote user can also perform the following system commands:
This program creates the following registry key as its auto-start technique:
Note: %systemdir% is typically "C:\Windows\system32".