A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
This IRCBot connects to an IRC server at dark.bestunix.org, where it waits for commands from a remote user. The bot is controlled via messages sent to it.
Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as:
This program takes advantage of the MS06-040 vulnerability. A specially crafted packet is embedded in the body of the program and is XOR'ed by 99h. The program will then wait for a "Scan" command from a remote user.
On receiving the command, the program sends the packet to all IP addresses that the remote user specifies. The payload of the packet is that it downloads a file from a URL and executes it. The URL the file is downloaded from is:
The file downloaded is detected as Backdoor.Win32.IRCBot.WT.
This malware connects to an IRC server and joins the password-protected channel #!e!, using a random nickname. It then waits for commands from a remote user.
To be able to gain access to the backdoor, the remote user must login to the channel and type the password:
When successfully logged in to the BOT, the remote user can do the following IRC commands:
The remote user can also perform the following system commands:
This program creates the following registry key as its auto-start technique:
Note: %systemdir% is typically "C:\Windows\system32".
Date Created: -
Date Last Modified: -