Backdoor:W32/IRCBot.BNS

These tools allow for the control of a victim's computer remotely by sending specific commands via IRC channels. Also, these backdoors can steal data and spread to computers vulnerable to exploits.

The backdoor's file is a PE executable about 1.3 megabytes long, packed with Themida file compressor.

When the backdoor's file is started, it copies itself as a file named winupdate.exe to the Windows System folder and then creates the following startup key value in the Registry:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winupdate" = "winupdate.exe"

When the backdoor is active, it connects to an IRC server, joins a certain channel, and acts as a bot there.

The following IRC server and ports is used by the backdoor:

• 72.20.15.41:6667

The backdoor joins the following password-protected IRC channel:

• #~>|EBoT|<~

A hacker can send commands to the bots to control infected computers. Several tasks can be performed, including the following:

• Start FTP server
• Perform ping, SYN, ICMP and UDP flooding
• Get system information including OS, network and drives
• Update the backdoor's software
• Operate the backdoor's bot (nick change, join channels et cetera)
• Redirect traffic (proxy)
• Steal CD keys for popular games
• Download and execute files
• Log keystrokes
• Scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

• Weak Windows share passwords
• Weak VNC passwords port 5900
• ASN.1 (MS04-007) ports 80, 139, 445
• WKSSVC (MS03-049) port 135
• Symantec Antivirus and Client Security vulnerability ports 2967, 2968