A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Backdoor:W32/IRCBot.ET is a variant of a bot that spreads by exploiting the known Plug and Play service (MS05-039) vulnerability. It is a packed PE executable file 51326 bytes long.
The bot was first found on August 16th, 2005.
When run, the worm copies itself to the %SYSTEM% directory using the name 'windrg32.exe'. It then adds the following registry entries to ensure that it is started when a user logs on or the system is restarted:
The worm scans for systems vulnerable to the Microsoft Windows Plug and Play service (MS05-039) vulnerability over TCP port 445. Please see the following page for detailed information on the vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
The following ports are used in the attack:
The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to execute the following actions:
IRCBot.ET also tries to uninstall some other malware and adware by deleting files and folders and removing registry keys. The worm tries to terminate the following processes:
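The TCP/445 sweep described above is the most visible network-side symptom of this bot: one internal host opens connections to many distinct hosts on port 445 within a short time, whereas a normal SMB client talks repeatedly to a handful of file servers. The script below is an added example, not part of the original F-Secure description, showing how a defender can pick that pattern out of firewall or flow logs. The log format (timestamp, source, destination, destination port, action) and the sample records are constructed for the example; the threshold and window are assumptions to tune for your own network.

```python
"""Flag hosts that sweep TCP/445 the way an MS05-039 worm does.

Added example (not from the original page). Reads firewall-style connection
records and reports any source that contacts at least `threshold` distinct
hosts on port 445 within any `window` of time. The log layout and the sample
records are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one host sweeping 445, one normal SMB client, one web client."""
    base = datetime(2005, 8, 16, 10, 0, 0)
    lines = []
    # Infected host (constructed address): 40 distinct targets on 445 in 40 seconds.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.1.{i + 1} 445 SYN")
    # Normal client: repeated connections to a single file server on 445.
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 10.0.2.10 445 SYN")
    # Web client: many destinations, but on port 80 (must not be flagged).
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.8 198.51.100.{i + 1} 80 SYN")
    return lines


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport); assumed field layout."""
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_sweepers(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: max distinct port-445 targets in any window} for sources
    that reach `threshold` or more distinct targets inside `window`."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:  # only SMB/RPC traffic matters for this indicator
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        distinct = defaultdict(int)  # dst -> number of events in the current window
        left = 0
        best = 0
        for ts, dst in events:
            distinct[dst] += 1
            # Slide the left edge forward until every event is within `window`.
            while ts - events[left][0] > window:
                old = events[left][1]
                distinct[old] -= 1
                if distinct[old] == 0:
                    del distinct[old]
                left += 1
            best = max(best, len(distinct))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_smb_sweepers(build_sample_log()).items():
        print(f"{src}: {n} distinct hosts on TCP/445 within one window")
```

The sliding window keeps the check linear in the number of records, and counting distinct destinations (rather than raw connection attempts) is what separates a propagating worm from a busy but legitimate SMB client. A host that trips this check is a candidate for the host-side indicators listed on this page (the 'windrg32.exe' copy and its registry entries).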
Removes these files:
Deletes these values: