Backdoor.Win32.IRCBot.AAS

Classification

Malware

Backdoor

W32

Backdoor.Win32.IRCBot.AAS

Summary

This IRCBot connects to an IRC server at dark.bestunix.org. After this, the bot waits for commands from a remote user. The bot is controlled via messages sent to it.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as algose32.exe (e.g. C:\Windows\system32\algose32.exe).

This malware connects to dark.bestunix.org IRC server and joins the channel #!e! with a channel password, using a random nickname. It waits for commands from a remote user. To be able to gain access with the BOT, the remote user should login and type the password of the BOT.

When successfully logged in to the BOT, the remote user can do the following IRC commands:

  • Joins/Part an IRC channel
  • Send private/channel messages
  • Change the BOT's nick
  • Quits the IRC server.
  • Checks the BOT's ID and version.
  • Check the up-time of the BOT
  • Logout from the BOT.
  • Update the BOT.

And also, the remote user can do the following system commands:

  • Opens/Executes/Downloads files.
  • Port scanning.
  • Access files through a Shell.
  • List/Terminate processes.

Autostart Mechanism

This IRCBot creates the following registry key as its auto-start technique:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"

NOTE: %systemdir% is normally 'C:\Windows\system32'

Others

This BOT takes advantage of MS06-040. The specially crafted packet is embedded in the body of this IRCBot and is XOR'ed by 99h. The BOT will then wait for a 'Scan' command from a remote user. In this case, the BOT will send this specially crafted packet to all IP addresses that the remote user specified to the BOT.

The payload of the packet is that, it downloads a file from a URL and executes it. The URL that this BOT downloads the file from is http://www.emr3.net/p[removed].exe. The file uploaded on the said link is currently detected as Backdoor.Win32.IRCBot.wt

Date Created: -

Date Last Modified: -