Backdoor.Win32.IRCBot.AAS

Classification

Malware

Backdoor

W32

Backdoor.Win32.IRCBot.AAS

Summary

This IRCBot connects to an IRC server at dark.bestunix.org. After this, the bot waits for commands from a remote user. The bot is controlled via messages sent to it.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as algose32.exe (e.g. C:\Windows\system32\algose32.exe).

This malware connects to dark.bestunix.org IRC server and joins the channel #!e! with a channel password, using a random nickname. It waits for commands from a remote user. To be able to gain access with the BOT, the remote user should login and type the password of the BOT.

When successfully logged in to the BOT, the remote user can do the following IRC commands:

  • Joins/Part an IRC channel
  • Send private/channel messages
  • Change the BOT's nick
  • Quits the IRC server.
  • Checks the BOT's ID and version.
  • Check the up-time of the BOT
  • Logout from the BOT.
  • Update the BOT.

And also, the remote user can do the following system commands:

  • Opens/Executes/Downloads files.
  • Port scanning.
  • Access files through a Shell.
  • List/Terminate processes.

Autostart Mechanism

This IRCBot creates the following registry key as its auto-start technique:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Offices Monitorse = "%systemdir%\algose32.exe"

NOTE: %systemdir% is normally 'C:\Windows\system32'

Others

This BOT takes advantage of MS06-040. The specially crafted packet is embedded in the body of this IRCBot and is XOR'ed by 99h. The BOT will then wait for a 'Scan' command from a remote user. In this case, the BOT will send this specially crafted packet to all IP addresses that the remote user specified to the BOT.

The payload of the packet is that, it downloads a file from a URL and executes it. The URL that this BOT downloads the file from is http://www.emr3.net/p[removed].exe. The file uploaded on the said link is currently detected as Backdoor.Win32.IRCBot.wt