This IRCBot connects to an IRC server at dark.bestunix.org. After this, the bot waits for commands from a remote user. The bot is controlled via messages sent to it.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as algose32.exe (e.g. C:\Windows\system32\algose32.exe).
This malware connects to dark.bestunix.org IRC server and joins the channel #!e! with a channel password, using a random nickname. It waits for commands from a remote user. To be able to gain access with the BOT, the remote user should login and type the password of the BOT.
When successfully logged in to the BOT, the remote user can do the following IRC commands:
And also, the remote user can do the following system commands:
This IRCBot creates the following registry key as its auto-start technique:
NOTE: %systemdir% is normally 'C:\Windows\system32'
This BOT takes advantage of MS06-040. The specially crafted packet is embedded in the body of this IRCBot and is XOR'ed by 99h. The BOT will then wait for a 'Scan' command from a remote user. In this case, the BOT will send this specially crafted packet to all IP addresses that the remote user specified to the BOT.
The payload of the packet is that, it downloads a file from a URL and executes it. The URL that this BOT downloads the file from is http://www.emr3.net/p[removed].exe. The file uploaded on the said link is currently detected as Backdoor.Win32.IRCBot.wt
Date Created: -
Date Last Modified: -