Flood is a family of script-based backdoors that operate with a modified IRC client application and a set of utilities. Quite often these backdoors are spread in self-extracting archives and customized installation packages. F-Secure Anti-Virus detects over 40 different Flood backdoor variants.
Disinfection of a Flood backdoor is simple: delete (or rename, if deleting fails) all infected files and restart the computer.
The backdoor is basically an IRC script that operates with a modified IRC client, usually mIRC. The backdoor can use external utilities for its needs. A hacker can control the backdoor by sending specific commands to it. The latest backdoor variants can perform the following actions:
- open a file server on an infected computer
- give OP to a specific user or everyone
- change channel mode
- give VOICE to a specific user or everyone
- deOP a specific user or everyone
- deVOICE a specific user or everyone
- add a user to autoOP list
- add a user to autoVOICE list
- delete user from a channel list
- add aliases
- change IRC server
- add server to a server list
- reconnect to a server
- join or part a specific channel
- join or part a specific channel in a cycle
- kick a specific user from a channel
- show backdoor info
- ban a specific user from a channel
- set specific variable
- change nickname
- show backdoor version
- show backdoor credits
- send messages
- get channel statistics
- clear server list
- remove specific variable
Some commands will only work if an infected IRC user has an OP or high rank in a specified channel.
Technical Details: Alexey Podrezov, January 13th, 2003