Novabot

The IRC backdoor allows remote control of the system via a IRC channel. Upon request, the IRC part can be asked to scan a block of IP addresses from an infected machine. The scanning attempts to connect each IP addess using a predefined list of username and password combinations as follows:

Username Password Administrator empty Administrator admin Administrator administrator root root admin admin administrator test test test administrator test123 administrator temp administrator pass administrator password administrator changeme

If authentication passes, the "files.exe" is executed on the remote machine thus infecting it.

The "files.exe" is a setup package, that installs the backdoor to "C:\winnt\INF\other" and runs "taskmngr.exe" which is a repacked mIRC client. The mIRC client will then run "nt32.ini" instead of standard "script.ini" used by mIRC client.

After that the backdoor connects to the IRC server and joins the predefined channel. It generates a random nickname for each infected machine (consisting of four characters and five digits). It sets itself to start on the reboot via registry by adding the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Run32dll

Then the backdoor waits for commands. These commands include ability to download and execute programs.

To operate the backdoor uses set of scripts and binary files, as follows:

hide.exe Tool used to hide application mdm.exe Tool used to hide application psexec.exe Remote execution tool taskmgr.exe Repacked mIRC client backup.bat Batch script that attempts to infect remote host nt32.ini Main mIRC script remote.ini mIRC script that connects the server seced.bat Batch file start.bat Copies the "files.exe" from the Windows system32 directory to "C:\winnt\INF\other" win32.mrc mIRC script

F-Secure Anti-Virus detects this backdoor with the current updates.