Home / malwarePDF  

Backdoor.Win32.IRCBot.AAS


First posted on 27 April 2007.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor.Win32.IRCBot.AAS.

Explanation :

This IRCBot connects to an IRC server at dark.bestunix.org. After this, the bot waits for commands from a remote user. The bot is controlled via messages sent to it.

Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as algose32.exe (e.g. C:Windowssystem32algose32.exe). This malware connects to dark.bestunix.org IRC server and joins the channel #!e! with a channel password, using a random nickname. It waits for commands from a remote user. To be able to gain access with the BOT, the remote user should login and type the password of the BOT.



When successfully logged in to the BOT, the remote user can do the following IRC commands:
And also, the remote user can do the following system commands:


Autostart Mechanism

This IRCBot creates the following registry key as its auto-start technique:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Offices Monitorse = "%systemdir%algose32.exe"

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
Offices Monitorse = "%systemdir%algose32.exe"

NOTE: %systemdir% is normally 'C:Windowssystem32'


Others

This BOT takes advantage of MS06-040. The specially crafted packet is embedded in the body of this IRCBot and is XOR'ed by 99h. The BOT will then wait for a 'Scan' command from a remote user. In this case, the BOT will send this specially crafted packet to all IP addresses that the remote user specified to the BOT.

The payload of the packet is that, it downloads a file from a URL and executes it. The URL that this BOT downloads the file from is http://www.emr3.net/p[removed].exe. The file uploaded on the said link is currently detected as Backdoor.Win32.IRCBot.wt

Last update 27 April 2007

 

TOP

Malware :

Family: