
Backdoor:Win32/IRCbot.EM


First posted on 26 May 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/IRCbot.EM is also known as Trojan horse Dropper.Generic2.BPB (AVG), W32/Autorun.worm.g (McAfee), Trojan.Win32.Generic!BT (Sunbelt Software).

Explanation :

Backdoor:Win32/IRCbot.EM is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.

Installation

When executed, Backdoor:Win32/IRCbot.EM copies itself to the %appdata%\Microsoft folder, using the following file name:

windows.exe

Note: %appdata% refers to a variable location that the malware determines by querying the operating system. The default location of the %appdata% folder is C:\Documents and Settings\<user>\Application Data on Windows XP, and C:\Users\<user>\AppData\Roaming on Windows Vista and Windows 7.

It then launches the new copy. It creates the following registry entry to ensure that it is launched at system startup:

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "windows.exe"
With data: "%appdata%\Microsoft\windows.exe"

Because the entry lives under HKCU, it only takes effect for the user account that ran the malware.

Spreads via...

Removable drives

The malware periodically checks whether removable drives are attached and, if so, copies itself as a hidden file to the root folder of the drive, using the file name windows.exe. It also places a hidden autorun.inf file in the root folder of the drive, in an attempt to run the malware when the drive is attached to another system. Once it has done so, the malware reports which drives were infected to the backdoor server (see below).

Payload

Allows backdoor access and control

The malware connects to a remote server at ry4n.no-ip.info, using port 3085, and sends various system information including:

  • User name
  • Computer name
  • Processor type and speed
  • Operating System Version
  • System locale

The backdoor's controller may issue the following commands:

  • Download and execute arbitrary files
  • Update itself
  • Start or stop SYN or UDP based DDoS attacks
  • Send application privileges (Administrator or restricted) and system uptime
  • List running processes
  • Terminate processes
  • List titles and details of open windows
  • Display a message box
  • Stop running
  • Uninstall itself
  • Steal Mozilla Firefox password details
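As an added example (not part of the original analysis), the following Python script turns the indicators above into a triage check: it flags the HKCU Run persistence entry, a hidden windows.exe together with a hidden autorun.inf in a removable-drive root (parsing the .inf for its launch target), and log records that resolve ry4n.no-ip.info or connect to port 3085. The Run-key export, drive listing, autorun.inf text and log lines are constructed inputs, and their formats are assumptions; on a live host you would feed it the real Run-key values, directory listing and logs instead.

```python
"""Triage check for the Backdoor:Win32/IRCbot.EM indicators in the write-up.

Added example; all inputs are constructed stand-ins, nothing here touches
a real registry, drive or network.
"""
import re

# Indicators taken from the write-up above.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "windows.exe"
DROPPED_TAIL = r"\microsoft\windows.exe"   # tail of %appdata%\Microsoft\windows.exe
C2_HOST = "ry4n.no-ip.info"
C2_PORT = 3085

# autorun.inf keys that can launch a program when the drive is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def check_run_key(values):
    """values: {value_name: data} exported from the HKCU ...\\Run key.

    Matches on the launch target's tail, so the entry is caught whether
    the data still says %appdata% or has already been expanded.
    """
    findings = []
    for name, data in values.items():
        target = data.strip().strip('"').lower()
        if target.endswith(DROPPED_TAIL):
            findings.append(f"Run value '{name}' -> {data}")
    return findings


def parse_autorun(text):
    """Return the [autorun] section as {key_lowercase: value}.

    Tolerates blank lines, comments and mixed case, which worm-written
    autorun.inf files commonly contain.
    """
    section, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            section[key.strip().lower()] = val.strip()
    return section


def check_removable_root(listing, autorun_text):
    """listing: [(file_name, is_hidden)] for the root folder of a removable drive."""
    findings = []
    hidden = {name.lower() for name, is_hidden in listing if is_hidden}
    if DROPPED_NAME in hidden:
        findings.append(f"hidden {DROPPED_NAME} in drive root")
    if "autorun.inf" in hidden:
        findings.append("hidden autorun.inf in drive root")
    inf = parse_autorun(autorun_text) if autorun_text else {}
    for key in LAUNCH_KEYS:
        if DROPPED_NAME in inf.get(key, "").lower():
            findings.append(f"autorun.inf {key}={inf[key]}")
    return findings


# Constructed flow format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> ..."
FLOW_RE = re.compile(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def check_network(lines):
    """Flags any line naming the C2 host and any flow to the C2 port."""
    findings = []
    for line in lines:
        if C2_HOST in line.lower():
            findings.append(f"C2 hostname seen: {line.strip()}")
            continue
        m = FLOW_RE.search(line)
        if m and int(m.group(4)) == C2_PORT:
            findings.append(f"flow to port {C2_PORT}: {line.strip()}")
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "windows.exe": r'"%appdata%\Microsoft\windows.exe"',
}
SAMPLE_LISTING = [("photos", False), ("windows.exe", True), ("autorun.inf", True)]
SAMPLE_AUTORUN = r"""[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
open=windows.exe
shell\open\command=windows.exe
"""
SAMPLE_NET = [
    "2010-05-26T09:12:01 dns query A ry4n.no-ip.info from 10.0.0.5",
    "2010-05-26T09:12:02 10.0.0.5:49211 -> 203.0.113.7:3085 tcp SYN",
    "2010-05-26T09:12:05 10.0.0.5:49212 -> 203.0.113.9:443 tcp SYN",
]


def triage(run_key=SAMPLE_RUN_KEY, listing=SAMPLE_LISTING,
           autorun=SAMPLE_AUTORUN, net=SAMPLE_NET):
    """Run all three checks and return the combined list of findings."""
    return check_run_key(run_key) + check_removable_root(listing, autorun) + check_network(net)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The hostname is the strongest of the three network indicators: it is a dynamic DNS name, so the resolved IP address is not stable and should not be used on its own, and port 3085 by itself will collide with unrelated traffic. When collecting the drive listing on a host, remember that both dropped files are hidden, so list with `dir /a` (or `attrib`) rather than a plain `dir`.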


Analysis by David Wood

Last update 26 May 2010