Home / malware Backdoor:Win32/IRCbot.gen!O
First posted on 18 May 2009.
Source: SecurityHomeAliases :
Backdoor:Win32/IRCbot.gen!O is also known as Also Known As:Exploit:Win32/MS08067.gen!A (other), Backdoor.Sdbot.DGAV (BitDefender), Win32/Sdbot.ME (CA), IRC/SdBot (ESET), Backdoor.Win32.SdBot.ldj (Kaspersky), W32/Sdbot.worm (McAfee), W32/SDbot.MBU (Panda), W32/Sdbot-DOM (Sophos), W32.Spybot.Worm (Symantec), Worm.SdBot.AEYK (VirusBuster).
Explanation :
Backdoor:Win32/IRCbot.gen!O is a generic detection for a trojan that allows unauthorized access and control of an affected machine by a remote attacker using IRC. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from an attacker. This particular detection may trigger on variants of several different IRC bot families, including Win32/Pushbot and Win32/Synigh.
Symptoms
Symptoms may vary from one instance of this detection to the next, hence specific symptoms cannot be listed.
Backdoor:Win32/IRCbot.gen!O is a generic detection for a trojan that allows unauthorized access and control of an affected machine by a remote attacker using IRC. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from an attacker. This particular detection may trigger on variants of several different IRC bot families, including Win32/Pushbot and Win32/Synigh. While the specific behaviors of malware reported by this detection may vary from one instance to the next, we provide the following details as an example of malware that may be detected with this name.
Installation
When executed, Backdoor:Win32/IRCbot.gen!O may create a copy of itself in the <system folder> or the <system folder>drivers directory, with a variable file name, for example;<system folder>driversdelsrv.exe Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP and Vista is C:WindowsSystem32. It may then make a number of registry modifications for its own use (continuing our previous example): Sets value: ".ZAC."
With data: "<system folder>driversdelsrv.exe"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell Extensions Sets value: ".ZAN."
With data: "<time and date of installation>"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsSpreads Via…Logical and Removable DrivesSome variants of Backdoor:Win32/IRCbot.gen!O may attempt to spread to logical or removable drives. They place themselves in the RECYCLER folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached. Our example variant created the following files when attempting to spread in this manner:<Targeted Drive>:
ecyclers-53-6-22-3434476501-1644491937-600003330-1213delserv.exe (a copy of itself)<Targeted Drive>:
ecyclers-53-6-22-3434476501-1644491937-600003330-1213desktop.ini<Targeted Drive>:autorun.inf Exploit/Network SharesUpon receiving IRC commands via the backdoor (see Payload section below for additional detail) Backdoor:Win32/IRCbot.gen!O can spread to remote computers by exploiting one or more Windows vulnerabilities, for example MS04-011 or MS08-067.
Backdoor:Win32/IRCbot.gen!O may also spread via network shares by attempting to access the following shares:
d$windowssystem32c$
d$winntsystem32
c$windowssystem32
c$winntsystem32
Admin$system32
Admin$
Ipc$
using a list of predefined weak passwords (for example): server
asdfgh
password
access
pass1234
administrador
654321
123456
12345
admin
administrator
Payload
Modifies System Security SettingsBackdoor:Win32/IRCbot.gen!O may attempt to lower security settings on an affected machine by making a number of modifications to the registry, for example:Sets value: "SFCDisable"
With data: "4294967197"
To subkey: HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon Sets value: "WaitToKillServiceTimeout"
With data: "7000"
To subkey HKLMSYSTEMCurrentControlSetControl Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem Sets value: "UpdatesDisableNotify"
With data: "1"
To subkey: HKLMSOFTWAREMicrosoftSecurity Center Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLMSOFTWAREPoliciesMicrosoftWindowsFirewallDomainProfile Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLMSOFTWAREPoliciesMicrosoftWindowsFirewallStandardProfile Sets value: "AUOptions"
With data: "1"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto Update Sets value: "Start"
With data: "4"
To subkey: HKLMSYSTEMCurrentControlSetServiceswscsvc Sets value: "Start"
With data: "4"
To subkey: HKLMSYSTEMCurrentControlSetServicesTlntSvr Sets value: "Start"
With data: "4"
To subkey: HKLMSYSTEMCurrentControlSetServicesRemoteRegistry Sets value: "Start"
With data: "4"
To subkey: HKLMSYSTEMCurrentControlSetServicesMessenger Sets value: "restrictanonymous"
With data: "1"
To subkey: HKLMSYSTEMCurrentControlSetControlLsa Sets value: "AutoShareWks"
With data: "1"
To subkey: HKLMSYSTEMCurrentControlSetServiceslanmanserverparameters Sets value: "AutoShareWks"
With data: "1"
To subkey: HKLMSYSTEMCurrentControlSetServiceslanmanworkstationparameters Sets value: "DoNotAllowXPSP2"
With data: "1"
To subkey: HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdate Sets value: "EnableDCOM"
With data: "n"
To subkey: HKLMSoftwareMicrosoftOLE Sets value: "DontReportInfectionInformation"
With data: "1"
To subkey: HKLMSOFTWAREPoliciesMicrosoftMRT Backdoor FunctionalityBackdoor:Win32/IRCbot.gen!O allows unauthorized access and control of an affected machine. In the wild, our example variant contacted the following IRC servers in order to receive instruction from a remote attacker:www.KUTLUFAMILY.COMwww.BALDMANPOWER.ORG Backdoor commands can include actions such as:Scanning for unpatched computers on the network Scanning files on the systems and check certain DLLs are loaded Scanning ports on the network. Downloading and executing remote files. Monitoring network traffic. Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers. Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, network connection information, and IE start page configuration. Retrieving CD keys of games. Uploading/downloading files through FTP. Manipulating processes and services. Conducting denial of service (DoS) attacks. Additional InformationBackdoor:Win32/IRCbot.gen!O may contact additional remote hosts. For example, one variant was observed in the wild contacting the following domains:proxy.us.pl nassc.com For more information, please see the Win32/Pushbot and Win32/Synigh descriptions elsewhere in our encyclopedia.
Analysis by Lena LinLast update 18 May 2009