
Backdoor:Win32/IRCbot.FL


First posted on 09 August 2011.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:Win32/IRCbot.FL.

Explanation :

Backdoor:Win32/IRCbot.FL allows unauthorized access and control of an infected computer by connecting to an IRC server and awaiting commands that are issued by a remote attacker. For example, it may be commanded to download and execute arbitrary files or participate in Distributed Denial of Service attacks. The malware also spreads to shared drives as a file named "debug.exe" and terminates a security process.

Installation

When run, Backdoor:Win32/IRCbot.FL copies itself to %appdata%\winlogon.exe with the 'read only', 'hidden' and 'system' file attributes set, and launches the new copy. Note that the file name mimics the legitimate Windows logon process, whose binary lives only in %SystemRoot%\System32; a winlogon.exe under a user's AppData folder is not a legitimate Windows component.

It creates the following registry entries to ensure that it runs at each system start:

In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Sets value: "winlogon"
With data: "%appdata%\winlogon.exe"

Spreads via…
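The following PowerShell is an added example for sweeping a suspect host for the persistence indicators listed above; it is not part of the original advisory and not code from the malware author. It assumes it is run in an elevated prompt on the host being examined. It walks the ten autostart locations, flags a value named "winlogon" or any value whose data points at a winlogon.exe outside %SystemRoot%\System32, and then checks the dropped file and its attributes. HKCU: only covers the user running the script; other users' hives have to be checked separately under HKU:.

```powershell
# Added example (not from the original advisory): sweep the autostart locations
# named above for the "winlogon" value this bot writes, then check the dropped
# copy at %APPDATA%\winlogon.exe. Run from an elevated PowerShell prompt.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)

# Provider metadata that Get-ItemProperty attaches to every key; not real values.
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()

foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this build
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $data = [string]$p.Value
        # Flag the exact value name the bot uses, or any data that launches a
        # winlogon.exe from somewhere other than %SystemRoot%\System32.
        $suspicious = ($p.Name -eq 'winlogon') -or
                      ($data -match '(?i)winlogon\.exe' -and
                       $data -notmatch '(?i)\\System32\\winlogon\.exe')
        if ($suspicious) {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Data = $data }
        }
    }
}

# The dropped copy is written with ReadOnly, Hidden and System set, so -Force is
# needed for Get-Item to return it at all.
$dropped = Join-Path $env:APPDATA 'winlogon.exe'
if (Test-Path -LiteralPath $dropped) {
    $attrs = (Get-Item -LiteralPath $dropped -Force).Attributes
    $findings += [pscustomobject]@{ Location = 'FILE'; Name = $dropped; Data = "Attributes=$attrs" }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Backdoor:Win32/IRCbot.FL persistence indicators found.'
}
```

Because the bot writes the same value into every location it can, a single hit is usually accompanied by several more; removing only the Run entry and leaving, say, ShellServiceObjectDelayLoad in place lets the copy come back at the next logon. Delete the file and every flagged value together, then reboot and re-run the sweep.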

Shared drives

Backdoor:Win32/IRCbot.FL copies itself as "debug.exe" into the root of every shared drive it discovers from the infected computer, for example:

admin$\debug.exe
c$\debug.exe
d$\debug.exe

and so on.



Payload

Backdoor functionality

The malware connects over TCP port 5992 (not the conventional IRC port 6667, so port-based filtering alone will not catch it) to an IRC server at IP address 108.59.254.180 and joins the channel "#indi" using the channel key "3p1cW4r5" (leetspeak for "epicwars"). Once connected, Backdoor:Win32/IRCbot.FL awaits commands from a remote attacker.

Terminates processes

Backdoor:Win32/IRCbot.FL terminates the process "MsMpEng.exe", the antimalware service engine at the core of Microsoft security products including Microsoft Security Essentials and Forefront Endpoint Protection. On a machine where one of those products is installed, an engine that is not running is itself an indicator worth investigating.
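The following PowerShell is an added example, not part of the original advisory, covering the three payload-side and propagation indicators described in the "Spreads via" and "Payload" sections: a live connection to the IRC server, the state of MsMpEng.exe, and debug.exe sitting in the root of administrative shares. The $hosts list is a placeholder to be replaced with your own inventory, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later (older systems can use the netstat line in the comment). It assumes an elevated account that can reach the remote admin shares.

```powershell
# Added example (not from the original advisory): check the C2 connection,
# the antimalware engine, and debug.exe on admin shares. Run elevated.

$c2Address = '108.59.254.180'   # IRC server from the advisory
$c2Port    = 5992               # non-standard IRC port used by this bot
$hosts     = @('localhost')     # assumption: replace with the hosts to sweep

# 1. Live C2 session. Get-NetTCPConnection needs Windows 8 / Server 2012+;
#    on older builds use:  netstat -ano | findstr "108.59.254.180:5992"
$c2 = Get-NetTCPConnection -RemoteAddress $c2Address -RemotePort $c2Port -ErrorAction SilentlyContinue
if ($c2) {
    foreach ($conn in $c2) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        "C2 connection: $($conn.LocalAddress):$($conn.LocalPort) -> $($c2Address):$($c2Port) " +
        "state=$($conn.State) pid=$($conn.OwningProcess) ($($proc.ProcessName))"
    }
} else {
    "No connection to $($c2Address):$($c2Port) at this moment (the bot may be between reconnects)."
}

# 2. The bot kills MsMpEng.exe. Where Security Essentials / Forefront is
#    installed, a stopped engine is an indicator in its own right.
$engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
if ($engine) {
    "MsMpEng.exe running (pid $($engine.Id))"
} else {
    'MsMpEng.exe is NOT running'
}

# 3. Lateral spread: debug.exe in the root of each admin share. ADMIN$ maps to
#    %SystemRoot%, so that copy lands as \\host\admin$\debug.exe. The legitimate
#    16-bit debug.exe on 32-bit Windows lives in System32, never in a share root.
foreach ($h in $hosts) {
    foreach ($share in @('admin$', 'c$', 'd$')) {
        $path = "\\$h\$share\debug.exe"
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $f = Get-Item -LiteralPath $path -Force
            "Found $path  size=$($f.Length)  written=$($f.LastWriteTime)"
        }
    }
}
```

The share sweep only tells you where a copy has been dropped; a dropped debug.exe has not necessarily been executed on that host, so follow each hit with the persistence sweep from the Installation section on the host in question. For network-side detection, the IRC JOIN for "#indi" with the key "3p1cW4r5" is a cleaner signature than the IP address alone, since the channel key is sent in cleartext and the server address can change between builds.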

Vincent Tiu

Last update 09 August 2011
