
Backdoor.IRC.Spup.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Backdoor.IRC.Spup.A is also known as Backdoor.IRC.Mox (Kaspersky).

Explanation:

Infection succeeds by exploiting the Web Server Folder Traversal vulnerability in Microsoft IIS 4.0 and 5.0 described in Microsoft Security Bulletin MS00-078. Microsoft has had a patch available for this issue since August 2000.
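The vulnerability named above is the IIS Unicode directory-traversal flaw: IIS checked a request path for `..` before decoding overlong UTF-8 byte sequences such as `%c0%af`, which the later decoding step turned into a path separator. The following detection routine is an added example, not part of the BitDefender entry. It scans web-server log lines for that signature: a two-byte UTF-8 sequence that non-canonically encodes `/` or `\`, and a decoded path that climbs above the web root. The log lines are constructed sample input, and the field layout (date, time, client IP, method, URI stem, status) is an assumption about the log format, not taken from the entry.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in an IIS-like W3C layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2000-11-01 10:00:01 198.51.100.7 GET /default.asp 200
2000-11-01 10:00:02 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2000-11-01 10:00:03 198.51.100.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe 200
2000-11-01 10:00:04 198.51.100.3 GET /images/logo.gif 304
2000-11-01 10:00:05 198.51.100.5 GET /scripts/../../winnt/system32/cmd.exe 404
"""


def decode_separators(raw: bytes):
    """Canonicalize a percent-decoded path the way a lenient decoder would.

    Overlong two-byte UTF-8 encodings of '/' (0x2F) or '\\' (0x5C) and literal
    backslashes all become '/'. Canonical UTF-8 never spends two bytes on an
    ASCII character, so seeing one is itself a signal. Returns
    (canonical_path, overlong_seen).
    """
    out = bytearray()
    overlong = False
    i = 0
    while i < len(raw):
        b0 = raw[i]
        if 0xC0 <= b0 <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            code_point = ((b0 & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if code_point in (0x2F, 0x5C):
                out.append(0x2F)
                overlong = True
                i += 2
                continue
        out.append(0x2F if b0 == 0x5C else b0)
        i += 1
    return out.decode("latin-1"), overlong


def escapes_webroot(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_log(text: str):
    """Return (client_ip, uri_stem, reasons) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip header or malformed lines
        client_ip, uri_stem = parts[2], parts[4]
        canonical, overlong = decode_separators(unquote_to_bytes(uri_stem))
        reasons = []
        if overlong:
            reasons.append("overlong-utf8-separator")
        if escapes_webroot(canonical):
            reasons.append("traversal-outside-webroot")
        if reasons:
            findings.append((client_ip, uri_stem, reasons))
    return findings


if __name__ == "__main__":
    for ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(reasons)}")
```

The two signals are reported separately on purpose: a plain `../..` request that the server already rejected (the 404 line) is still worth an alert as reconnaissance, while an overlong-encoded separator on a server of this vintage indicates an attempt against this specific decoding bug and should be triaged first.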

A file, c:\Winnt\project\By.eXe, is uploaded to the infected computer and executed. When run, it unpacks a mIRC executable, a second executable used to hide the mIRC window, a moo.dll file that provides functions for inspecting the computer, and the script files.

The viral code lies only in the script files that mIRC loads. A registry key is also created to ensure mIRC runs every time the victim machine boots:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Subkey: byeXe
Value: c:\Winnt\project\By.eXe
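A responder checking a machine for this persistence entry would typically work from an exported copy of the Run key. The following checker is an added example, not part of the BitDefender entry: it parses the REGEDIT5 text that `reg export` produces and flags any Run value whose name or target matches the indicators listed above (value name byeXe, path c:\Winnt\project\By.eXe). The export text is constructed sample input, and the benign "ExampleUpdater" entry in it is invented filler.

```python
import re

# Indicators taken from the description above. Matching is case-insensitive
# because the registry is.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "byexe"
IOC_PATH = r"c:\winnt\project\by.exe"

# Constructed sample of a `reg export` of the Run key. The .reg format doubles
# backslashes inside string data, which is why they appear twice here.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"
"byeXe"="c:\\Winnt\\project\\By.eXe"
"""

# One REG_SZ line: "name"="data", with backslash escapes inside either string.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif current is not None and line.startswith('"'):
            match = _VALUE_LINE.match(line)
            if match:
                entries[current][_unescape(match.group(1))] = _unescape(match.group(2))
    return entries


def find_spup_persistence(text: str):
    """Return (value_name, data) pairs in the Run key that match the indicators.

    The path comparison uses startswith so that a value carrying appended
    command-line arguments is still caught.
    """
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        target = data.strip('"').lower()
        if name.lower() == IOC_VALUE_NAME or target.startswith(IOC_PATH):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_spup_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data}")
```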

This is an excellent example of a distributed attack: the infected machines connect to the IRC server qwe.pups.net.ru on a non-standard port. They join the channel #c0de54135 on that server and read the channel topic, which tells them what to do: flood or port-scan specific servers. The channel operator, or a user who authenticates himself to the victims' IRC clients, can also post commands to the victim computers.

This is a dangerous backdoor because it uses *all* the infected machines to attack the same target computer at the same time. The author also included an ICQ routine so that infected machines can contact him. The virus attempts to auto-update from an FTP server.

Last update 21 November 2011
