
Backdoor.IRC.Sticy.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Backdoor.IRC.Sticy.A.

Explanation:

This IRC backdoor has been sent to many addresses in email messages like the following:

Reply-to:
From: "The Company Of BitDefender"
Subject: BitDefender Company
Date: Tue, 18 Jan 2005 05:30:14 -0800

Hello,
We send you the best antivirus BitDefender ... please copy the software and have more security
on your computer;
Please copy this product from http://www.[...].ro/ and send us an email at
support@bitdefender.com and we can give you your cdkey product to register it!

Download Link1 : http://www.[...].ro/Film.exe
Download Link2 : http://www.[...].ro/Poze.exe

Greetings Tnx to : John Myle , Goordon Freeman & Bitman Forgivn

Film.exe is a WinRAR self-extracting archive; when run, it extracts mIRC (a popular IRC client), the evil mIRC scripts and two DLLs (one for encryption/decryption and one for process/window hiding) in C:WINDOWSinfdigital, runs the extracted file taskmgr.exe (mIRC) and hides its window and its process (from the Windows 9x Task Manager).

The scripts cause mIRC to connect to Undernet (with a nick chosen randomly from a list in nick.db and a hardcoded name that advertises a website) and join two channels; it accepts commands from an authenticated user; these commands include:

- setting voice/op/ban rights for other users on specified channels;
- sending messages to other users;
- even a "help" command that reports the accepted commands.

The script also modifies win.ini to run the perverted mIRC at startup.
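A check for the win.ini persistence described above, added here as an example and not part of the advisory: it reads the run= and load= keys of the [windows] section and flags any startup program that carries the name of a genuine system tool (such as taskmgr.exe) but is launched from outside the Windows system directories. The win.ini excerpt, its path and the directory and tool-name lists are constructed for the example.

```python
import ntpath

# Constructed win.ini excerpt modelled on the advisory: a renamed copy of
# mIRC (taskmgr.exe) is launched from a sub-folder of C:\WINDOWS via run=.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\inf\\digital\\taskmgr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Directories from which genuine Windows 9x system tools are launched (assumed).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system", "c:\\windows\\system32"}
# A program carrying one of these names outside SYSTEM_DIRS is a masquerade.
SYSTEM_TOOL_NAMES = {"taskmgr.exe", "explorer.exe", "winlogon.exe"}

def startup_entries(ini_text):
    """Return [(key, path), ...] for run=/load= programs in [windows]."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep:
            continue
        if key.strip().lower() in ("run", "load"):
            # Both keys accept several programs separated by commas or spaces.
            entries += [(key.strip().lower(), p)
                        for p in value.replace(",", " ").split()]
    return entries

def suspicious_entries(ini_text):
    """Classify every startup program; masquerades are the strongest signal."""
    flagged = []
    for key, path in startup_entries(ini_text):
        directory, name = (s.lower() for s in ntpath.split(path))
        if name in SYSTEM_TOOL_NAMES and directory not in SYSTEM_DIRS:
            reason = "masquerades as system tool"
        elif directory not in SYSTEM_DIRS:
            reason = "outside system directories"
        else:
            reason = "startup entry"
        flagged.append((key, path, reason))
    return flagged
```

On a clean Windows 9x install both keys are normally empty, so any entry at all deserves a look; the masquerade reason is the one that matches this backdoor's install.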

Most of the nicks in the list are Romanian. Texts in the script are in Romanian. The people on the channels joined by the infected users are Romanian. The origin is obvious.

Last update 21 November 2011
