
Backdoor:Win32/IRCbot.gen!Y


First posted on 25 October 2012.
Source: Microsoft

Aliases :

Backdoor:Win32/IRCbot.gen!Y is also known as BDS/IRCBot.Y.6 (Avira), BDS/IRCBot.Y.7 (Avira), TROJ_PINCAV.SM (Trend Micro), Trojan.Win32.Pincav (Ikarus), Trojan/Win32.Pincav (AhnLab), W32.Ircbrute (Symantec), W32/Ircbot.AIU (Command), W32/Pincav.VT (Norman), Trojan-Dropper.Win32.Daws.avlk (Kaspersky).

Explanation :



Backdoor:Win32/IRCbot.gen!Y is a bot that connects to an Internet Relay Chat (IRC) server and provides attackers with unauthorized access and control of your computer. It attempts to spread via removable drives and network shares, P2P (peer-to-peer) services and IM (instant messaging).

It is a member of the Backdoor:Win32/IRCbot family of bots.



Installation

Depending on the variant, Backdoor:Win32/IRCbot.gen!Y copies itself with file names that resemble legitimate programs and services, possibly in an effort to hinder detection and removal, such as the following:

  • %APPDATA%\ctfmon.exe
  • %TEMP%\winlogin.exe
  • <system folder>\windefend.exe


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Temp folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Local\Temp".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

Some variants of Backdoor:Win32/IRCbot.gen!Y modify the registry to ensure their copy runs at each Windows start. In the wild, we have observed the following modifications to the registry:

In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Defender"
With data: "%system%\windefend.exe"

Sets value: "Windows Defense Service"
With data: "%system%\windefend.exe"

Sets value: "Winlogon"
With data: "%TEMP%\winlogin.exe"

Some variants of the bot attempt to delete themselves from their original run location.

Variants of the bot may also attempt to add themselves to the firewall exceptions list by running the following command:

netsh firewall add allowedprogram <malware file name> ENABLE

where <malware file name> is the file the bot copied itself as.

Spreads via...

Removable drives

Backdoor:Win32/IRCbot.gen!Y may create the following copies of itself on targeted removable drives when spreading:

  • <removable drive>:\\recycler\{36436-46377-557332\autorun.exe
  • <removable drive>:\\recycler\{36436-46377-557332\msconfig.exe


It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Note: This bot was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally used in order to spread malware from computer to computer.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
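
The Python below is an added example, not code from the advisory or from Microsoft. It parses an autorun.inf file, lists the programs the file would cause Explorer to start, and reports a reason only when a launch target sits under a recycler folder (where this bot places its copies) or when the drive's default double-click verb is redirected to a program; an ordinary installer-style file yields launch targets but no reason, which is the point made in the previous paragraph. Both sample files and the folder name "S-1-5-21-constructed" are constructed for the example.

```python
import configparser
import re

# Keys in the [autorun] section that make Explorer start a program. These come from
# the autorun.inf format itself; the advisory only says the bot drops such a file.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercase key -> value ({} if absent/unparsable)."""
    cp = configparser.RawConfigParser(strict=False)  # no interpolation, duplicate keys tolerated
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":  # section name is matched case-insensitively
            return dict(cp.items(section))
    return {}


def launch_targets(entries):
    """Program references that run when the drive is inserted or double-clicked."""
    return [v.strip() for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def assess_autorun(text):
    """Return (targets, reasons); empty reasons means nothing beyond a normal installer-style file."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    for target in targets:
        exe = target.split()[0].strip('"') if target else ""  # drop any arguments
        components = [c.lower() for c in re.split(r"[\\/]", exe) if c]
        if "recycler" in components:
            reasons.append(f"launch target hidden under a recycler folder: {exe}")
    # shell=<verb> together with shell\<verb>\command replaces the drive's default action
    if "shell" in entries and any(SHELL_CMD_RE.match(k) for k in entries):
        reasons.append("default double-click verb redirected to a program")
    return targets, reasons


# Constructed sample: what an installation disc typically carries.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product Install Disc
open=setup.exe
"""

# Constructed sample in the style the advisory describes (folder name is made up).
SUSPICIOUS_AUTORUN = """[AutoRun]
open=recycler\\S-1-5-21-constructed\\autorun.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open=Open
shell\\open\\command=recycler\\S-1-5-21-constructed\\autorun.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        targets, reasons = assess_autorun(sample)
        print(name, "targets:", targets, "reasons:", reasons)
```

Run it against the autorun.inf of a drive you are triaging by reading the file and passing its text to assess_autorun; the targets list tells you what to pull for analysis even when no reason is reported.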

Network shares

Some variants of the bot may attempt to spread by using the following predefined list of user names and passwords to access computers on your local network:

  • User names:
    • admin
    • admin"
    • administrator
    • amministratore
    • computer
    • default
    • guest
    • owner
    • root
    • wwwadmin
  • Passwords:
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 123abc
    • abcde
    • access
    • apollo13
    • apple
    • awerty
    • billy
    • bitch
    • command
    • database
    • hacker
    • internet
    • intranet
    • linux
    • login
    • loginpass
    • mysql
    • nokia
    • oracle
    • pass1234
    • qwerty
    • server
    • siemens
    • system
    • testing
    • win2000
    • win2k
    • win95
    • win98
    • winnt
    • winpass
    • winxp


Peer-to-peer file sharing

Some variants of Backdoor:Win32/IRCbot.gen!Y may attempt to spread via P2P file sharing by copying themselves to the shared folders of particular P2P file sharing applications.

The bot makes several copies of itself in the shared folders of these applications using file names designed to entice other users of the file sharing network into downloading and running copies of the bot.

The bot may copy itself to the following folders:

  • bearshare\shared
  • edonkey2000\incoming
  • emule\incoming
  • frostwire\saved
  • frostwire\shared
  • grokster\my grokster
  • icq\shared folder
  • kazaa lite k++\my shared folder
  • kazaa lite\my shared folder
  • kazaa\my shared folder
  • limewire\saved
  • limewire\shared
  • morpheus\my shared folder
  • my music\bearshare
  • my music\imesh
  • shareaza downloads
  • tesla\files
  • winmx\shared


Using one or more of the following file names:

  • Adobe Keygen.exe
  • Adobe Photoshop Crack.exe
  • Adobe Photoshop CS3 Keygen.exe
  • Adobe Photoshop CS4 KeyGen.exe
  • Adobe Photoshop Keygen.exe
  • AOL Hacker 2009.exe
  • Avast Antivirus Keygen.exe
  • Avira Antivirus 2010 Keygen.exe
  • Avira Internet Security 2010 Keygen.exe
  • Call Of Duty Modern Warfare 2 working multiplayer patch by team reloaded.exe
  • Cisco VPN Keygen.exe
  • Counter-Strike KeyGen.exe
  • Counter-Strike Source KeyGen.exe
  • DeadSpace KeyGen.exe
  • DivX Pro KeyGen.exe
  • Half-Life 2 WORKS-ON-STEAM.exe
  • Kaspersky 2010 Full Suite Keygen.exe
  • Kaspersky Antivirus Keygen.exe
  • Kaspersky Internet Security Keygen.exe
  • Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
  • Limewire Pro Downloader.exe
  • Limewire Speed Patch
  • Magic Video Converter Keygen.exe
  • Microsoft Visual Basic 2008 KeyGen.exe
  • Microsoft Visual Basic 6 KeyGen.exe
  • Microsoft Visual C++ 2008 KeyGen.exe
  • Microsoft Visual C++ 6 KeyGen.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Microsoft Visual Studio 6 KeyGen.exe
  • Movie Maker Keygen.exe
  • Myspace Attack.exe
  • Myspace Bruteforce.exe
  • Myspace Cracker.exe
  • Nod32 Antivirus Keygen.exe
  • Nod32 Internet Security Keygen.exe
  • Norton Anti-Virus 2010 Enterprise Keygen.exe
  • Norton Internet Security 2010 Keygen.exe
  • Partition Magic 8 Full package.exe
  • Photoshop Crack.exe
  • PhotoShop Keygen.exe
  • Project 7 Private 4.8.exe
  • Registry Cleaner Keygen.exe
  • RuneScape 2009 - Newest Exploits.exe
  • RuneScape Cracker.exe
  • RuneScape Gold Exploit.exe
  • Steam Account Stealer.exe
  • Tcpip Patch.exe
  • TuneUp 2010 Keygen.exe
  • Virus Generator.exe
  • Virus Maker.exe
  • Widnows 7 Keygen.exe
  • Windows 2008 Server KeyGen.exe
  • Windows 2009 Server working KeyGen by TeaM Reloaded.exe
  • Windows Vista Keygen
  • Windows XP Keygen
  • Windows XP Media Center Keygen.exe
  • WOW Account Cracker.exe
  • YIM HAcker 2008.exe
  • YIM HAcker 2009.exe


Instant messaging

Variants of the bot may attempt to spread by using a number of IM services, including ICQ. The bot sends a localized message to all of your contacts, depending on the location of your computer.

It uses the following messages if your locale is set to Austria, Germany, Liechtenstein, Luxembourg, or Switzerland:

  • bist du das auf dem foto
  • das foto solltest du wirklich sehen
  • hab ich dir das foto schon gezeigt?
  • kennst du das foto schon?
  • schau mal das foto an
  • schau mal welches foto ich gefunden hab
  • so will ich nicht aussehen wenn ich alt bin
  • unglaublich welche fotos leute von sich machen schau mal
  • wie findest du das foto?


It uses the following messages if your locale is set to Belgium or the Netherlands:

  • ben jij dat op dit foto?
  • dit foto zal je echt eens bekijken!
  • ik hoop dat jij het net bent op dit foto
  • ken je dat foto nog?
  • ken je dit foto al?
  • kijk wat voor een foto ik heb gevonden
  • zo iets leilijk heb ik nog nooit in mijn leven gezien


It uses the following message if your locale is set to Denmark:

  • ser på dette billede


It uses the following message if your locale is set to Finland:

  • katso tätä kuvaa


It uses the following messages if your locale is set to France:

  • c'est la photo la plus marrante!
  • devrais-je mettre cette photo de profile?
  • dis moi ce que tu pense de cette photo de moi?
  • je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
  • je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
  • mes parents vont me tuer si ils trouvent cette photo.


It uses the following messages if your locale is set to Italy:

  • chi e in questa foto?
  • conosci la persona in questa foto?
  • dopo che hai visto la foto, tu non dormirai piu
  • hai visto questa foto?
  • la foto e grandiosa!
  • ti piace la foto?
  • ti ricordi la Foto?


It uses the following message if your locale is set to Norway:

  • se på dette bildet


It uses the following message if your locale is set to Sweden:

  • titta på denna bild


It uses the following messages for all other locales:

  • i cant believe i still have this picture
  • i don't think i will ever sleep again after seeing this photo
  • should i make this my default picture?
  • tell me what you think of this photo
  • tell me what you think of this picture i edited
  • this is the funniest photo ever!


Payload

Allows backdoor access and control

Backdoor:Win32/IRCbot.gen!Y attempts to connect to an IRC server, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:

  • Download, upload and run files (including plugins for the bot)
  • Inject the bot into a specific process
  • Join a different IRC channel
  • Launch Internet Explorer
  • Perform a DDoS (distributed denial of service) attack
  • Reconnect to the bot and perform a test of your network's speed
  • Recreate the Windows start registry keys it created during its installation, if they were deleted
  • Remove the bot from your computer
  • Retrieve information about your computer
  • Update the bot


In the wild, we have observed the bot connecting to the following IRC servers on the channel "#gbot" with the user name "n{USA|XP}%random_chars%" (for example, "n{USA|XP}ekrmycj"):

  • ircs.no-ip.org:7200
  • tils.dyndns.tv:9283
  • gbot.ddns.me:7200
  • irc.deepirc.net:6669
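
The C2 behaviour described above can be checked on the network side. The following Python script is an added example, not code from the advisory or from Microsoft: it matches the client-to-server IRC lines of each connection against the servers, the channel "#gbot" and the nick pattern "n{USA|XP}%random_chars%" listed here, so a connection to a server that is not on the list still stands out when the nick or channel matches (the dynamic-DNS names can change while the bot code does not). The IrcFlow records are constructed sample traffic; "irc.example.org" and "198.51.100.7" are placeholder addresses, and "n{USA|XP}ekrmycj" is the example nick the advisory cites.

```python
import re
from dataclasses import dataclass, field

# C2 indicators from the advisory: servers observed in the wild, the channel and
# the nick pattern "n{USA|XP}%random_chars%".
C2_ENDPOINTS = {
    ("ircs.no-ip.org", 7200),
    ("tils.dyndns.tv", 9283),
    ("gbot.ddns.me", 7200),
    ("irc.deepirc.net", 6669),
}
C2_CHANNEL = "#gbot"
NICK_RE = re.compile(r"^n\{USA\|XP\}[A-Za-z0-9]+$")


@dataclass
class IrcFlow:
    """One TCP connection with the raw IRC lines the client sent (constructed in the samples)."""
    dst_host: str
    dst_port: int
    client_lines: list = field(default_factory=list)


def flow_reasons(flow):
    """Every indicator this flow matched; an empty list means nothing bot-like was seen."""
    reasons = []
    if (flow.dst_host.lower(), flow.dst_port) in C2_ENDPOINTS:
        reasons.append(f"known C2 endpoint {flow.dst_host}:{flow.dst_port}")
    for line in flow.client_lines:
        parts = line.strip().split()
        if len(parts) < 2:
            continue  # commands without a parameter (e.g. QUIT) carry nothing to match
        cmd, arg = parts[0].upper(), parts[1].lstrip(":")
        if cmd == "NICK" and NICK_RE.match(arg):
            reasons.append(f"bot-style nick {arg}")
        elif cmd == "JOIN" and C2_CHANNEL in arg.lower().split(","):
            reasons.append(f"joined C2 channel {C2_CHANNEL}")  # JOIN may list several channels
    return reasons


def triage(flows):
    """Map 'host:port' to the reasons for each flow that matched at least one indicator."""
    report = {}
    for flow in flows:
        reasons = flow_reasons(flow)
        if reasons:
            report[f"{flow.dst_host}:{flow.dst_port}"] = reasons
    return report


# Constructed traffic: a bot session, an ordinary IRC client, and a bot talking to an
# address not on the list (198.51.100.7 is a documentation-range placeholder).
SAMPLE_FLOWS = [
    IrcFlow("gbot.ddns.me", 7200,
            ["NICK n{USA|XP}ekrmycj", "USER ekrmycj 0 * :ekrmycj", "JOIN #gbot"]),
    IrcFlow("irc.example.org", 6667,
            ["NICK alice", "USER alice 0 * :Alice", "JOIN #python", "PRIVMSG #python :hi"]),
    IrcFlow("198.51.100.7", 7200,
            ["NICK n{USA|XP}qzplmw", "JOIN #gbot,#other"]),
]

if __name__ == "__main__":
    for endpoint, reasons in triage(SAMPLE_FLOWS).items():
        print(endpoint, "->", "; ".join(reasons))
```

The ordinary client produces no reasons at all, so the script can run over every IRC-looking flow in a capture without drowning the bot sessions in noise; the endpoint list is the least durable of the three indicators and should be refreshed from current sightings.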


Deletes files

Backdoor:Win32/IRCbot.gen!Y may also delete the list of drivers that the operating system uses when booting into safe mode. It does this by deleting the following registry keys:

  • HKLM\System\CurrentControlSet\Control\SafeBoot
  • HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal
  • HKLM\System\CurrentControlSet\Control\SafeBoot\Network


Injects code

In order to hinder detection and removal, Backdoor:Win32/IRCbot.gen!Y injects its code into the "winlogon.exe" process.

Additional information

Backdoor:Win32/IRCbot.gen!Y creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:

  • erygb3ihf38ufn3
  • fYtXvYAs
  • waH&spem
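
The following Python triage routine is an added example, not code from the advisory or from Microsoft. It checks a set of host observations (Run values, file paths, command lines, deleted registry keys and mutex names) against the indicators given in the Installation section and in the two sections above; the observations here are constructed sample data for a fictional user "bob". A Run value named "Windows Defender" is reported only when its image is the windefend.exe the bot installs, so a legitimate Defender entry is not flagged, and ctfmon.exe is reported only outside System32. That winlogin.exe and windefend.exe are not names of Windows' own binaries (the real ones are winlogon.exe and the WinDefend service) is my assumption, drawn from the advisory's description of look-alike names.

```python
import ntpath
import re

# Indicators from the advisory (Run keys and value names, dropped file names,
# SafeBoot keys, mutexes). Everything under SAMPLE_HOST is constructed.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
RUN_VALUES = {  # Run value name -> image file the bot installs under it
    "windows defender": "windefend.exe",
    "windows defense service": "windefend.exe",
    "winlogon": "winlogin.exe",
}
# Assumption: neither name belongs to a Windows binary, so either is suspect anywhere.
LOOKALIKE_NAMES = {"windefend.exe", "winlogin.exe"}
SYSTEM_NAMES = {"ctfmon.exe"}  # legitimate in System32, suspect under %APPDATA%
SAFEBOOT_KEYS = {
    r"hklm\system\currentcontrolset\control\safeboot",
    r"hklm\system\currentcontrolset\control\safeboot\minimal",
    r"hklm\system\currentcontrolset\control\safeboot\network",
}
MUTEXES = {"erygb3ihf38ufn3", "fYtXvYAs", "waH&spem"}
NETSH_RE = re.compile(r"netsh\s+firewall\s+add\s+allowedprogram\s+.+?\s+enable\b", re.I)


def image_path(cmd):
    """Image path from a Run value or command line, with any arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_run_values(run_values):
    """(key, name, data) triples whose value name AND image match the bot's persistence."""
    hits = []
    for key, name, data in run_values:
        expected = RUN_VALUES.get(name.lower())
        if (key.lower() in RUN_KEYS and expected
                and ntpath.basename(image_path(data)).lower() == expected):
            hits.append((key, name, data))
    return hits


def check_files(paths):
    """Paths carrying one of the bot's file names, ignoring ctfmon.exe inside System32."""
    hits = []
    for p in paths:
        n = p.strip().strip('"').lower()
        base = ntpath.basename(n)
        if base in LOOKALIKE_NAMES or (base in SYSTEM_NAMES and "\\system32\\" not in n):
            hits.append(p)
    return hits


def triage_host(obs):
    """Return only the categories with matches, named after the behaviours the advisory lists."""
    result = {
        "persistence": check_run_values(obs.get("run_values", [])),
        "dropped_files": check_files(obs.get("files", [])),
        "firewall_exception": [c for c in obs.get("commands", []) if NETSH_RE.search(c)],
        "safeboot_deleted": [k for k in obs.get("deleted_keys", []) if k.lower() in SAFEBOOT_KEYS],
        "mutexes": sorted(set(obs.get("mutexes", [])) & MUTEXES),
    }
    return {k: v for k, v in result.items() if v}


# Constructed observations for a fictional user "bob": bot artefacts mixed with benign entries.
SAMPLE_HOST = {
    "run_values": [
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Defender",
         r"C:\Windows\System32\windefend.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Winlogon",
         r"C:\Users\bob\AppData\Local\Temp\winlogin.exe"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Defender",
         r'"C:\Program Files\Windows Defender\MSASCui.exe" -hide'),  # legitimate, not flagged
    ],
    "files": [r"C:\Users\bob\AppData\Roaming\ctfmon.exe", r"C:\Windows\System32\ctfmon.exe",
              r"C:\Windows\System32\windefend.exe"],
    "commands": [r'netsh firewall add allowedprogram "C:\Windows\System32\windefend.exe" ENABLE',
                 r"netsh firewall show state"],
    "deleted_keys": [r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal", r"HKLM\Software\Example"],
    "mutexes": ["fYtXvYAs", r"Global\SomeLegitApp"],
}

if __name__ == "__main__":
    for category, hits in triage_host(SAMPLE_HOST).items():
        print(category, hits)
```

Feed it the output of whatever collects these observations on the host (a registry export, a file listing, process command lines from an EDR or Sysmon, a sandbox report's mutex list); a deleted SafeBoot key is worth treating as a finding in its own right, because it leaves the machine unable to boot into safe mode for cleanup.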


The bot determines the location of your computer by using the API "GetLocaleInfoA".

Most variants of the bot identify themselves as "gBot V2" via the inclusion of a text string in their code.

Related encyclopedia entries

Backdoor:Win32/IRCbot



Analysis by Patrik Vicol

Last update 25 October 2012

 
