
Backdoor.IRCBot.ACTN


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.IRCBot.ACTN is also known as Net-Worm.Win32.Kolab.dgc, BackDoor.IRC.Sdbot.5096 and W32/Kolab.DGC!worm.im.

Explanation :

This worm is packed and encrypted to evade AV detection and to hide its malicious purpose. When first run, it creates a hidden copy of itself in the %WINDOWS% folder under the name usb_magr.exe and adds the following registry value so that this copy is executed at every system start-up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Universal Serial Bus device
Value: usb_magr.exe

Next, it drops a file named x.bat, which stops the Security Center service and then deletes itself. With this service disabled, the user is no longer notified when virus protection, the firewall or automatic updates are turned off.

To spread through removable drives it creates an autorun.inf file pointing to a copy of itself placed in the following folder, named to resemble a per-user Recycle Bin subdirectory:
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213

Then it tries to connect to an IRC channel using the following registration data (the fields in angle brackets are filled in at run time):
User: MEAT* 0
Nick: {iNF-00-USA-<operating_system>-<computer_name>-<random_number>}
Pass: prison

Through this backdoor the attacker can control the system, download other files or updated versions of the bot, execute IRC commands, and send messages to all the contacts in the user's instant-messenger contact list.
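As an added detection example (written for this page, not code from BitDefender's write-up or from the malware itself), the following Python checks the three indicators described above over constructed sample artifacts: the Run key value used for persistence, an autorun.inf whose launch entries point into the RECYCLER SID folder, and the IRC registration data (PASS, USER, NICK). The indicator values (value name, file name, RECYCLER path, nick prefix, password and user string) are the ones given in the description; the file name inside RECYCLER, the OS and computer-name strings in the sample nick, the Run key layout as a name-to-command dict, and the trailing fields of the USER line are assumptions made for the sample.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "Universal Serial Bus device"
IOC_FILE_NAME = "usb_magr.exe"
# RECYCLER\S-1-<...>\ style folder (any SID-like suffix, case-insensitive).
RECYCLER_SID_DIR = re.compile(r"recycler[\\/]s-1-\d+(?:-\d+)+", re.IGNORECASE)
# Nick pattern: {iNF-00-USA-<operating_system>-<computer_name>-<random_number>}
BOT_NICK = re.compile(r"\{iNF-00-USA-[^{}\s]+?-[^{}\s]+?-\d+\}")

# Constructed sample artifacts (not captured from a real infection).
SAMPLE_RUN_VALUES = {  # value name -> command, as parsed from a 'reg export'
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Universal Serial Bus device": "usb_magr.exe",
}
# File name under RECYCLER is assumed; the page only says "a copy of itself".
SAMPLE_AUTORUN = r"""[AutoRun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\usb_magr.exe
shellexecute=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\usb_magr.exe
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\usb_magr.exe
"""
# OS/hostname fields and the tail of the USER line are assumed values.
SAMPLE_IRC = """PASS prison
NICK {iNF-00-USA-XP-WORKSTATION7-48213}
USER MEAT* 0 * :MEAT*
"""


def suspicious_run_values(run_values):
    """Return (name, command) pairs under the Run key that match the
    persistence entry: the known value name or a command naming usb_magr.exe."""
    hits = []
    for name, command in run_values.items():
        if name == IOC_VALUE_NAME or IOC_FILE_NAME in command.lower():
            hits.append((name, command))
    return hits


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a dict with
    lowercased keys. Tolerates comments, blank lines and other sections."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launches_from_recycler(text):
    """Return every launch target in autorun.inf that lives under a
    RECYCLER\\S-1-... folder, the placement described for this worm."""
    entries = parse_autorun(text)
    launch_keys = ("open", "shellexecute", r"shell\open\command",
                   r"shell\explore\command")
    targets = [entries.get(k, "") for k in launch_keys]
    return [t for t in targets if t and RECYCLER_SID_DIR.search(t)]


def irc_indicators(irc_lines):
    """Scan client->server IRC lines for the bot's registration data.
    Returns flags for 'PASS prison' and a 'MEAT*' USER line plus the
    matched nick (or None)."""
    result = {"pass_prison": False, "meat_user": False, "bot_nick": None}
    for line in irc_lines:
        cmd, _, params = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS" and params.strip() == "prison":
            result["pass_prison"] = True
        elif cmd == "USER" and params.startswith("MEAT*"):
            result["meat_user"] = True
        elif cmd == "NICK":
            m = BOT_NICK.fullmatch(params.strip())
            if m:
                result["bot_nick"] = m.group(0)
    return result


if __name__ == "__main__":
    print(RUN_KEY, "->", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("autorun.inf targets:", autorun_launches_from_recycler(SAMPLE_AUTORUN))
    print("IRC:", irc_indicators(SAMPLE_IRC.splitlines()))
```

The IRC check is most useful applied to the first few client-to-server lines of a captured session; the registration triple (PASS, NICK, USER) is sent before any channel traffic, so a match on all three is a strong signal even when the C2 host or channel name is not known.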

Last update 21 November 2011
