Backdoor:Win32/IRCbot.gen!U
First posted on 24 February 2019.
Source: Microsoft
Aliases:
Backdoor:Win32/IRCbot.gen!U is also known as VirTool:Win32/Injector.gen!E, Win-Trojan/Agent.20480.UC, Win32/Shliser.A, Bck/IrcBot.CDY, Mal/EncPk-FL, W32.Spybot.Worm, WORM_AUTORUN.MCS.
Explanation:
Backdoor:Win32/IRCbot.gen!U is a generic detection for a trojan that allows unauthorized access and control of an affected machine by a remote attacker using IRC. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from an attacker. This particular detection may trigger on variants of several different IRC bot families, including Win32/Pushbot and Win32/Synigh.

The trojan is created using a builder utility that can configure certain properties of the malware, such as the following:
- the file name of the installed copy
- the ports for use by a remote attacker
- the remote server names to attempt connections with, and so on
- the payload actions, which may include any of the following:
  - download and execute a file
  - perform a DDoS attack
  - spread using "autorun.inf" autorun configuration files
  - spread over MSN and AIM messengers (some variants)
  - transfer files
  - steal passwords
  - visit a specified website (possibly for click fraud)

Installation
When run, the trojan creates a copy of itself locally and modifies the registry to run the copy at each Windows start. The following is one example of a registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSN"
To data: "%windir%\kysvr.exe"

Spreads via logical and removable drives
Some variants of Backdoor:Win32/IRCbot.gen!U may attempt to spread to logical or removable drives. They place themselves in the RECYCLER folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached. One example variant created the following files when attempting to spread in this manner:

<drive>:\RECYCLER\S-1-6-21-2434476501-1644491937-6000033\autorunme.exe
<drive>:\RECYCLER\S-53-6-22-3434476501-1644491937-600003330-1213\desktop.ini
<drive>:\autorun.inf

Payload
Backdoor functionality
Backdoor:Win32/IRCbot.gen!U allows unauthorized access and control of an affected machine. In the wild, one example variant contacted the IRC server "irc.wotnet.com" in order to receive instructions from a remote attacker. Backdoor commands can include actions such as:
- scanning for un-patched computers on the network
- scanning files on the system and checking whether certain DLLs are loaded
- scanning ports on the network
- downloading and executing remote files
- monitoring network traffic
- launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers
- retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, network connection information, and the IE start page configuration
- retrieving CD keys of games
- uploading and downloading files through FTP
- manipulating processes and services
- conducting denial of service (DoS) attacks

Additional information
The malware will refuse to run in various sandboxes, or if analysis tools such as Wireshark or Process Monitor are running.

Analysis by Chris Stubbs
Last update 24 February 2019
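The removable-drive artifacts described in the spreading section (an autorun.inf that launches a file, plus a RECYCLER folder whose desktop.ini makes Explorer render it as the Recycle Bin while it hides an executable) can be triaged offline from a mounted drive or a forensic image. The following is an added example written for this page, not code from the original entry or from Microsoft: it builds a constructed sample drive in a temporary directory (the SID-style folder name is the one quoted above; the file contents, the `autorunme.exe` stub and the `kysvr`-style naming are assumptions for the demo) and scans it with `scan_drive_root`.

```python
"""Triage a drive root for the removable-media spreading pattern in this entry.
Added example: builds a constructed sample drive and scans it for (1) an
autorun.inf that launches an executable and (2) a RECYCLER folder whose
desktop.ini makes it render as the Recycle Bin while it holds an executable."""
import configparser
import tempfile
from pathlib import Path

# CLSID that tells Explorer to display a folder as the Recycle Bin
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"
RECYCLER_NAMES = {"recycler", "recycled", "$recycle.bin"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# autorun.inf keys that make something run on insert / double-click
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def parse_autorun(path):
    """Return the de-duplicated, lower-cased launch targets of an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(Path(path).read_text(errors="ignore"))
    except configparser.Error:
        return []  # not parsable as INI; a real tool should flag this on its own
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key in LAUNCH_KEYS and value:
                targets.append(value.strip().lower())
    return list(dict.fromkeys(targets))


def is_recycle_bin_ini(path):
    """True if desktop.ini carries the Recycle Bin CLSID (folder masquerade)."""
    return RECYCLE_BIN_CLSID in Path(path).read_text(errors="ignore").lower()


def scan_drive_root(root):
    """Return (finding, target-or-relative-path) tuples for one drive root."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for target in parse_autorun(autorun):
            if Path(target).suffix in EXEC_EXTS:
                findings.append(("autorun-launches", target))
    for folder in root.iterdir():
        if not folder.is_dir() or folder.name.lower() not in RECYCLER_NAMES:
            continue
        # Flag only the combination: Recycle-Bin desktop.ini AND an executable
        for sub in [folder, *(p for p in folder.rglob("*") if p.is_dir())]:
            ini = sub / "desktop.ini"
            exes = [p for p in sub.iterdir()
                    if p.is_file() and p.suffix.lower() in EXEC_EXTS]
            if exes and ini.is_file() and is_recycle_bin_ini(ini):
                for exe in exes:
                    findings.append(("recycler-masquerade",
                                     exe.relative_to(root).as_posix()))
    return findings


def build_sample_drive(base, infected):
    """Constructed drive layout; the infected one mirrors the file list above."""
    root = Path(base)
    if infected:
        sid_dir = root / "RECYCLER" / "S-1-6-21-2434476501-1644491937-6000033"
        sid_dir.mkdir(parents=True)
        (sid_dir / "autorunme.exe").write_bytes(b"MZ" + b"\x00" * 62)  # stub, not a PE
        (sid_dir / "desktop.ini").write_text(
            "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
        (root / "autorun.inf").write_text(
            "[autorun]\n"
            "open=RECYCLER\\S-1-6-21-2434476501-1644491937-6000033\\autorunme.exe\n"
            "shell\\open\\command=RECYCLER\\S-1-6-21-2434476501-1644491937-6000033\\autorunme.exe\n"
            "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    else:
        (root / "Documents").mkdir()
        (root / "Documents" / "notes.txt").write_text("holiday photos to sort\n")
    return root


def demo():
    """Scan one infected and one clean constructed drive; return both finding lists."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        bad = scan_drive_root(build_sample_drive(d1, infected=True))
        good = scan_drive_root(build_sample_drive(d2, infected=False))
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    for finding in bad:
        print("infected drive:", *finding)
    print("clean drive findings:", good)
```

On a real system drive the Recycle Bin folders legitimately carry that CLSID in desktop.ini and may contain deleted executables under recycled names, so the strong signal is the pair of findings together: an autorun.inf launch target that resolves into a masquerading RECYCLER subfolder. Point `scan_drive_root` at the root of each mounted volume (or an extracted image) rather than the system drive alone.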
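The backdoor section describes the network side of the infection: an IRC handshake, a JOIN to an attacker-chosen channel, and command messages arriving in that channel. The following is an added example, not code from the original entry, that parses a captured IRC session and scores it against that pattern. The two sessions are constructed; the command-word list is derived from the payload actions above, while the `.`/`!` command prefix, the bracketed "[TAG|OS]digits" nick shape and the standard-port check are detection heuristics assumed here rather than facts stated on the page.

```python
"""Score a captured IRC session for the bot behaviour described in this entry.
Added example: the heuristics and sample sessions are constructed."""
import re

# Command words drawn from the payload list above; the '.' / '!' prefix is a
# convention many IRC bots follow and is an assumption of this example.
COMMAND_WORDS = {"download", "ddos", "scan", "portscan", "ftp", "httpd", "update", "visit"}
COMMAND_RE = re.compile(r"^[.!](\w+)")
# Nick shaped like [USA|XP]1234567: tag block plus a long digit run (assumption)
BOT_NICK_RE = re.compile(r"^\[[A-Za-z0-9|]+\][-_]?\d{4,}$")
IRC_PORTS = {6667, 6697}


def parse_irc_line(line):
    """Split ':prefix COMMAND params :trailing' into (prefix, COMMAND, [params])."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def analyze_irc_session(dst_port, messages):
    """messages: (direction, raw_line) pairs; 'C' client->server, 'S' server->client."""
    reasons, handshake, joined, nick = [], set(), set(), None
    for direction, raw in messages:
        _prefix, cmd, params = parse_irc_line(raw)
        if direction == "C":
            if cmd in ("NICK", "USER"):
                handshake.add(cmd)
                if cmd == "NICK" and params:
                    nick = params[0]
                    if BOT_NICK_RE.match(nick):
                        reasons.append(f"machine-generated nick {nick}")
            elif cmd == "JOIN" and params:
                joined.add(params[0].lower())
                if len(params) > 1:  # second parameter is a channel key
                    reasons.append(f"keyed join to {params[0]}")
        elif cmd == "PRIVMSG" and len(params) >= 2:
            target, text = params[0].lower(), params[1].strip()
            m = COMMAND_RE.match(text)
            if target in joined and m and m.group(1).lower() in COMMAND_WORDS:
                reasons.append(f"command-style message in {target}: {text.split()[0]}")
    if handshake == {"NICK", "USER"} and dst_port not in IRC_PORTS:
        reasons.append(f"IRC handshake on non-standard port {dst_port}")
    return {"nick": nick, "channels": sorted(joined), "score": len(reasons),
            "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed bot session: server name is the one quoted in the entry, the rest is invented.
BOT_SESSION = (7000, [
    ("C", "NICK [USA|XP]4871023"),
    ("C", "USER xp 0 * :xp"),
    ("S", ":irc.wotnet.com 001 [USA|XP]4871023 :Welcome"),
    ("C", "JOIN #bot-channel k3y"),
    ("S", ":[USA|XP]4871023!xp@10.0.0.7 JOIN :#bot-channel"),
    ("S", ":op!op@203.0.113.9 PRIVMSG #bot-channel :.download http://203.0.113.9/up.exe"),
    ("S", ":op!op@203.0.113.9 PRIVMSG #bot-channel :.scan 10.0.0.0/8"),
])

# Constructed ordinary chat session; one message trips a single heuristic only.
CHAT_SESSION = (6667, [
    ("C", "NICK alice"),
    ("C", "USER alice 0 * :Alice"),
    ("S", ":irc.example.net 001 alice :Welcome"),
    ("C", "JOIN #python"),
    ("S", ":bob!bob@198.51.100.4 PRIVMSG #python :anyone tried the new release?"),
    ("S", ":bob!bob@198.51.100.4 PRIVMSG #python :.update pip before installing"),
])

if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("chat", CHAT_SESSION)):
        result = analyze_irc_session(*session)
        print(name, result["suspicious"], result["score"], result["reasons"])
```

The threshold of two independent reasons is what keeps the chat session below the line even though one of its messages happens to start with `.update`; in production the per-session score would be joined with host context (the Run key entry and RECYCLER artifacts above) rather than acted on alone.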