
Backdoor:Win32/IRCbot.gen!AA


First posted on 15 March 2013.
Source: Microsoft

Aliases:

Backdoor:Win32/IRCbot.gen!AA is also known as Trojan/Win32.Antisb (AhnLab), W32/IRCBot-based!Maximus (Command), Trojan-Dropper.Win32.Dapato.bvfc (Kaspersky), WORM/Rbot.Gen (Avira), Gen:Variant.Graftor.53894 (BitDefender), DLOADER.IRC.Trojan (Dr.Web), Win32/Boberog.BF worm (ESET), W32/Sdbot.worm!pg (McAfee), Worm.IRCbot!4CE4 (Rising AV), Mal/IRCBot-A (Sophos), W32.IRCBot (Symantec), TROJ_SPNR.15L712 (Trend Micro).

Explanation:



Installation

Backdoor:Win32/IRCbot.gen!AA uses the file name "%AppData%\winsvrn32.exe". It adds the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Corp Update"
With data: "%AppData%\winsvrn32.exe"

It creates the mutex "dr9nsr4gx".

Spreads via...

Removable drives

Backdoor:Win32/IRCbot.gen!AA creates a folder named "8585485" in the root of all removable drives. It then creates copies of itself in this folder using existing folder names in the drive. For example, if the removable drive contains folders named "foo1" and "foo2", then the backdoor copies are named "foo1.exe" and "foo2.exe".

It then hides all folders on the removable drive, in an attempt to trick you into clicking on its copy rather than on the folder in your drive. It then creates shortcuts to each of the copies, with the same names as the folders on the drive, but with the LNK extension.
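As an added, defender-side example (not part of the Microsoft description): a small Python triage helper that checks a removable drive root for the 8585485 / .exe / .lnk pattern described above, and flags entries from a Run-key export that match the persistence entry in the Installation section. The sample drive layout it builds is constructed for testing; the hidden-folder attribute is not checked because it is Windows-specific.

```python
import tempfile
from pathlib import Path

# Indicators taken from the description above.
DROPPER_DIR = "8585485"                 # folder created in the drive root
DROPPED_FILE = "winsvrn32.exe"          # file name used under %AppData%
RUN_VALUE_NAME = "Microsoft Corp Update"  # Run key value name

def scan_removable_root(root):
    """Look for the spreading pattern: a root folder named 8585485 holding
    <folder>.exe for each sibling folder, plus a decoy <folder>.lnk in the root.
    Returns the affected folder names (empty list when the pattern is absent)."""
    root = Path(root)
    drop = root / DROPPER_DIR
    if not drop.is_dir():
        return []
    hits = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or entry.name == DROPPER_DIR:
            continue
        if (drop / f"{entry.name}.exe").is_file() and (root / f"{entry.name}.lnk").is_file():
            hits.append(entry.name)
    return hits

def flag_run_entries(entries):
    """entries: iterable of (value_name, data) pairs exported from the Run key.
    Flags the persistence entry by its value name or by the dropped file name."""
    return [(n, d) for n, d in entries
            if n == RUN_VALUE_NAME or d.lower().endswith(DROPPED_FILE)]

def build_sample_drive(infected=True):
    """Constructed sample drive layout (placeholder files, not malware) for testing."""
    base = Path(tempfile.mkdtemp(prefix="usb_"))
    for name in ("foo1", "foo2"):
        (base / name).mkdir()
    if infected:
        drop = base / DROPPER_DIR
        drop.mkdir()
        for name in ("foo1", "foo2"):
            (drop / f"{name}.exe").write_bytes(b"MZ-placeholder")
            (base / f"{name}.lnk").write_bytes(b"lnk-placeholder")
    return base

if __name__ == "__main__":
    print(scan_removable_root(build_sample_drive()))          # ['foo1', 'foo2']
    print(flag_run_entries([("Microsoft Corp Update", r"%AppData%\winsvrn32.exe"),
                            ("OneDrive", r"C:\Users\x\OneDrive.exe")]))
```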



Payload

Allows backdoor access and control

Backdoor:Win32/IRCbot.gen!AA allows unauthorized access and control of your computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/IRCbot.gen!AA. This could include, but is not limited to, the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files


Bypasses Windows Firewall

Backdoor:Win32/IRCbot.gen!AA bypasses the Windows Firewall by adding the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Sets value: "List"
With data: "%AppData%\winsvrn32.exe"

Allows backdoor access and control

Backdoor:Win32/IRCbot.gen!AA connects to the servers "ktodumal.net" and "windowsupdatecenter.net" via port 5500. Once connected, it can receive commands from, and send data back to, the remote server.



Analysis by Vincent Tiu

Last update 15 March 2013
