Backdoor:Win32/IRCbot.gen!Z
First posted on 05 September 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/IRCbot.gen!Z is also known as Win32/Rbot (ESET), Backdoor.Rbot (Ikarus), Backdoor.Win32.Rbot.aea (Kaspersky), Generic.Sdbot.A2581542 (BitDefender), IRC/BackDoor.SdBot (AVG), W32.Spybot.Worm (Symantec), W32/Rbot-Gen (Sophos), W32/Sdbot.worm.gen.i (McAfee), Worm.RBot.Gen.10 (VirusBuster), Win32/IRCBot.worm.Gen (AhnLab), Worm/Rbot.316497 (Avira), WORM_SPYBOT.GEN (Trend Micro).
Explanation:
Backdoor:Win32/IRCbot.gen!Z is a backdoor trojan that connects to an Internet Relay Chat (IRC) server and provides attackers with unauthorized access and control of your computer. It is a member of the Backdoor:Win32/IRCbot family of backdoor trojans.
Installation
Backdoor:Win32/IRCbot.gen!Z copies itself to the %windir% or <system folder> directory with a random file name, and then runs that copy of itself. Some of the file names we have observed include:
- CRACK + KEYGEN Medal of Honor Airborne- WORKING !!.zip
- ddqps.exe
- gsdazr.exe
- hghaah.exe
- iwjarv.exe
- mvuvxx.exe
- ogeslh.exe
- Runescape_Pass_Crack_v4.1.exe
- sbtegs.exe
- sxrdqx.exe
- touisf.exe
- zngvbb.exe
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".
Backdoor:Win32/IRCbot.gen!Z modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "<malware name and location>", for example "C:\Windows\ddqps.exe"
The trojan uses a batch script with a random file name to delete itself.
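A defender-side triage check for the persistence described above, added here as an example (it is not code from the Microsoft entry). It flags Run-key values whose data points at a five- or six-lowercase-letter .exe placed directly in %windir% or the System folder, the pattern of the observed file names; the sample Run-key values are constructed, and `read_run_key` is a hypothetical helper for a live Windows host.

```python
import re
from pathlib import PureWindowsPath

# Added example, not code from the Microsoft entry: flag Run-key values whose data
# points at a five- or six-letter .exe dropped directly into %windir% or System32.
RANDOM_NAME = re.compile(r"^[a-z]{5,6}\.exe$", re.IGNORECASE)

def _exe_path(data):
    """Extract the executable path from Run-key data (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def suspicious_run_values(run_values, windir=r"C:\Windows"):
    """run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run.
    Returns value names pointing at a random-looking .exe directly in %windir%
    or %windir%\\System32. Hits are triage leads (legitimate short names
    exist), so confirm with the file's signature or hash."""
    root = PureWindowsPath(windir)
    roots = {str(root).lower(), str(root / "System32").lower()}
    hits = []
    for name, data in run_values.items():
        path = PureWindowsPath(_exe_path(data))
        if str(path.parent).lower() in roots and RANDOM_NAME.match(path.name):
            hits.append(name)
    return hits

def read_run_key():
    """Read the Run key on a live Windows host; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values, index = {}, 0
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values

SAMPLE_RUN = {  # constructed sample values, not a capture
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    "xkqzp": r'"C:\Windows\ddqps.exe"',
    "sbtegs": r"C:\Windows\System32\sbtegs.exe",
}
```

On a Windows host, `suspicious_run_values(read_run_key())` runs the same check against the live registry.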
Payload
Allows backdoor access and control
Backdoor:Win32/IRCbot.gen!Z attempts to connect to an IRC server, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on your computer, including the following:
- Download and run arbitrary files
- Terminate security processes
- Perform denial of service attacks on other computers or networks
- Connect to other IRC servers
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
The IRC servers that we have observed Backdoor:Win32/IRCbot.gen!Z connecting to are described in the Additional information section of this entry.
Modifies Hosts file
Backdoor:Win32/IRCbot.gen!Z adds entries to the Windows Hosts file that block access to a number of security-related websites, so that the affected computer can no longer reach those vendors' sites.
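A check for the Hosts-file tampering described above, added here as an example (not code from the Microsoft entry). It parses hosts-file text and reports every entry that pins a watched security-vendor domain or one of its subdomains; the watch list is a subset of the domains the entry names, and the sample hosts file is constructed.

```python
import os

# Added example, not code from the Microsoft entry. The watch list is a subset of
# the vendor domains named above; any hosts-file entry pinning one of them (or a
# subdomain) is a sign of update/download traffic being diverted or black-holed.
WATCHED = {"symantec.com", "mcafee.com", "kaspersky.com", "f-secure.com",
           "sophos.com", "trendmicro.com", "virustotal.com", "microsoft.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            yield fields[0], host.lower()

def in_watchlist(host, watched=WATCHED):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)

def blocked_security_hosts(text, watched=WATCHED):
    """Return (hostname, ip) for every watched security site the hosts file
    pins to an address. Ordinary hosts files never map these domains, so each
    hit deserves a look; 127.0.0.1 or 0.0.0.0 targets mean outright blocking."""
    return [(host, ip) for ip, host in parse_hosts(text)
            if in_watchlist(host, watched)]

def hosts_file_path():
    """Location of the live hosts file on Windows; %SystemRoot% is queried
    rather than assumed, matching the note about %windir% above."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")

# Constructed sample, not a captured file.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
127.0.0.1   www.symantec.com symantec.com
127.0.0.1   liveupdate.symantec.com
0.0.0.0     download.mcafee.com   # black-holed
127.0.0.1   www.microsoft.com
"""
```

On a live host, `blocked_security_hosts(open(hosts_file_path()).read())` runs the same check against the real file.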
Drops and installs other malware
In the wild, we have observed Backdoor:Win32/IRCbot.gen!Z dropping and running the following malware:
- Backdoor:Win32/Rbot.gen
- BrowserModifier:Win32/Istbar.F
- HackTool:Win32/Wpakill.B
- Trojan:Win32/Gaobot.gen
- Trojan:Win32/Qhost.I
- VirTool:Win32/Cleanmbx.A
- VirTool:WinNT/FURootkit.A
Backdoor:Win32/IRCbot.gen!Z may also drop malware that could disable Windows security services, including:
- Trojan:BAT/Secoff.A
- Trojan:WinREG/Secoff.B
Terminates security processes
The trojan terminates the following antivirus-related processes, if found on your computer:
- _avpm.exe
- antivirus.exe
- aupdate.exe
- avgw.exe
- avp.exe
- avp32.exe
- avpcc.exe
- blackice.exe
- drweb32.exe
- fsav.exe
- navw32.exe
- nod32.exe
- persfw.exe
- scan32.exe
- zonealarm.exe
Additional information
To enable its backdoor access and control payload, Backdoor:Win32/IRCbot.gen!Z attempts to connect to any of a number of IRC servers that we have observed in the wild, using various ports.
Backdoor:Win32/IRCbot.gen!Z creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:
- BMW[NT] Bot
- depth45-owns-you
- Dev-Bot
- exploit bots
- GhostBOT
- h43yh4cker
- H-Bot Modded by SculenZ & TH Version 3.0
- hooligan
- Iroffer modified by Fr0zen
- kiddbot
- LIQUID
- nzm bot modded by vlad
- rootz
- rx10B
- RxBot
- s bot 1.1
- Silly Bot
- sizzlss
- SRX_BOT
- SupaBot
- Tr0gBot
Related encyclopedia entries
- Backdoor:Win32/IRCbot
- Backdoor:Win32/Rbot.gen
- BrowserModifier:Win32/Istbar.F
- HackTool:Win32/Wpakill.B
- Trojan:BAT/Secoff.A
- Trojan:Win32/Gaobot.gen
- Trojan:Win32/Qhost.I
- Trojan:WinREG/Secoff.B
- VirTool:Win32/Cleanmbx.A
- VirTool:WinNT/FURootkit.A
Analysis by Mihai Calota
Last update 05 September 2012