Backdoor.IRCBot.ST


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Backdoor.IRCBot.ST.

Explanation:

The file is packed and encrypted to hide its malicious code. When first run, the virus starts a thread that checks whether the program is being debugged and exits immediately if it detects a user-level debugger. It then copies itself into the Windows system directory and installs itself as a Windows service named "wgareg". The service is configured so that Windows restarts it automatically if it is killed. Next, the virus starts explorer.exe in suspended mode and injects code into that process. The injected code waits for the virus process to exit, then deletes the original file and exits.

Once the service is installed, the virus exits. Windows then starts it again, because it is now registered as a service, from %SYSTEMDIR%\wgareg.exe. On this run the virus skips the installation step and begins its main activity. First it creates a mutex named "wgareg" to ensure only one instance runs. Next it disables the Windows Security Center firewall and anti-virus monitoring by modifying registry keys, and creates a 0-byte file dcpromo.log in %WINDIR%\Debug\; this protects the computer against the MS04-011 vulnerability. It then tries to connect to the IRC server net32.vr0k.com.ar on port 18067 and to join a password-protected channel named #N1. The nickname is generated randomly in the form N1-xxxxxxxx, where xxxxxxxx is a random number. Once connected, it stays in the background listening for commands.
The commands are powerful enough to upgrade the virus, uninstall it, download a file from the Internet and execute it, open a shell, run any process on the infected computer, execute any IRC command, search for a file, perform a SYN flood, and take control of the instant messenger.
It also behaves like a worm: on command, it exploits the MS04-011 vulnerability and transmits itself.
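The description above lists several host and network artefacts that a defender can look for: the "wgareg" service and mutex, the dropped wgareg.exe in the system directory, the empty dcpromo.log under %WINDIR%\Debug, the IRC server net32.vr0k.com.ar on port 18067, the #N1 channel and the N1-xxxxxxxx nickname pattern. The following Python script is an added example, not part of the original BitDefender write-up, that turns those indicators into simple regex rules and runs them over a handful of constructed log lines (the log format, the hostnames, the 203.0.113.7 address and the nickname digits are all invented for the example; only the indicator values come from the description).

```python
import re
from dataclasses import dataclass

# Indicators taken from the Backdoor.IRCBot.ST description above.
# Each rule is (indicator name, compiled regex); the log format the
# regexes expect ("key=value" fields after an event type) is an assumption.
RULES = [
    ("service_wgareg", re.compile(r"Service\w*\s+name=wgareg\b", re.I)),
    ("dropped_wgareg_exe", re.compile(r"\\wgareg\.exe\b", re.I)),
    ("mutex_wgareg", re.compile(r"Mutex\w*\s+name=wgareg\b", re.I)),
    # 0-byte dcpromo.log in the Debug directory (MS04-011 "vaccine" trick)
    ("dcpromo_log_empty", re.compile(r"\\Debug\\dcpromo\.log\b.*\bsize=0\b", re.I)),
    ("c2_host", re.compile(re.escape("net32.vr0k.com.ar"), re.I)),
    ("c2_port", re.compile(r":18067\b")),
    # nickname is N1- followed by a random number
    ("irc_nick_pattern", re.compile(r"\bNICK\s+N1-\d+\b")),
    ("irc_channel_n1", re.compile(r"\bJOIN\s+#N1\b")),
]


@dataclass
class Hit:
    indicator: str
    line: str


def scan_lines(lines):
    """Return one Hit per (line, matching rule); a line may match several rules."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append(Hit(name, line))
    return hits


def summarize(hits):
    """Count hits per indicator name, e.g. {"c2_port": 1, ...}."""
    counts = {}
    for hit in hits:
        counts[hit.indicator] = counts.get(hit.indicator, 0) + 1
    return counts


def is_suspicious(counts, threshold=3):
    """Flag the host when several independent indicators fire, not just one."""
    return len(counts) >= threshold


# Constructed sample log lines (not real telemetry); the timestamps, the
# sysmon/dns/firewall/ids source tags and the 203.0.113.7 address are made up.
SAMPLE_LOGS = [
    r"2011-11-21 10:02:13 sysmon ServiceInstall name=wgareg path=C:\Windows\system32\wgareg.exe start=auto",
    r"2011-11-21 10:02:14 sysmon FileCreate path=C:\Windows\Debug\dcpromo.log size=0",
    r"2011-11-21 10:02:15 sysmon MutexCreate name=wgareg",
    r"2011-11-21 10:02:19 dns query=net32.vr0k.com.ar",
    r"2011-11-21 10:02:20 firewall ALLOW TCP 10.0.0.5:49321 -> 203.0.113.7:18067",
    r"2011-11-21 10:02:21 ids IRC NICK N1-48213907",
    r"2011-11-21 10:02:21 ids IRC JOIN #N1",
    r"2011-11-21 10:03:00 sysmon FileCreate path=C:\Users\alice\notes.txt size=120",
    r"2011-11-21 10:03:05 sysmon ServiceInstall name=Spooler path=C:\Windows\system32\spoolsv.exe start=auto",
]


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for hit in found:
        print(f"{hit.indicator:20s} {hit.line}")
    totals = summarize(found)
    print(totals)
    print("suspicious:", is_suspicious(totals))
```

The service-install line fires two rules (the service name and the dropped executable path), which is why hits are counted per rule rather than per line. The `is_suspicious` threshold is there because a single indicator such as a file named dcpromo.log is weak evidence on its own; the combination of the service, the mutex and the IRC traffic to port 18067 is what characterizes this sample.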

Last update 21 November 2011
