Upon execution, Backdoor.Win32.IRCBot.AAS drops a copy of itself in the Windows System directory as algose32.exe (e.g. C:Windowssystem32algose32.exe). This malware connects to dark.bestunix.org IRC server and joins the channel #!e! with a channel password, using a random nickname. It waits for commands from a remote user. To be able to gain access with the BOT, the remote user should login and type the password of the BOT.



When successfully logged in to the BOT, the remote user can do the following IRC commands:

• Joins/Part an IRC channel
• Send private/channel messages
• Change the BOT's nick
• Quits the IRC server.
• Checks the BOT's ID and version.
• Check the up-time of the BOT
• Logout from the BOT.
• Update the BOT.

And also, the remote user can do the following system commands:

• Opens/Executes/Downloads files.
• Port scanning.
• Access files through a Shell.
• List/Terminate processes.

Autostart Mechanism

This IRCBot creates the following registry key as its auto-start technique:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Offices Monitorse = "%systemdir%algose32.exe"

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
Offices Monitorse = "%systemdir%algose32.exe"

NOTE: %systemdir% is normally 'C:Windowssystem32'


Others

This BOT takes advantage of MS06-040. The specially crafted packet is embedded in the body of this IRCBot and is XOR'ed by 99h. The BOT will then wait for a 'Scan' command from a remote user. In this case, the BOT will send this specially crafted packet to all IP addresses that the remote user specified to the BOT.

The payload of the packet is that, it downloads a file from a URL and executes it. The URL that this BOT downloads the file from is http://www.emr3.net/p[removed].exe. The file uploaded on the said link is currently detected as Backdoor.Win32.IRCBot.wt

Last update 27 April 2007

 

TOP