Backdoor:Win32/IRCbot.gen!S
First posted on 15 December 2009.
Source: SecurityHome
Aliases :
There are no other names known for Backdoor:Win32/IRCbot.gen!S.
Explanation :
Backdoor:Win32/IRCbot.gen!S is a generic detection for a number of variants of the Backdoor:Win32/IRCbot family. Backdoor:Win32/IRCbot is a family of backdoor trojans that allows unauthorized access and control of affected computers.
After a computer is infected, the trojan connects to an IRC server and joins a specified channel in order to receive commands. Commands may vary, but can include instructing the trojan to spread to other computers via network shares with weak passwords, or by exploiting Windows vulnerabilities on targeted machines. Some variants of Backdoor:Win32/IRCbot.gen!S also have the ability to spread via logical and removable drives.
Installation
Backdoor:Win32/IRCbot.gen!S variants install by copying themselves to the <system folder> with a file name that differs according to minor variant. They then run the dropped executable. In the wild, we have observed variants copying themselves to the following locations, for example:

<system folder>\wmispacs.exe
<system folder>\vmwareservice.exe
<system folder>\wmibus.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

Backdoor:Win32/IRCbot.gen!S variants modify a number of registry entries in order to run their copy at each system start, and to facilitate their operations on the affected machine. The following modifications were observed being made by one variant, for example:

Sets value: "GON"
With data: "<path to malware executable>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions

Sets value: "ctfmon.exe"
With data: "ctfmon.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: "ctfmon.exe"
With data: "ctfmon.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

Sets value: "ctfmon.exe"
With data: "ctfmon.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

Sets value: "Debugger"
With data: "<dropped malware file name>.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

Sets value: "C:\WINDOWS\system32\<dropped malware file name>.exe"
With data: "disablenxshowui"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Two of these entries deserve a note. A "Debugger" value under Image File Execution Options\ctfmon.exe makes Windows start the named program (here the dropped copy) whenever ctfmon.exe, a legitimate Windows component normally started at logon, is launched, so the malware runs without needing its own Run entry. The "disablenxshowui" layer under AppCompatFlags\Layers opts the dropped executable out of Data Execution Prevention (DEP).

Some variants of Backdoor:Win32/IRCbot.gen!S create remote threads in the process memory of explorer.exe in order to perform further functions.

Spreads via…

Removable drives
Some variants of Backdoor:Win32/IRCbot.gen!S copy themselves using variable file names to logical or removable drives. They also drop an autorun.inf file to the root directory of the drive, so the dropped copy can be automatically executed when the drive is accessed or media is inserted. For example, one variant drops the following files when spreading in this manner:

<Drive>:\recycler\s-1-6-21-2434476501-1644491937-600003330-1213\desktop.ini
<Drive>:\recycler\s-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe - this file is detected as Backdoor:Win32/IRCbot.gen!S
<Drive>:\autorun.inf - this file is detected as Worm:Win32/Autorun.gen!inf

Exploit
Some variants have the ability to spread by exploiting various Windows vulnerabilities. They scan random IPs on TCP port 445 for vulnerable machines to exploit.

Instant messaging
Variants of Backdoor:Win32/IRCbot.gen!S can be ordered by a remote attacker (using the backdoor functionality mentioned under Payload, below) to spread via instant messaging applications. In these cases, the malware looks for window classes related to IM and if found, hijacks the windows in order to insert a link to itself and send it to the user's contacts.
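The registry modifications listed under Installation are the persistence indicators an analyst would check first on a suspect host. The following triage script is added here as an example and is not code from this write-up or from Microsoft. It parses the text produced by `reg export` (the real tool writes UTF-16; decode it with that encoding before passing it in) and applies one rule per trick the write-up names: an IFEO "Debugger" hijack, an .exe-named value in the SafeBoot Minimal/Network lists, a Run entry whose data is a bare file name, a "disablenxshowui" compatibility layer, and a value under Shell Extensions that points at an executable. The embedded sample export is constructed; wmispacs.exe, one of the observed drop names, stands in for "<dropped malware file name>", and the Windows Defender Run entry is a benign decoy included so the rules have something to leave alone.

```python
import re

# Constructed sample: a trimmed `reg export` of the keys named in the write-up,
# populated with the values it reports for one variant (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"GON"="C:\\WINDOWS\\system32\\wmispacs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"Windows Defender"="C:\\Program Files\\Windows Defender\\MSASCui.exe -hide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmispacs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\wmispacs.exe"="disablenxshowui"
'''

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAFEBOOT_LISTS = {r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal".lower(),
                  r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network".lower()}
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LAYERS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
SHELL_EXT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions"

# "name"="data" or @="data"; hex:/dword: values are not matched and are skipped.
VALUE_RE = re.compile(r'^(?:@|"(.*?)")="(.*)"$')


def parse_reg_export(text):
    """Parse the .reg subset used here: [key] headers and string values -> {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) is None else m.group(1)
                data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """One rule per persistence trick in the write-up; returns (rule, subject, data) tuples."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            # IFEO Debugger: Windows launches the named program whenever the hijacked image starts.
            if k.startswith(IFEO.lower() + "\\") and n == "debugger":
                hits.append(("ifeo_debugger", key.rsplit("\\", 1)[1], data))
            # SafeBoot lists hold service and driver-group names; an .exe-named value is foreign there.
            elif k in SAFEBOOT_LISTS and n.endswith(".exe"):
                hits.append(("safeboot_exe_value", key, name))
            # Heuristic: Run entries normally carry a full path; a bare name is resolved via the search path.
            elif k == RUN.lower() and "\\" not in d:
                hits.append(("run_bare_filename", name, data))
            # Compatibility layer that switches DEP off for the listed binary without any UI.
            elif k == LAYERS.lower() and "disablenxshowui" in d:
                hits.append(("dep_optout", name, data))
            # Shell Extensions normally has no values naming executables; extensions are CLSIDs under ...\Approved.
            elif k == SHELL_EXT.lower() and d.endswith(".exe"):
                hits.append(("shellext_exe_value", name, data))
    return hits


if __name__ == "__main__":
    for rule, subject, data in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:20} {subject!r} -> {data!r}")
```

The rules are deliberately narrow: they report the shapes this family leaves rather than attempting to judge whether a given value is malicious, so every hit still needs an analyst to confirm the referenced file. On a live export the Run rule in particular will surface a few benign entries; treat it as a shortlist, not a verdict.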
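A triage routine for the removable-drive spreading described above, added here as an example rather than code from the write-up or from Microsoft. It builds a throwaway directory laid out like the infected drive, then reports every executable the autorun.inf would launch and every RECYCLER subfolder whose name is not a well-formed S-1-5-21 user SID or which contains an executable. The autorun.inf contents are constructed, since the write-up does not reproduce them; the desktop.ini CLSID is the Recycle Bin's, which is what makes such a folder display as a recycle bin in Explorer.

```python
import pathlib
import re
import shutil
import tempfile

# Constructed autorun.inf (the write-up does not reproduce the real one): both
# open= and shell\open\command= point at the dropped copy inside RECYCLER.
SAMPLE_AUTORUN = """\
[autorun]
open=recycler\\s-1-6-21-2434476501-1644491937-600003330-1213\\autorunme.exe
shell\\open\\command=recycler\\s-1-6-21-2434476501-1644491937-600003330-1213\\autorunme.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Per-user Recycle Bin folders under RECYCLER are named after the user's SID, which for
# local and domain accounts is S-1-5-21-<three subauthorities>-<RID>. "s-1-6-21-..." is not one.
USER_SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$", re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lower-cased key -> value."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Everything autorun.inf can execute: open=, shellexecute= and shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def triage_drive(root):
    """Findings for one drive root as (kind, detail) tuples."""
    root = pathlib.Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        for target in launch_targets(parse_autorun_inf(inf.read_text(errors="replace"))):
            findings.append(("autorun_launch", target))
    for recycler in root.iterdir():
        if recycler.name.lower() != "recycler" or not recycler.is_dir():
            continue
        for sub in recycler.iterdir():
            if not sub.is_dir():
                continue
            if not USER_SID_RE.match(sub.name):
                findings.append(("recycler_bad_sid", sub.name))
            for item in sub.rglob("*"):
                if item.is_file() and item.suffix.lower() == ".exe":
                    findings.append(("recycler_executable", item.relative_to(root).as_posix()))
    return findings


def build_sample_drive():
    """Throwaway directory laid out like the infected drive in the write-up (constructed)."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ircbot_drive_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    bad = root / "recycler" / "s-1-6-21-2434476501-1644491937-600003330-1213"
    bad.mkdir(parents=True)
    # {645FF040-...} is the Recycle Bin CLSID; it makes Explorer show the folder as a recycle bin.
    (bad / "desktop.ini").write_text("[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    (bad / "autorunme.exe").write_bytes(b"MZ")  # placeholder bytes, not a real PE
    (root / "recycler" / "S-1-5-21-1085031214-1844237615-725345543-1003").mkdir()  # genuine-looking bin
    (root / "holiday photos").mkdir()
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    drive = build_sample_drive()
    for kind, detail in triage_drive(drive):
        print(f"{kind:20} {detail}")
    cleanup(drive)
```

Point `triage_drive` at a mounted image or the root of a write-blocked USB stick. The SID check catches this variant's malformed folder name, but a future variant can simply use a valid-looking S-1-5-21 name, which is why the second rule flags any executable under RECYCLER regardless of the folder name.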
Payload
Disables or lowers security settings
Backdoor:Win32/IRCbot.gen!S may attempt to disable security program services and processes. One variant was observed stopping services and processes associated with Nod32, AVG, Sunbelt and AVAST.

Allows backdoor access and control
Backdoor:Win32/IRCbot.gen!S allows unauthorized access and control of an affected machine. We have observed this trojan listening on a random port (e.g. TCP port 20563), and contacting an IRC server in order to receive instruction from a remote attacker. Backdoor commands can include (but are not limited to) actions such as:

Scanning for unpatched computers on the network
Spreading through Instant Messaging
Scanning ports on the network
Downloading and executing remote files
Monitoring network traffic
Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers
Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, network connection information, and IE start page configuration
Retrieving CD keys of games
Uploading/downloading files through FTP
Manipulating processes and services
Conducting denial of service (DoS) attacks
Disabling a list of security processes. For example:
A2HIJACKFREESETUP.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASVIEWER.EXE
ATF-CLEANER.EXE
AUTORUNS.EXE
AVENGER.EXE
AVGARKT.EXE
AVINSTALL.EXE
AVZ.EXE
BC5CA6A.EXE
BOOTSAFE.EXE
BUSCAREG.EXE
CATCHME.EXE
CF9409.EXE
COMBO-FIX.EXE
COMBOFIX.BAT
COMBOFIX.COM
COMBOFIX.EXE
COMBOFIX.SCR
COMMAND.COM
COMPAQ_PROPIETARIO.EXE
CPORTS.EXE
CPROCESS.EXE
CUREIT.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DUBATOOL_AV_KILLER.EXE
ELISTA.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXBAGLE.EXE
FIXPATH.EXE
FOLDERCURE.EXE
FPORT.EXE
FSB.EXE
FSBL.EXE
GMER.EXE
GUARD.EXE
GUARDXKICKOFF.EXE
GUARDXSERVICE.EXE
HACKMON.EXE
HELIOS.EXE
HIJACK-THIS.EXE
HIJACKTHIS.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS_V2.EXE
HJ.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
ISSDM_EN_32.EXE
JAJA.EXE
K7TS_SETUP.EXE
KAKASETUPV6.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
LISTO.EXE
LORDPE.EXE
MBAM-SETUP.EXE
MBAM.EXE
MRT.EXE
MRTSTUB.EXE
MSASCUI.EXE
MSMPENG.EXE
MSNCLEANER.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NETALYZ.EXE
NETSTAT.EXE
NTVDM.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
OTMOVEIT.EXE
P08PROMO.EXE
PAVARK.EXE
PENCLEAN.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.COM
REGEDIT.SCR
REGISTRAR_LITE.EXE
REGMON.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGUNLOCKER.EXE
TSNTEVAL.EXE
XP_TASKMGRENAB.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTKIT_DETECTIVE.EXE
SAFEBOOTKEYREPAIR.EXE
OTMOVEIT3.EXE
HOSTSXPERT.EXE
DAFT.EXE
SDFIX.EXE
SEEM.EXE
SPF.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGPS.EXE
SRESTORE.EXE
STARTDRECK.EXE
SUPERANTISPYWARE.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER.EXE
UNLOCKER1.8.7.EXE
UNLOCKERASSISTANT.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
VIPRE.EXE
VIRUS.EXE
VIRUSUTILITIES.EXE
WINDOWS-KB890930-V2.2.EXE
WIRESHARK.EXE
WITSETUP.EXE
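The Exploit paragraph above and the "Scanning for unpatched computers on the network" command both come down to one host reaching many addresses on TCP port 445 in a short time; the weak-password share spreading mentioned under Explanation has the same footprint. The following detector is added here as an example and is not part of this write-up. It runs over constructed flow records (timestamp, source, destination, destination port) and raises an alert the first time a source has contacted a threshold of distinct destinations on 445 inside a sliding window, so a workstation talking repeatedly to its one file server does not fire. The window and threshold values are assumptions to be tuned to the network being monitored.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow records, not a real capture: "timestamp src dst dport".
# 10.0.0.5 plays the infected host sweeping addresses on 445;
# 10.0.0.9 is a normal workstation using its file server 10.0.0.2.
SAMPLE_FLOWS = """\
2009-12-15T10:00:00 10.0.0.9 10.0.0.2 445
2009-12-15T10:00:01 10.0.0.5 10.0.0.1 53
2009-12-15T10:00:02 10.0.0.5 203.0.113.17 445
2009-12-15T10:00:03 10.0.0.5 198.51.100.42 445
2009-12-15T10:00:04 10.0.0.5 192.0.2.88 445
2009-12-15T10:00:05 10.0.0.9 10.0.0.2 445
2009-12-15T10:00:06 10.0.0.5 203.0.113.201 445
2009-12-15T10:00:07 10.0.0.5 198.51.100.9 445
2009-12-15T10:00:08 10.0.0.5 192.0.2.130 445
2009-12-15T10:00:09 10.0.0.5 203.0.113.64 445
2009-12-15T10:00:10 10.0.0.9 10.0.0.2 445
2009-12-15T10:00:11 10.0.0.5 198.51.100.77 445
2009-12-15T10:00:12 10.0.0.5 192.0.2.5 445
2009-12-15T10:00:13 10.0.0.5 203.0.113.250 445
2009-12-15T10:00:14 10.0.0.5 10.0.0.2 445
2009-12-15T10:00:15 10.0.0.9 10.0.0.2 445
"""

SCAN_PORT = 445
WINDOW_SECONDS = 60          # assumption: tune to the monitored network
DISTINCT_DST_THRESHOLD = 10  # assumption: tune to the monitored network


def parse_flows(text):
    """Parse the four-column text format above into sorted (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    flows.sort()
    return flows


def detect_smb_fanout(flows, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Map src -> (time, distinct destinations) for the first moment src reached
    `threshold` distinct 445/tcp destinations within `window` seconds."""
    recent = defaultdict(deque)  # src -> (ts, dst) for port-445 flows still inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport != SCAN_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window:  # expire flows that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{when.isoformat()} {src} reached {count} distinct hosts on tcp/{SCAN_PORT}")
```

Distinct-destination counting is what separates a scanner from a busy client: the file-server user makes more 445 connections than the threshold in the sample yet never trips it. Feeding this from real flow logs (NetFlow, firewall SYN logs) needs only a different `parse_flows`.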
Analysis by Lena Lin
Last update 15 December 2009