
Backdoor:Win32/IRCbot.GX


First posted on 17 October 2012.
Source: Microsoft

Aliases :

Backdoor:Win32/IRCbot.GX is also known as Suspicious.Emit (Symantec).

Explanation :



Backdoor:Win32/IRCbot.GX is a member of Win32/IRCbot, a broad family of backdoor trojans that give a remote attacker unauthorized access to and control of an affected computer via IRC.

Installation

When executed, Backdoor:Win32/IRCbot.GX copies itself to the following locations:

  • c:\documents and settings\administrator\application data\iygdzez\iygdzez.exe
  • c:\documents and settings\administrator\local settings\temp\iygdzez.exe
The malware uses code injection to hinder detection and removal. When Backdoor:Win32/IRCbot.GX executes, it may inject code into running processes, for example:

  • charmap.exe
  • explorer.exe
  • notepad.exe
Spreads via…

Removable drives

Backdoor:Win32/IRCbot.GX may create the following files on targeted drives when spreading:

  • <targeted drive>:\...lnk
  • <targeted drive>:\..lnk
  • <targeted drive>:\showfiles.exe
  • <targeted drive>:\subst.lnk

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
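As an added triage example (not part of the original description, and not the sample's own autorun.inf, which this page does not reproduce), the following Python script builds a temporary directory laid out like the infected drive root listed above and scans it. The autorun.inf content is constructed: it uses the standard open=, shellexecute= and shell\open\command= launch directives, all pointed at showfiles.exe. The scan flags an autorun.inf whose launch directives resolve to an executable in the drive root, shortcut files whose names consist only of dots, and the specific file names this sample was observed to drop; the "holiday.jpg" file is a made-up benign neighbour.

```python
import os
import tempfile

# File names this sample was observed to drop in the root of a targeted drive
# (from the description above).
OBSERVED_ROOT_FILES = {"showfiles.exe", "subst.lnk", "..lnk", "...lnk"}

# Constructed autorun.inf: the page does not reproduce the sample's real one,
# so this uses the standard launch directives pointed at the dropped executable.
SAMPLE_AUTORUN_INF = """[autorun]
open=showfiles.exe
shellexecute=showfiles.exe
shell\\open\\command=showfiles.exe
label=My Files
"""

def parse_autorun_inf(text):
    """Minimal INI parser: returns key=value pairs under [autorun] with keys
    lower-cased, since Windows treats section and key names case-insensitively."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def is_launch_directive(key):
    # open=, shellexecute= and shell\<verb>\command= all name a program to run.
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def scan_drive_root(root):
    """Return (severity, category, detail) findings for one drive root."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="utf-8",
                  errors="replace") as fh:
            directives = parse_autorun_inf(fh.read())
        for key, value in directives.items():
            if not is_launch_directive(key) or not value:
                continue
            # First token of the command, quotes stripped, reduced to a file name.
            target = value.split()[0].strip('"').replace("\\", "/").lower()
            base = os.path.basename(target)
            if base in names:
                findings.append(("high", "autorun-exec",
                                 f"{key}= launches root-level {names[base]}"))
            else:
                findings.append(("medium", "autorun-exec",
                                 f"{key}= references {value!r}"))
    for lower, original in names.items():
        if lower.endswith(".lnk") and set(lower[:-4]) <= {"."}:
            # Shortcuts named only with dots hide among the '.' and '..' entries of
            # a listing; os.path.splitext() treats such names as having no
            # extension, so the suffix is checked by hand.
            findings.append(("medium", "dot-shortcut", original))
        elif lower in OBSERVED_ROOT_FILES:
            findings.append(("medium", "observed-name", original))
    return findings

def build_sample_drive(infected=True):
    """Create a temp directory laid out like the drive root described above
    (constructed test data) and return its path."""
    root = tempfile.mkdtemp(prefix="drive_")
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        for name in OBSERVED_ROOT_FILES:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ" if name.endswith(".exe") else b"L\x00\x00\x00")
    return root

if __name__ == "__main__":
    for finding in sorted(scan_drive_root(build_sample_drive())):
        print(*finding)
```

On the constructed drive the scan reports three high findings (one per launch directive) and four medium ones; a drive holding only holiday.jpg yields nothing. Point scan_drive_root at a real mounted drive root to triage it; remember that a legitimate installation CD may also carry an autorun.inf, so the launch-directive finding is a reason to look at the target file, not proof of infection on its own.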
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is common malware behavior, generally used to spread from computer to computer. Note also that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Modifies system security settings

Backdoor:Win32/IRCbot.GX modifies the affected computer's security settings by making the following changes to the registry:

    • The malware adds itself to the list of trusted processes that are authorized to access the network by making the following registry modification:

      Adds value: "C:\Documents and Settings\Administrator\Application Data\IyGdZEZ\IyGdZEZ.exe"
      To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • The malware adds itself to the list of applications that are authorized to access the Internet without being stopped by the Firewall, by making the following registry modification:

      Adds value: "C:\Documents and Settings\Administrator\Application Data\IyGdZEZ\IyGdZEZ.exe"
      With data: "c:\documents and settings\administrator\application data\iygdzez\iygdzez.exe:*:enabled:internet explore"
      To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
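The AuthorizedApplications\List values above use the Windows Firewall format path:scope:state:displayname, which is what makes the entry for this sample stand out: the executable sits under Application Data and the display name ("internet explore") has nothing to do with the file name. The script below is an added example (not part of the original description) that audits a `reg export` of that key offline. The export text is constructed: the IyGdZEZ line reproduces the value documented above, the firefox.exe and sessmgr.exe lines are benign entries added for contrast. The same check applies unchanged to the DomainProfile list.

```python
import os
import re

# Constructed sample of `reg export` output for the StandardProfile list.
# The IyGdZEZ line reproduces the value documented above; the other two are
# benign-looking entries added here for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\Application Data\\IyGdZEZ\\IyGdZEZ.exe"="c:\\documents and settings\\administrator\\application data\\iygdzez\\iygdzez.exe:*:enabled:internet explore"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# "name"="data" lines of a .reg file; backslash-backslash and backslash-quote
# are the escapes that format uses.
REG_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directory fragments a non-admin user can write to. A firewall exception for an
# executable under one of these deserves a look: installers normally place
# network-facing programs under Program Files or the system directory.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\local settings\\temp\\", "\\appdata\\",
    "\\temp\\", "\\documents and settings\\", "\\users\\",
)

def reg_unescape(s):
    # Undo .reg escaping: each backslash-escaped character becomes itself.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return (value_name, value_data) pairs from `reg export` text."""
    entries = []
    for line in text.splitlines():
        m = REG_VALUE_LINE.match(line.strip())
        if m:
            entries.append((reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries

def split_authorized_app(data):
    """Split 'path:scope:state:displayname'; rsplit keeps the drive colon in the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected AuthorizedApplications format: {data!r}")
    path, scope, state, display = parts
    return path, scope, state.lower() == "enabled", display

def assess_entry(value_name, data):
    path, scope, enabled, display = split_authorized_app(data)
    lowered = path.lower()
    reasons = []
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable directory")
    stem = os.path.splitext(os.path.basename(lowered.replace("\\", "/")))[0]
    # Display names starting with '@' are localized resource references
    # (dll,-id), so a mismatch there is expected rather than suspicious.
    if not display.startswith("@") and stem not in display.lower():
        reasons.append(f"display name {display!r} does not match executable {stem!r}")
    if value_name.lower() != lowered:
        reasons.append("value name and data path differ")
    return {"path": path, "scope": scope, "enabled": enabled,
            "display": display, "reasons": reasons}

def audit_firewall_list(reg_text):
    return [assess_entry(name, data) for name, data in parse_reg_export(reg_text)]

if __name__ == "__main__":
    for entry in audit_firewall_list(SAMPLE_REG_EXPORT):
        flag = "SUSPECT" if entry["reasons"] else "ok"
        print(f"[{flag}] {entry['path']} ({entry['display']}) "
              + "; ".join(entry["reasons"]))
```

To use it on a live host, run `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" list.reg` and feed the file contents to audit_firewall_list. Treat the reasons as review prompts: a legitimately installed program with a branded display name that differs from its file name will also trip the mismatch check, which is why the sample entry scores on two independent heuristics while the contrast entries score on none.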
Allows backdoor access and control

The malware allows unauthorized access to and control of an affected computer. Using Backdoor:Win32/IRCbot.GX, an attacker can perform any number of actions on the affected computer, including but not limited to the following:
  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files

This malware description was produced and published using our automated analysis system's examination of file SHA1 483be8bc71f3db60b236074304bb06fa10ae49f3.

Last update 17 October 2012
