IRC/Backdoor.g

Type: Trojan
SubType: Remote Access
Discovery Date: 01/31/2003
Length: Varies
Minimum DAT: 4247 (02/12/2003)
Updated DAT: 4252 (03/12/2003)
Minimum Engine: 5.1.00
Description Added: 02/03/2003
Description Modified: 03/10/2003 10:42 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This trojan consists of two mIRC script files and a batch file. It is distributed in a self-extracting archive along with several other trojans and attack tools. The mIRC scripts let a remote IRC user send commands to these various trojans. One package received contained the following components.

The two script files use the bundled trojans and applications to attack remote systems and to conceal the package's presence on the host system. They also provide the following functions:
  1. Downloading and execution of remote files
  2. Creation of a remote shell
  3. Acting as a proxy server
  4. Calling the included batch file:
    • The batch file attempts to connect to the IPC$ share on remote systems specified by the remote attacker. Using the RemoteProcessLaunch application, it installs the trojan on every remote system to which the host system has write and execute access. That access can result from the logged-on user having sufficient permissions on the target systems (for example, a domain administrator), or from the trivial username/password pairs hard-coded in the batch file. This spreading is lateral movement over legitimate SMB access rather than exploitation of a software vulnerability: systems that do not accept the hard-coded credentials and do not grant the infected host's user administrative rights are not reached.

Symptoms

Unexpected outbound traffic on TCP port 6667 (the default IRC port) from the infected host. When the attacker issues the spread command, the host also makes SMB connections to the IPC$ share on other systems, including failed logon attempts on systems where the hard-coded credentials are not accepted.
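The two network behaviours above (an outbound IRC session and one host fanning out to IPC$ on many other systems) can be hunted for in connection logs. The following script is an added example, not code from the original page or from the vendor; the log format, the sample lines and the fan-out threshold are all constructed assumptions for illustration. Denied SMB attempts are counted on purpose, because the batch file's trial of trivial credentials leaves failures behind as part of the signal.

```python
"""Hunt for the network behaviours this page attributes to IRC/Backdoor.g:
an outbound IRC connection (TCP 6667) and a single host connecting to the
IPC$ share on many other systems. Input is a constructed connection log."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format):
# "timestamp src dst dport action share"
SAMPLE_LOG = """\
2003-02-12T10:00:01 10.0.0.7 203.0.113.5 6667 ALLOW -
2003-02-12T10:00:05 10.0.0.7 10.0.0.12 445 ALLOW IPC$
2003-02-12T10:00:06 10.0.0.7 10.0.0.13 445 DENY IPC$
2003-02-12T10:00:06 10.0.0.7 10.0.0.14 445 ALLOW IPC$
2003-02-12T10:00:07 10.0.0.7 10.0.0.15 139 DENY IPC$
2003-02-12T10:00:09 10.0.0.7 10.0.0.16 445 ALLOW IPC$
2003-02-12T10:05:00 10.0.0.21 10.0.0.9 445 ALLOW C$
2003-02-12T10:06:00 10.0.0.21 198.51.100.8 443 ALLOW -
"""

IRC_PORTS = {6667}            # default IRC port named in the Symptoms section
SMB_PORTS = {139, 445}        # NetBIOS session and direct-hosted SMB
IPC_FANOUT_THRESHOLD = 3      # distinct IPC$ targets per source; assumed value, tune locally


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    share: str


def parse_log(text):
    """Parse the constructed log format into Event records, skipping blank/comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, action, share = line.split()
        events.append(Event(ts, src, dst, int(dport), action, share))
    return events


def find_irc_clients(events):
    """Hosts that completed an outbound connection on an IRC port."""
    return sorted({e.src for e in events if e.dport in IRC_PORTS and e.action == "ALLOW"})


def find_ipc_fanout(events, threshold=IPC_FANOUT_THRESHOLD):
    """Hosts that touched IPC$ on at least `threshold` distinct systems.
    Denied attempts count too: the batch file tries trivial credentials,
    so failures are part of the pattern."""
    targets = defaultdict(set)
    for e in events:
        if e.dport in SMB_PORTS and e.share == "IPC$":
            targets[e.src].add(e.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def suspects(events):
    """Sources showing both behaviours are the strongest candidates for this trojan."""
    irc = set(find_irc_clients(events))
    fanout = find_ipc_fanout(events)
    return sorted(irc & set(fanout))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IRC clients:", find_irc_clients(evs))
    print("IPC$ fan-out:", find_ipc_fanout(evs))
    print("Suspects:", suspects(evs))
```

On the constructed sample, 10.0.0.7 is flagged on both counts; 10.0.0.21 is not, because a single C$ connection and an HTTPS session match neither pattern. Port 6667 alone is a weak indicator on a network where IRC is legitimately used, so the combined check is the one worth alerting on.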

Method of Infection

A self-extracting executable file drops this trojan, along with other threats. Trojans do not self-replicate. However, this trojan can accept a remote command to "spread" to other systems.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection. Because the batch file can install the trojan on every system the infected host can reach over IPC$, scan those systems as well, and change any account whose password matches one of the trivial pairs hard-coded in the batch file.

Variants

    N/A