IRC-Yoink
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 02/17/2003
- Length: 330.615 bytes (decimal)
- Minimum DAT: 4250 (02/26/2003)
- Updated DAT: 4328 (02/25/2004)
- Minimum Engine: 5.1.00
- Description Added: 02/17/2003
- Description Modified: 02/26/2003 5:16 PM (PT)
Characteristics
The entry for IRC-Yoink was added to cover detection of a malicious 32-bit PE binary file called "SYSCLEAN.EXE". Note that the name might vary. The file was created using the Borland Delphi development environment. The file size was 330.615 bytes (decimal), and the file was compressed internally with NeoLite.
When the file was run in a test environment, little activity was observed, but this may depend on the specific circumstances of the test. IRC-Yoink can connect to IRC servers on port 6667. Comments in the packed file include "powered by VorteX IRC" and "Vortex v2.5", as well as links to specific websites, which are deliberately omitted here. The trojan has backdoor functionality: it can listen on ports, and it can scan ports in the range 1-65535. Remote attackers can use it to capture data such as login names and passwords. It may also send UDP packets and IGMP packets and perform e-mail bombing/mass mailing, using an SMTP server and the registry key Software\Microsoft\Internet Account Manager\Accounts. Numerous messages may be displayed on screen; one example is "You're infected with the xxxxhead virus", where xxxx stands in for the actual text.
Symptoms
- Presence of a 330.615-byte (decimal) file called "SYSCLEAN.EXE"; the name might vary.
- Unexpected/high volume of traffic on port 6667.
Method of Infection
- The malicious file can be transmitted over IRC or sent deliberately to a user as a disguised message/attachment.
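The two symptoms listed above (the file on disk and the port 6667 traffic) can be checked with a script such as this added example, which is not McAfee's tooling. It assumes that "330.615 bytes (decimal)" means 330615 bytes, uses a constructed flow-log format, and its names and thresholds are illustrative.

```python
# Added detection helper for the IRC-Yoink symptoms above; not McAfee code.
# Assumes "330.615 bytes (decimal)" = 330615 bytes; the log format is constructed.
import os
import re
from collections import Counter

IRC_PORT = 6667
SUSPECT_SIZE = 330615           # assumed size of SYSCLEAN.EXE in bytes
SUSPECT_NAME = "sysclean.exe"   # advisory notes the name may vary

# Constructed sample firewall/flow log (not a real capture).
SAMPLE_FLOW_LOG = """\
2003-02-17 10:01:02 TCP 192.0.2.10:1034 -> 198.51.100.7:6667 SYN
2003-02-17 10:01:03 TCP 192.0.2.10:1035 -> 198.51.100.7:6667 SYN
2003-02-17 10:01:09 TCP 192.0.2.10:1036 -> 198.51.100.7:6667 SYN
2003-02-17 10:02:00 TCP 192.0.2.11:1122 -> 203.0.113.5:80 SYN
2003-02-17 10:02:30 TCP 192.0.2.12:1200 -> 198.51.100.9:6667 SYN
"""
FLOW_RE = re.compile(r"^\S+ \S+ (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def irc_talkers(log_text, threshold=2):
    """Count TCP connections to port 6667 per source IP and keep hosts above
    `threshold` (the advisory's 'high volume of traffic on port 6667')."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["dport"]) == IRC_PORT:
            counts[m["src"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def classify_file(name, size):
    """Reasons a file matches the file symptom: 'name' for SYSCLEAN.EXE (any
    case), 'size' for an exact size match. Size alone is weak evidence."""
    reasons = []
    if name.lower() == SUSPECT_NAME:
        reasons.append("name")
    if size == SUSPECT_SIZE:
        reasons.append("size")
    return reasons

def suspect_files(root):
    """Walk `root` and yield (path, reasons) for every flagged file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = classify_file(name, os.path.getsize(path))
            if reasons:
                yield path, reasons
```

A size-only hit from `suspect_files` should be triaged with a current engine and DAT scan rather than deleted outright, since many unrelated files can share a size.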
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- SSBoT
- Vortex