BackDoor-ASE

Type: Trojan
SubType: Remote Access
Discovery Date: 03/25/2003
Length: 110,592 bytes
Minimum DAT: 4255 (04/02/2003)
Updated DAT: 4679 (01/20/2006)
Minimum Engine: 5.1.00
Description Added: 03/25/2003
Description Modified: 03/25/2003 9:46 AM (PT)
Risk Assessment: Low (Corporate User), Low (Home User)

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Rsbot (NAV)
  • Remote Script bot

Characteristics

This detection is for an IRC-based remote access trojan written in Visual Basic.

The exact filename of the trojan may vary; at least one field sample seen by AVERT used the name MSAPP.EXE. Once running on the victim machine, the IRC bot hooks system startup by adding the following Registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinApp32" = MSAPP.EXE

It also hooks the shell= line in the [boot] section of SYSTEM.INI (honoured by Windows 9x/ME, which launches every program listed there at logon), for example:

[boot]
shell=EXPLORER.EXE MSAPP.EXE
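
Both hooks can be checked offline. The following Python is an added example and not AVERT tooling: it parses a SYSTEM.INI file and a .reg export of the Run key (as produced by regedit /e) and reports the WinApp32 value and any executable appended to the [boot] shell= line. The sample inputs are constructed for the demonstration; the indicator names (WinApp32, MSAPP.EXE, the Run key) are the ones given in this description.

```python
"""Offline check for the BackDoor-ASE startup hooks described above.

Added example; this is not AVERT tooling. It parses text exports so it runs
without a Windows host: a SYSTEM.INI file and a .reg export (regedit /e) of
the Run key. The sample inputs below are constructed for the demonstration.
"""
import re

# Indicators taken from the description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinApp32"
DROPPED_FILE = "MSAPP.EXE"


def boot_shell_extras(system_ini_text):
    """Return every token on the [boot] shell= line other than explorer.exe.

    Windows 9x/ME starts whatever is listed on that line at logon, so an
    appended executable is a persistence hook. Parsing is done by hand
    because configparser rejects the duplicate keys common in SYSTEM.INI.
    """
    section = None
    extras = []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "boot":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            extras.extend(t for t in value.split() if t.lower() != "explorer.exe")
    return extras


def run_key_hits(reg_export_text):
    """Return (name, data) pairs under the Run key that match the indicators.

    A value is reported if its name is WinApp32 or its data references
    MSAPP.EXE, so a sample that renamed the value but kept the file still trips.
    """
    hits = []
    in_run_key = False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        if not m:
            continue  # default value (@=) or non-string data: not a named string Run entry
        name, data = m.group(1), m.group(2)
        if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_FILE.lower() in data.lower():
            hits.append((name, data))
    return hits


def check_host(system_ini_text, reg_export_text):
    """Combine both checks into one result dictionary."""
    return {
        "system_ini_extras": boot_shell_extras(system_ini_text),
        "run_key_hits": run_key_hits(reg_export_text),
    }


# Constructed samples: one infected layout, one clean.
INFECTED_SYSTEM_INI = """[boot]
shell=EXPLORER.EXE MSAPP.EXE
drivers=mmsystem.dll
[386Enh]
device=*vmm32
"""
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WinApp32"="MSAPP.EXE"
"""
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""

if __name__ == "__main__":
    print(check_host(INFECTED_SYSTEM_INI, INFECTED_REG))
    print(check_host(CLEAN_SYSTEM_INI, CLEAN_REG))
```

On a live host the same logic would read the Run key with reg query or Get-ItemProperty instead of a .reg export; matching on the file name as well as the value name is what catches a sample whose Run entry was renamed but which still points at MSAPP.EXE.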

The trojan attempts to connect to a remote IRC server and, if successful, sends notification data about the victim machine (username, machine name). It then tries to join a remote IRC channel, where it waits for commands. Exact functionality varies between versions, but typically includes remote commands such as:

  • delete files
  • download file
  • return system information (memory, computer details etc)
  • initiate UDP flood
  • remote share scan (scan for remote accessible shares, eg. IPC$)
  • self update

Symptoms

  • unexpected outbound traffic to TCP port 6667 on remote servers (IRC)
  • Registry and SYSTEM.INI hook described above
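
The network symptom is the easier one to watch for at scale. The following Python is an added example, not part of the original description: it scans a constructed, cut-down Zeek-style conn.log for internal hosts opening outbound TCP connections to port 6667 on external addresses, collapsing repeats into a per-server count. The column set in FIELDS, the RFC 1918 ranges used to define "internal", and the sample log lines are assumptions made for the demonstration.

```python
"""Flag internal hosts that open outbound IRC (TCP/6667) connections.

Added example, not from the original description. Input is a constructed,
cut-down Zeek-style conn.log: tab-separated, with only the columns listed in
FIELDS. Real conn.log files carry more columns, so read the #fields header
instead of hard-coding FIELDS when adapting this.
"""
import ipaddress
from collections import defaultdict

FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
IRC_PORTS = {6667}

# Assumed definition of "internal": the RFC 1918 ranges. Adjust to the site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def irc_beacons(conn_log_text, ports=IRC_PORTS):
    """Map each internal source host to {external IRC server: connection count}.

    Only TCP is considered (IRC runs over TCP), and internal-to-internal
    traffic is excluded because a corporate IRC server is a legitimate
    destination. The count per server lets a host that reconnects regularly
    stand out from a one-off connection.
    """
    servers = defaultdict(dict)  # src -> {dst: connection count}
    for raw in conn_log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        rec = dict(zip(FIELDS, raw.split("\t")))
        if rec.get("proto") != "tcp":
            continue
        try:
            dport = int(rec["id.resp_p"])
            src, dst = rec["id.orig_h"], rec["id.resp_h"]
        except (KeyError, ValueError):
            continue  # short or malformed line
        if dport in ports and is_internal(src) and not is_internal(dst):
            servers[src][dst] = servers[src].get(dst, 0) + 1
    return {src: dict(dsts) for src, dsts in servers.items()}


# Constructed log: host .15 reconnects to an external IRC server, .20 browses
# the web and sends one UDP datagram to 6667, .31 talks to an internal IRC server.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1048600000.1\t10.1.2.15\t1034\t203.0.113.7\t6667\ttcp",
    "1048600012.4\t10.1.2.15\t1035\t203.0.113.7\t6667\ttcp",
    "1048600020.0\t10.1.2.20\t1301\t198.51.100.9\t80\ttcp",
    "1048600033.8\t10.1.2.20\t1302\t203.0.113.7\t6667\tudp",
    "1048600040.2\t10.1.2.31\t1100\t10.1.2.5\t6667\ttcp",
])

if __name__ == "__main__":
    for src, dsts in irc_beacons(SAMPLE_CONN_LOG).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}:6667 ({n} connections)")
```

Legitimate IRC use exists and a bot's server may listen on a non-standard port, so treat a hit as a lead to pair with the startup-hook check rather than a verdict; if the server port is known, adding it to IRC_PORTS is the only change needed.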

Method of Infection

AVERT has received the main component of this trojan as a standalone file. However, it is likely to be received bundled with other files, possibly as part of an installer package.

Removal

All Users:
Use the specified engine and DAT files (see Minimum DAT and Minimum Engine above) for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A