Content

IRC/Flood.y.dr

Type
Trojan
SubType
Dropper
Discovery Date
04/30/2002
Length
Varies
Minimum DAT
4202 (05/08/2002)
Updated DAT
4856 (09/20/2006)
Minimum Engine
5.1.00
Description Added
05/09/2003
Description Modified
05/09/2003 11:45 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

There are several versions of this trojan dropper. This description is only meant as a guide and describes a recent version (discovered May 7, 2003). Newer variants may require the latest DAT files.

At the time of this writing, this trojan is being downloaded by the Downloader-BO trojan. The file, named l.exe (616,653 bytes), is a UPX-packed self-extracting RAR package. The 4.2.40 engine detects the compressed files within the executable when scanning archives and compressed executables. The 4263 DAT files detect this l.exe file as IRC/Flood.y.dr with default scanner settings.

The trojan consists of the mIRC Internet Relay Chat client program and trojan mIRC script files. It allows a remote attacker to use the infected system to attack other systems, to upload and download files, and to route traffic through the infected system as a proxy. When run, it creates the following files in a folder named USER within the WINDOWS directory:

  • b.eXe
  • bnc.conf
  • bnc.help
  • By.eXe
  • cl.eXe
  • drx2.inf
  • hw.eXe
  • ib.eXe
  • pr.eXe
  • s1.eXe
  • s2.eXe
  • s3.eXe
  • si.eXe
  • sn.eXe
  • u.eXe
  • us.eXe
  • v.eXe
A registry run key is created to run the trojan at startup.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "eXe" = c:\Winnt\User\By.eXe
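The files and the run key listed above are the host-based indicators a responder would check for. The following PowerShell script is an added example, not McAfee's tooling: it reads the indicators from this description and reports them without deleting anything, leaving removal to the recommended engine and DAT files. It assumes a host where PowerShell is available and resolves the WINDOWS directory from $env:WINDIR rather than the literal c:\Winnt quoted above; the third check, which flags any Run value launching something from the USER folder regardless of the value name, goes beyond the description and is a constructed generalisation for newer variants.

```powershell
# Added example (not McAfee's own code): read-only check for the IRC/Flood.y.dr
# indicators given in this description. Reports only; cleaning is left to the
# recommended engine/DAT combination.

# Assumption: WINDOWS directory taken from $env:WINDIR instead of the hard-coded
# c:\Winnt in the description, so the check works on any install path.
$userDir      = Join-Path $env:WINDIR 'User'
$droppedFiles = @('b.eXe','bnc.conf','bnc.help','By.eXe','cl.eXe','drx2.inf','hw.eXe','ib.eXe',
                  'pr.eXe','s1.eXe','s2.eXe','s3.eXe','si.eXe','sn.eXe','u.eXe','us.eXe','v.eXe')
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'eXe'     # from the description: Run "eXe" = c:\Winnt\User\By.eXe

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped files in %WINDIR%\User. Match is on file name only; the folder
#    existing on its own is not evidence of infection.
if (Test-Path -LiteralPath $userDir -PathType Container) {
    foreach ($name in $droppedFiles) {
        $path = Join-Path $userDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $findings.Add([pscustomobject]@{
                Indicator = 'DroppedFile'
                Detail    = $item.FullName
                Note      = "$($item.Length) bytes, modified $($item.LastWriteTime)"
            })
        }
    }
}

# 2. The startup hook exactly as described: a Run value named "eXe".
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$runValueName]) {
    $findings.Add([pscustomobject]@{
        Indicator = 'RunKey'
        Detail    = "$runKey\$runValueName"
        Note      = $runProps.$runValueName
    })
}

# 3. Constructed generalisation: any Run value, whatever its name, that launches
#    something from the USER folder. Newer variants may rename the value.
if ($runProps) {
    $providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($prop in $runProps.PSObject.Properties) {
        if ($prop.Name -in $providerProps -or $prop.Name -eq $runValueName) { continue }
        if ("$($prop.Value)" -like '*\User\*') {
            $findings.Add([pscustomobject]@{
                Indicator = 'RunKey (generalised)'
                Detail    = "$runKey\$($prop.Name)"
                Note      = $prop.Value
            })
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Possible IRC/Flood.y.dr indicators found; scan with the recommended engine and DAT files to clean.'
} else {
    Write-Output 'No IRC/Flood.y.dr indicators found on this host.'
}
```

Run it from an elevated PowerShell prompt so HKEY_LOCAL_MACHINE is readable; the output is a table of matched indicators, which is what you would attach to an incident note before running the scanner to clean.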

Symptoms

Presence of the aforementioned files and registry key.

Method of Infection

This trojan may be downloaded by a downloader trojan. Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.IRC.Lampsy (Symantec)
  • Backdoor.IRC.Mox (AVP)
  • Troj/Flood-Y (Sophos)
