IRC/Flood.cd

Type
Trojan
SubType
Win32
Discovery Date
05/19/2003
Length
Varies
Minimum DAT
4267 (05/28/2003)
Updated DAT
4305 (11/19/2003)
Minimum Engine
5.1.00
Description Added
05/23/2003
Description Modified
07/30/2003 2:56 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

There are multiple versions of this trojan. This description is meant as a guide. Newer variants may require the latest DAT files for detection.

This detection is for an Internet Relay Chat (IRC) bot/DDoS tool. Exact details vary according to the actions wanted by the attacker who assembles the package, which is delivered via a dropper file.

The main dropper file is approximately 850kB in length. When run, a series of files are dropped into a specific directory on the local disk. In at least one variant received by AVERT, the directory was:

C:\WINNT\INF

The following list summarises the files that will typically be unpacked into this folder. Note: exact filenames and filesizes may vary.

  • BOOTNT.DLL (33,792 bytes) - this is an application for extracting information from the victim machine, detected as application MotherboardMonitor (with application-type detections enabled).
  • MSVS32.BAT (2,367 bytes) - this is a trojan batch script which attempts to connect to remote machines (their IPC$ share) using the following username/password combinations:

    Password        User
    (blank)         Administrator
    (blank)         administrator
    Admin           Administrator
    admin           Administrator
    Administrator   Administrator
    administrator   Administrator
    changeme        Administrator
    abc             Administrator
    abc123          Administrator
    123             Administrator
    1234            Administrator
    12345           Administrator
    123456          Administrator
    321             Administrator
    4321            Administrator
    54321           Administrator
    654321          Administrator
    pass            Administrator
    Pass            Administrator
    password        Administrator
    Password        Administrator
    admin           Admin
    admin           admin
    123             Admin
    1234            Admin
    12345           Admin
    123456          Admin
    321             Admin
    4321            Admin
    54321           Admin
    654321          Admin
    (blank)         root
    root            root
    Student         Student
    student         student
    Teacher         Teacher
    teacher         teacher
    Test            Test
    test            test
    User            User
    user            user
    guest           Guest


  • NTLIB32.EXE (25,600 bytes) - this is an application for viewing/managing processes, detected as application PrcView (with application-type detections enabled).
  • NTNWSYS.OCX (3,064 bytes) - this is a trojan IRC script, detected as IRC/Flood.cd.
  • NTZM32.DLL (44,585 bytes) - this is a trojan IRC script, detected as IRC/Flood.cd. The script contains the following text:

    blue-fuzion bot
    blue-fuzion bot crew owns you


  • NWBT32.BAT (1,249 bytes) - this is a trojan batch script for deleting shares, detected as IRC/Flood.cd.
  • PCC32.EXE (38,400 bytes) - this is the RemoteProcessLaunch application.
  • SMC32.EXE (20,480 bytes) - this is the HideWindow application used to hide the mIRC client GUI.
  • TSKDBG.EXE (560,128 bytes) - this is a mIRC client, detected as IRC/Flood.cd.mirc.
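
The IPC$ guessing performed by MSVS32.BAT is easiest to spot on the machines being targeted rather than on the infected host, because each failed attempt is logged there as a failed network logon. The following script is an added example written for this page, not code from the trojan or from AVERT's analysis: it looks for the burst of failed network logons against the account names in the list above. The export format it parses and the log lines it generates are constructed for the example; event IDs 529 and 4625 are the standard Windows failed-logon events (NT/2000/XP and Vista-and-later respectively).

```python
r"""Detect the IPC$ credential spray that MSVS32.BAT generates (added example).

Every failed `net use \\victim\IPC$ <password> /user:<name>` attempt is
recorded on the victim as a failed network logon in the Security log: event
529 on the NT/2000/XP hosts this bot targeted, event 4625 on later Windows.
Because the bot walks a fixed list of about forty username/password pairs,
a victim sees a burst of failures for a handful of account names from one
source address within a few seconds. That burst is what this script finds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names taken from the credential list on this page (matched case-insensitively).
SPRAYED_ACCOUNTS = {"administrator", "admin", "root", "student",
                    "teacher", "test", "user", "guest"}
FAILED_LOGON_IDS = {529, 4625}
NETWORK_LOGON = 3   # logon type used by SMB/IPC$ connections


def parse_events(text):
    """Parse a pipe-delimited export: time|event_id|logon_type|account|source_ip
    (a format constructed for this example, not a Windows export format)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, account, src = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, src))
    return events


def detect_spray(events, window_seconds=60, min_failures=10):
    """Return {source_ip: (failures, sorted_accounts)} for every source that
    produced at least min_failures failed network logons against sprayed
    account names inside some window_seconds-long interval."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, eid, ltype, account, src in events:
        if eid in FAILED_LOGON_IDS and ltype == NETWORK_LOGON \
                and account.lower() in SPRAYED_ACCOUNTS:
            by_src[src].append((ts, account))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        best, best_accounts, lo = 0, set(), 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:   # slide the window's left edge
                lo += 1
            if hi - lo + 1 > best:
                best = hi - lo + 1
                best_accounts = {account for _, account in items[lo:hi + 1]}
        if best >= min_failures:
            hits[src] = (best, sorted(best_accounts))
    return hits


def build_sample():
    """Constructed Security-log export (not real data): one host spraying the
    list, one host failing just as often but slowly, and one mistyped password."""
    t0 = datetime(2003, 5, 20, 10, 14, 0)
    lines = []
    tried = ["Administrator"] * 8 + ["Admin", "Admin", "root", "Guest"]
    for i, account in enumerate(tried):          # 12 failures in 6 seconds
        at = t0 + timedelta(seconds=i // 2)
        lines.append(f"{at.isoformat()}|529|3|{account}|10.0.0.7")
    for i in range(12):                          # 12 failures, two minutes apart
        at = t0 + timedelta(minutes=2 * i)
        lines.append(f"{at.isoformat()}|529|3|Administrator|10.0.0.11")
    for i in range(2):                           # a person mistyping their own password
        at = t0 + timedelta(seconds=i)
        lines.append(f"{at.isoformat()}|529|3|jsmith|10.0.0.9")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (count, accounts) in detect_spray(parse_events(build_sample())).items():
        print(f"spray from {src}: {count} failures against {accounts}")
```

Run as-is it reports only 10.0.0.7; the slow source 10.0.0.11 is only flagged if the window is widened (for example window_seconds=3600), which is the trade-off between catching throttled guessing and alerting on ordinary lockout noise. Feed it real data by exporting the failed-logon events from the Security log into the same five-field layout.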

Typically, the mIRC client will be installed to run at system startup, via a Registry key. For example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"taskdebug" = C:\WINNT\INF\TSKDBG.EXE

(The Registry value name, the mIRC client directory and the mIRC client filename may all vary between variants.)

Symptoms

Presence of the files described above in a directory on the infected machine. Unexpected outgoing traffic to a remote IRC server (destination TCP port 6667).
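
The Registry entry shown above and the symptoms listed here can be checked together. The following script is an added example, not code from this page or from AVERT: it flags Run entries that launch a program from the INF directory (which normally holds driver .inf/.pnf files, not executables) or that name one of the dropped files, classifies executable-type files found in that directory against the known name/size set, and picks outbound TCP connections to port 6667 out of a connection log. The Run values, the directory listing and the connection-log format are constructed for the example; the dropped-file names and sizes are those listed on this page, and the port set is deliberately limited to the one the page names.

```python
r"""Triage a host for the IRC/Flood.cd symptoms described on this page (added example).

Three checks, each over constructed input so the script runs offline:
  1. Run-key values that launch an executable from %SystemRoot%\INF, or that
     name one of the dropped files wherever it sits.
  2. Executable-type files present in the INF directory, split into the known
     dropped set (name and size match) and anything else, which does not
     belong there either.
  3. Outbound TCP connections to the IRC port from a connection log.
"""
import ntpath   # Windows path semantics regardless of the platform running the script
import re

# Files the page lists for the analysed sample (name -> size in bytes);
# other variants may use different names and sizes.
DROPPED_FILES = {
    "BOOTNT.DLL": 33792, "MSVS32.BAT": 2367, "NTLIB32.EXE": 25600,
    "NTNWSYS.OCX": 3064, "NTZM32.DLL": 44585, "NWBT32.BAT": 1249,
    "PCC32.EXE": 38400, "SMC32.EXE": 20480, "TSKDBG.EXE": 560128,
}
EXECUTABLE_EXT = {".exe", ".dll", ".bat", ".ocx", ".com", ".cmd", ".scr"}
IRC_PORTS = {6667}   # the port named on this page; widen for variants that use others


def command_path(command):
    """Extract the program path from a Run value such as '"C:\\x y.exe" /a' or
    'C:\\x.exe /a'. Unquoted paths containing spaces are a known gap of this
    deliberately simple parser."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values, system_root=r"C:\WINNT"):
    """Return {value_name: reason} for Run entries that launch from the INF
    directory or that name one of the dropped files."""
    inf_dir = ntpath.normcase(ntpath.join(system_root, "INF"))
    findings = {}
    for name, command in run_values.items():
        path = command_path(command)
        base = ntpath.basename(path).upper()
        if ntpath.normcase(ntpath.dirname(path)) == inf_dir:
            findings[name] = f"launches {base} from the INF directory"
        elif base in DROPPED_FILES:
            findings[name] = f"launches known dropped file {base}"
    return findings


def suspicious_inf_files(listing):
    """Classify executable-type files found in the INF directory.
    Returns (known, unexpected): known = name and size match the dropped set,
    unexpected = any other executable, which should not be there either."""
    known, unexpected = [], []
    for name, size in listing:
        if ntpath.splitext(name)[1].lower() not in EXECUTABLE_EXT:
            continue
        if DROPPED_FILES.get(name.upper()) == size:
            known.append(name)
        else:
            unexpected.append(name)
    return known, unexpected


# Constructed connection-log layout: "<date> <time> TCP <src>:<sport> -> <dst>:<dport>"
CONN_RE = re.compile(r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def irc_connections(conn_log, ports=IRC_PORTS):
    """Return [(timestamp, src_ip, dst_ip, dport)] for TCP flows to an IRC port."""
    hits = []
    for line in conn_log.strip().splitlines():
        m = CONN_RE.match(line)
        if m and int(m["dport"]) in ports:
            hits.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return hits


# Constructed inputs (not real artefacts from an infected machine).
SAMPLE_RUN_VALUES = {
    "taskdebug": r"C:\WINNT\INF\TSKDBG.EXE",                     # the entry shown on this page
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min',  # benign-looking entry
    "helper": r"C:\WINNT\system32\PCC32.EXE",                    # dropped file placed elsewhere
}
SAMPLE_INF_LISTING = [
    ("oem1.inf", 1200), ("oem1.PNF", 5100),                      # what INF normally holds
    ("TSKDBG.EXE", 560128), ("NTZM32.DLL", 44585), ("MSVS32.BAT", 2367),
    ("ZZUPD32.EXE", 12800),                                      # executable outside the known set
]
SAMPLE_CONN_LOG = """\
2003-05-20 10:15:02 TCP 10.0.0.7:1035 -> 203.0.113.5:6667
2003-05-20 10:15:04 TCP 10.0.0.7:1036 -> 203.0.113.9:80
2003-05-20 10:16:10 TCP 10.0.0.12:1201 -> 198.51.100.2:6667
2003-05-20 10:16:11 TCP 10.0.0.12:1202 -> 198.51.100.2:443
"""

if __name__ == "__main__":
    for value, reason in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"Run\\{value}: {reason}")
    known, unexpected = suspicious_inf_files(SAMPLE_INF_LISTING)
    print(f"known dropped files in INF: {known}; other executables: {unexpected}")
    for ts, src, dst, port in irc_connections(SAMPLE_CONN_LOG):
        print(f"{ts} {src} -> {dst}:{port} (IRC)")
```

The directory check is deliberately wider than the name list: because the page warns that filenames and sizes vary between variants, the useful signal is any executable living in a directory that should contain only .inf and .pnf files, with the exact name/size match serving to confirm which variant is present.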

Method of Infection

The trojan is installed via an SFX (self-extracting archive) dropper file, which may itself be received by many vectors (email, download, P2P, etc.).

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Klys (Panda)
