IRC-Contact
- Type: Trojan
- SubType: Internet Relay Chat
- Discovery Date: 04/04/2005
- Length: 106,381 Bytes
- Minimum DAT: N/A (03/19/2009)
- Updated DAT: 5558 (03/19/2009)
- Minimum Engine: 5.1.00
- Description Added: 04/20/2004
- Description Modified: 06/21/2006 2:19 AM (PT)
Characteristics
The bot component of IRC-Contact gives an attacker unauthorized remote access to the compromised machine, on which the attacker can perform the following actions:
- Retrieve system information
- Download files from specified URLs
- Execute programs remotely
- Start and stop services
- Perform DDoS attacks
- Uninstall the bot
Once running, the bot component connects to a predefined IRC server and channel on a predefined port, awaiting commands from the attacker.
Symptoms
When the bot component is executed, IRC-Contact drops the following files:
- %System%\Pathname.exe
- %System%\Pathname.dll
In an attempt to make the dropped files harder to find, their attributes may be changed to hidden and system.
The following Registry entry is modified so that the Trojan runs at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "pathname" = %System%\Pathname.exe
Note: %System% is a variable location and refers to the Windows system directory.
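The two symptoms above (a Run value pointing into %System% and a dropped executable with Hidden+System attributes, with a companion .dll beside it) can be checked together from PowerShell. This is an added, read-only audit script, not part of the McAfee description; the file name is unknown in advance ("Pathname" is a placeholder), so it inspects every Run value rather than looking for a fixed name.

```powershell
# Added example: audit HKLM Run entries for the IRC-Contact persistence pattern.
# Read-only; it reports findings and changes nothing.

function Get-ExecutablePath([string]$commandLine) {
    # Reduce a Run value ("C:\x\y.exe" /arg  or  C:\x\y.exe /arg) to the executable path
    $s = $commandLine.Trim()
    if ($s.StartsWith('"')) { $s = $s.Substring(1).Split('"')[0] }
    else { $s = $s.Split(' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($s)
}

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$systemDir = [Environment]::SystemDirectory   # what the description calls %System%
$psNoise   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$entries = Get-ItemProperty -Path $runKey
foreach ($prop in $entries.PSObject.Properties) {
    if ($prop.Name -in $psNoise) { continue }
    $exe = Get-ExecutablePath ([string]$prop.Value)

    # Only targets inside the Windows system directory match the described symptom
    if ($exe -notlike "$systemDir\*") { continue }

    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Output "Run value '$($prop.Name)' points to a missing file: $exe"
        continue
    }

    # -Force is required, otherwise Get-Item skips hidden/system files
    $item   = Get-Item -LiteralPath $exe -Force
    $hidden = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    $system = $item.Attributes.HasFlag([IO.FileAttributes]::System)

    if ($hidden -and $system) {
        Write-Output "SUSPICIOUS: Run value '$($prop.Name)' -> $exe (Hidden+System)"
        # The description lists a .dll dropped next to the .exe with the same base name
        $dll = [IO.Path]::ChangeExtension($exe, '.dll')
        if (Test-Path -LiteralPath $dll) { Write-Output "  companion DLL present: $dll" }
    }
}
```

Any hit is a lead for the DAT/Engine scan described under Removal, not a verdict on its own, since legitimate software occasionally sets the same attributes.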
Method of Infection
IRC-Contact doesn't self-replicate. It is spread manually, often under the pretense that the executable is something beneficial.
It may also be received as a result of poor security practices, or on unpatched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
All Information
Overview
IRC-Contact is an IRC controlled backdoor, which consists of a bot component and a bot editor component. This description is for the bot component of IRC-Contact.
Aliases
- Backdoor.IrcContact - Symantec
- Backdoor.Win32.IrcContact.30 - Kaspersky
- Win32.Coiboa.G - Pest Patrol
- Win32/Contact.C - CA eTrust