W32/IRCbot.gen

Type: Virus
SubType: Generic
Discovery Date: 06/07/2005
Length: varies
Minimum DAT: 4794 (06/27/2006)
Updated DAT: 5772 (10/15/2009)
Minimum Engine: 5.1.00
Description Added: 06/07/2005
Description Modified: 02/25/2008 4:34 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/IrcBot is an IRC-controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can take control of the compromised computer and use it to send spim (instant-messaging spam) or to install further malware.

Upon execution, it drops a copy of the bot into the currently logged-on user's temp directory:

%Temp%\svcghost.exe

It also drops the following non-malicious files as part of its installation routine:

image.jpg
temp_.txt

Adds the following value to the registry so that it starts automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Master = "%Temp%\svcghost.exe"

Symptoms

Connects to the following websites to further download malicious files:

  • http://www.{BLOCKED}ight.com/wz.exe
  • http://{BLOCKED}.a1423.wrs.mcboo.com/17pholmes.cmt

Adds itself to the built-in Windows Firewall authorized-applications list, so that its network traffic on the infected machine is neither blocked nor flagged as suspicious, via the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

%Temp%\svcghost.exe="%User Temp%\svcghost.exe:*:Enabled:Master"
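The two registry artifacts above (the autorun value under the Run key and the AuthorizedApplications\List entry) are both easy to check for offline. The following is an added example, not part of the original advisory or any McAfee tooling: it parses the firewall list's `path:scope:state:display` value format, splitting from the right so that a drive-letter colon in the path is preserved, and flags autorun or firewall entries whose executable lives in a temp directory or whose filename matches the dropper named above. The input is a constructed dict shaped like a registry export (the vendor's `%Temp%`/`%User Temp%` placeholders are kept as they appear on the page, and expanded `\Temp\` paths are handled too); on a live host the same functions would be fed from `winreg`.

```python
"""Offline check for the persistence and firewall-evasion indicators
described in the advisory.  All sample values are constructed for this
example and do not come from a real host."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Filename named in the advisory; extend from your own threat intel.
KNOWN_DROPPER_NAMES = {"svcghost.exe"}

# Substrings marking a user-writable temp location, in both the vendor's
# %Temp% / %User Temp% notation and in expanded paths.
TEMP_MARKERS = ("%temp%", "%user temp%", "\\temp\\", "\\tmp\\",
                "\\local settings\\temp\\")

# Constructed sample: two benign-looking entries, the advisory's two
# indicators, and one malformed firewall entry.
SAMPLE_VALUES: Dict[str, Dict[str, str]] = {
    RUN_KEY: {
        "Master": r'"%Temp%\svcghost.exe"',
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    FW_LIST_KEY: {
        r"%Temp%\svcghost.exe": r"%User Temp%\svcghost.exe:*:Enabled:Master",
        r"C:\Program Files\Vendor\app.exe":
            r"C:\Program Files\Vendor\app.exe:*:Enabled:Vendor App",
        "junk": "not-a-valid-entry",
    },
}


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reason: str


def parse_firewall_entry(value: str) -> Optional[Dict[str, str]]:
    """Split 'path:scope:state:display' into its fields.

    The path may itself contain ':' (drive letter), so split from the
    right; anything that does not yield four fields is treated as malformed."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, display = parts
    return {"path": path, "scope": scope, "state": state, "display": display}


def path_in_temp(path: str) -> bool:
    """True if the path points into a temp directory (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def classify(path: str) -> Optional[str]:
    """Return why an executable path is suspicious, or None if it is not."""
    reasons = []
    if ntpath.basename(path).lower() in KNOWN_DROPPER_NAMES:
        reasons.append("filename matches advisory indicator")
    if path_in_temp(path):
        reasons.append("executable lives in a temp directory")
    return "; ".join(reasons) or None


def scan(values: Dict[str, Dict[str, str]] = SAMPLE_VALUES) -> List[Finding]:
    """Walk both keys and collect findings worth an analyst's attention."""
    findings: List[Finding] = []

    for name, data in values.get(RUN_KEY, {}).items():
        path = data.strip().strip('"')  # autorun values are often quoted
        reason = classify(path)
        if reason:
            findings.append(Finding(RUN_KEY, name, path, reason))

    for name, data in values.get(FW_LIST_KEY, {}).items():
        entry = parse_firewall_entry(data)
        if entry is None:
            findings.append(Finding(FW_LIST_KEY, name, data,
                                    "malformed authorized-application entry"))
            continue
        reason = classify(entry["path"])
        if reason:
            findings.append(Finding(FW_LIST_KEY, name, entry["path"],
                                    f"{reason} (state={entry['state']})"))
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.key}\n  {f.name} -> {f.path}\n  {f.reason}")
```

Running the block as written reports three findings from the constructed sample: the `Master` autorun value, the enabled firewall exception for `svcghost.exe`, and the entry that does not parse. Malformed entries are surfaced rather than skipped, since an analyst reviewing the list wants to know about values the parser could not interpret.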

The bot then attempts to join the following IRC server and waits for instructions:

  • IRC Server: elena.ccpower.ru
  • Channel: #.nigger
  • Port: 4873

Once the bot connects to the IRC server, a remote attacker can use it to spam copies of itself over instant messaging. With complete control over the compromised computer, a remote attacker can use it to execute malicious commands.

Method of Infection

The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

AVERT recommends always using the latest DATs and engine; with that combination this threat will be detected and cleaned.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

W32/IrcBot is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Aliases

  • Backdoor.IRC.Bot (Symantec)
  • BackDoor.Ircbot (GriSoft)
  • Backdoor.Win32.IRCBot (Kaspersky)
