IRC-Stinx

Type
Trojan
SubType
-
Discovery Date
06/13/2005
Length
29,184 bytes
Minimum DAT
4513 (06/14/2005)
Updated DAT
4607 (10/18/2005)
Minimum Engine
5.1.00
Description Added
06/14/2005
Description Modified
06/14/2005 10:39 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This IRC bot trojan was mass-spammed on June 13, 2005 attached to an email message as follows:

Subject: Fw: Photo approval needed
Body:

Please note: forwarded message attached

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our July edition of Business Review Monthly. Can you check over the format and get back to us with your approval or any changes you would like.

If the photograph is not to your liking then please attach a preferred one. We have attached the photo and article here.

Kind regards,

John Andrews
Dept. Marketing
http://www.FlexiPrint.com


Attachment: photo-approval-needed.zip (containing photo-approval-needed.scr)

When run, this trojan attempts to connect to two IRC servers on TCP port 6667:

  • 69.31.78.132
  • 69.31.73.179
  • 66.252.2.190
  • irc.skene.net

The trojan allows a remote attacker to download and execute arbitrary programs.

Symptoms

This trojan copies itself to the WINDOWS SYSTEM directory as svcmfte32.exe and creates 2 registry run keys to load itself at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MainStart" = svcmfte32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MainStart" = svcmfte32.exe

The trojan uses NETSH to add itself to the Windows Firewall allowed programs list.
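The indicators above (the IRC servers and port in the Characteristics section, the dropped file and Run values here, and the NETSH firewall change) can be matched against host and network telemetry. The following is an added example, not code from the advisory or from McAfee: a small Python matcher run over constructed sample data. It assumes registry values arrive as (key, name, data) triples, flow records as dicts with `dst`/`dport`, and process command lines as strings; the exact NETSH argument form is not given on the page, so the regex only requires a netsh firewall invocation that names the dropped file.

```python
import re

# Indicators taken from the advisory: C2 hosts, port, dropped file, Run value.
C2_HOSTS = {"69.31.78.132", "69.31.73.179", "66.252.2.190", "irc.skene.net"}
C2_PORT = 6667
DROPPED_FILE = "svcmfte32.exe"
RUN_VALUE_NAME = "MainStart"
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}


def check_run_values(values):
    """values: (key_path, value_name, data) triples, as a registry export would
    yield (assumed input shape). Flags the MainStart value, or any Run value
    whose data points at the dropped file, under either key the advisory names."""
    hits = []
    for key, name, data in values:
        if key.lower().rstrip("\\") not in RUN_KEYS:
            continue
        if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
            hits.append((key, name, data))
    return hits


def check_connections(events):
    """events: dicts with 'dst' and 'dport' (constructed flow records).
    Both the destination and TCP/6667 must match, so ordinary IRC traffic to
    other servers, or other traffic to these hosts, is not flagged."""
    return [e for e in events
            if e["dport"] == C2_PORT and e["dst"].lower() in C2_HOSTS]


# The advisory says NETSH adds the file to the firewall allow list; the exact
# argument form is assumed, so match loosely on "netsh ... firewall ... <file>".
NETSH_RE = re.compile(r"\bnetsh\b.*\bfirewall\b.*" + re.escape(DROPPED_FILE), re.I)


def check_command_lines(cmdlines):
    """cmdlines: process command-line strings (e.g. from process-creation logs)."""
    return [c for c in cmdlines if NETSH_RE.search(c)]


def scan(run_values, flows, cmdlines):
    """Run all three checks and return the matches grouped by indicator type."""
    return {
        "persistence": check_run_values(run_values),
        "c2": check_connections(flows),
        "firewall": check_command_lines(cmdlines),
    }


# Constructed sample data (not real telemetry): two true hits per category
# plus benign look-alikes that must not match.
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MainStart", "svcmfte32.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MainStart", "svcmfte32.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "69.31.78.132", "dport": 6667},
    {"src": "10.0.0.5", "dst": "irc.skene.net", "dport": 6667},
    {"src": "10.0.0.5", "dst": "irc.example.org", "dport": 6667},  # unrelated IRC server
    {"src": "10.0.0.5", "dst": "69.31.73.179", "dport": 80},       # listed host, other port
]
SAMPLE_CMDLINES = [
    r"netsh firewall add allowedprogram C:\WINDOWS\system32\svcmfte32.exe svcmfte32 ENABLE",
    r"netsh interface ip show config",
]

if __name__ == "__main__":
    for category, hits in scan(SAMPLE_RUN_VALUES, SAMPLE_FLOWS, SAMPLE_CMDLINES).items():
        print(f"{category}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The connection check deliberately requires both the host and the port, since the advisory ties the C2 traffic to TCP 6667; a broader hunt would drop the port condition and treat any contact with the listed hosts as suspicious.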

Method of Infection

This trojan was mass-spammed as an email attachment. Manually running the attachment infects the local machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Win32.IRCBot.br (Kaspersky)
  • Troj/Stinx-A (Sophos)
