IRC-Itlebot
- Type: Trojan
- SubType: Internet Relay Chat
- Discovery Date: 08/06/2005
- Length: 44,834 bytes (dropper) 14,876 bytes
- Minimum DAT: 4552 (08/08/2005)
- Updated DAT: 4562 (08/18/2005)
- Minimum Engine: 5.1.00
- Description Added: 08/06/2005
- Description Modified: 08/06/2005 2:55 PM (PT)
Characteristics
This IRC Bot trojan was mass-spammed on August 6, 2005 attached to a message as follows:
From: noreply@ukcards.com
Please note: All charges to your statement Order Information Customer Service Delivery Address You can download your purchase agreement here, please keep this
Attachment: iPod Purchase Agreement.zip (containing ipod purchase agreement.scr)
The purpose of this trojan is to connect to a remote IRC server and wait for instructions to download and execute another file.
Symptoms
When run, the trojan dropper creates a file begonia.exe in the WINDOWS SYSTEM directory and creates a registry Run key value to load it at system startup, such as:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Litebot" = C:\WINDOWS\System32\begonia.exe
The trojan attempts to connect to the IRC server sluts.skene.net or irc.skene.net on TCP port 6667.
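A triage check built from the indicators listed above, as an added example that is not part of the original description. The `reg query` output layout and the connection-log layout (timestamp, source, destination host, port) are assumptions, and all sample data is constructed.

```python
import re

# Indicators taken from the description above.
RUN_VALUE = "litebot"
IRC_HOSTS = {"sluts.skene.net", "irc.skene.net"}
IRC_PORT = 6667
# begonia.exe as a whole file name, whatever directory spelling or quoting precedes it.
DROPPED_FILE = re.compile(r'(?i)(?:^|[\\/"\s])begonia\.exe(?=$|["\s])')
# Assumed layout of one `reg query` value line: name, type, data.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def run_key_hits(reg_query_output):
    """Return (value name, reason) for Run-key values matching the indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        if m.group("name").lower() == RUN_VALUE:
            hits.append((m.group("name"), "value name"))
        elif DROPPED_FILE.search(m.group("data")):
            hits.append((m.group("name"), "file name"))
    return hits


def irc_hits(log_lines):
    """Return (source, host) for connections to the listed IRC servers on TCP 6667."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or not fields[3].isdigit():
            continue  # malformed record
        host = fields[2].lower().rstrip(".")
        if host in IRC_HOSTS and int(fields[3]) == IRC_PORT:
            hits.append((fields[1], host))
    return hits


# Constructed sample data (not captured from a real host or network).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Litebot    REG_SZ    C:\WINDOWS\System32\begonia.exe
    Updater    REG_EXPAND_SZ    "%SystemRoot%\system32\BEGONIA.EXE" /q
"""
SAMPLE_LOG = [
    "2005-08-06T15:02:11 10.0.0.23 irc.skene.net 6667",
    "2005-08-06T15:02:40 10.0.0.23 SLUTS.SKENE.NET. 6667",
    "2005-08-06T15:03:02 10.0.0.31 irc.example.org 6667",
    "2005-08-06T15:03:09 10.0.0.23 irc.skene.net 80",
]
```

The Run-key check also flags begonia.exe under a different value name, since the description gives the "Litebot" entry only as an example ("such as").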
Method of Infection
This trojan may be proactively detected as New Malware.n with the released DAT files when scanning with program heuristics enabled via server and on-demand scanners. The IRC traffic related to this threat is blocked by default Access Protection rules in the VirusScan 8.0i product.
This trojan was seeded via mass-spamming. Unlike viruses, trojans do not self-replicate.
Removal
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- LiteBot