IRC/Flood.dr
- Type
- Trojan
- SubType
- Dropper
- Discovery Date
- 08/15/2006
- Length
- varies
- Minimum DAT
- N/A (06/04/2009)
- Updated DAT
- 5636 (06/04/2009)
- Minimum Engine
- 5.2.00
- Description Added
- 08/15/2006
- Description Modified
- 09/11/2008 5:45 PM (PT)
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
This detection is for a package that drops an IRC/Flood trojan. Typically these packages include custom mIRC scripts that are designed to join IRC channels, attack remote systems, provide information about the infected system to an IRC user, etc.
- Contains its own SMTP engine for constructing messages
- Spoofs the From: address using the value postcards@hallmark.com
- Sent messages contain the subject: You've received A Hallmark E-Card!
- Attempts to propagate through popular P2P networks by copying itself to popular P2P software shared directories using the following filenames:
- absolute video converter 3.07.exe
- acker dvd ripper 2008.exe
- adobe acrobat reader keygen.exe
- adobe soundbooth cs3.exe
- anti-trojan elite v4.01.exe
- aol password cracker.exe
- ashampoo powerup v3.10.exe
- bitdefender antivirus 2008 keygen.exe
- boilsoft dvd ripper 2.82.exe
- canvas security framework 2008 limited with 50 0day.exe
- cleanmypc registry cleaner v4.02.exe
- daemon tools pro 4.10.218.0.exe
- divx 5.0 pro keygen.exe
- download boost 2.0.exe
- email spider.exe
- error doctor 2008.exe
- google adsense clicking bot.sfx.exe
- Hotmail account bruteforcer bot.exe
- Hotmail spammer bot.exe
- Icepack IDT Gold edition 2008 LEAKED.exe
- Microsoft Visual Basic KeyGen.exe
- Microsoft Visual C++ KeyGen.exe
- Microsoft Visual Studio KeyGen.exe
- Mirc Keygen.exe
- Norton Anti-Virus 2008 Enterprise Crack.exe
- Password Cracker.exe
- PC Secuity Tweaker 7.6.exe
- ProRat 2.0 Special Edition.exe
- Shadow Security Scanner 10 Gold.exe
- Sophos antivirus updater bypass.exe
- Super Utilities Pro 2008 8.0.1980.exe
- SuperRam 5.1.28.2008.exe
- Tarantula Full version CRACKED by RaZoR.exe
- TCN ISO cable modem hacking tools.exe
- TCN ISO SigmaX2 firmware.bin.exe
- VmWare ESX GSX server keygen.exe
- VmWare keygen.exe
- VMware Workstation 6 Windows keygen.exe
- Windows 2003 Advanced Server KeyGen.exe
- Wow Glider incl serial.SFX.exe
- Youtube Music Downloader 1.0.exe
- YZdock Machintos osX like toolbar for windows.exe
- The following Registry keys are added:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
F-Secure Gatekeeper="[Random Name].exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
F-Secure Gatekeeper="[Random Name].exe"
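The following PowerShell is an added check and not part of McAfee's description: it looks in the seven keys listed above for the "F-Secure Gatekeeper" startup value and reports the executable it points to. The value name borrows a legitimate F-Secure component name, so what distinguishes an infection is the data, a random-named .exe rather than a file under an F-Secure installation.

```powershell
# Added example, not McAfee's code: report the "F-Secure Gatekeeper" startup value
# that IRC/Flood.dr writes to the keys named in this description.
$valueName = 'F-Secure Gatekeeper'
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\Software\Microsoft\OLE',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }     # key absent on this host
    $item = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                        # value absent under this key
    $data = [string]$item.$valueName

    # The dropper writes "[Random Name].exe" with no path; try the bare value and the
    # usual Windows search locations so the file can be collected for analysis.
    $exe = $data.Trim('"')
    $candidates = @($exe, "$env:SystemRoot\$exe", "$env:SystemRoot\System32\$exe")
    $onDisk = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    [pscustomobject]@{ Key = $key; Data = $data; FileOnDisk = $onDisk }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No '$valueName' value found under the listed keys." }
```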
Symptoms
- Existence of the files and Registry keys detailed here.
- Copies of the worm with the enticing filenames used for P2P propagation.
- A garbage text file is opened and displayed in Notepad.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A