W32/IRCbot!DF6280E5

Type: Virus
SubType: Internet Relay Chat
Discovery Date: 07/31/2007
Length: 102,400 bytes
Minimum DAT: 5089 (08/02/2007)
Updated DAT: 5089 (08/02/2007)
Minimum Engine: 5.1.00
Description Added: 07/31/2007
Description Modified: 07/31/2007 10:18 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/IRCbot.gen!df6280e5 has the following attributes:

File size: 102,400 bytes
MD5: 6F34582340CE868152138D955BB28EB9
CRC32: DF6280E5

Upon execution, it copies itself to the following location:

  • C:\RECYCLER\nvscvse.exe

It also adds the following value under the Run key so that the dropped copy is started at logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Net Command Senter" = C:\RECYCLER\nvscvse.exe

It injects itself into the "explorer.exe" process and attempts to connect to the following hosts:

https.[removed].COM
69.[removed].253.16

The bot has the following capabilities:

  • download/upload files
  • run files
  • email relay
  • run IRC commands

Symptoms

  • Presence of the files or registry elements previously mentioned
  • Unexpected network communication to the mentioned hosts
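The first symptom can be checked directly on a suspect host. The following PowerShell script is an added example, not McAfee's tooling or part of the original description; it looks for the dropped file and the Run value named above, confirming a file hit against the documented size and MD5. The function name `Test-IrcbotIndicators` is hypothetical, and the script assumes it is run with administrative rights so that the hidden RECYCLER folder and HKLM are readable.

```powershell
# Added triage check for the indicators in this description (not vendor code).
# Path, Run value name, size and MD5 are taken from the description above.
$ExpectedMd5  = '6F34582340CE868152138D955BB28EB9'
$ExpectedSize = 102400
$DropPath     = 'C:\RECYCLER\nvscvse.exe'
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValueName = 'Net Command Senter'

function Test-IrcbotIndicators {
    # Hypothetical helper name; returns one record per indicator found.
    $findings = @()

    # 1. Dropped copy at the documented path (RECYCLER is hidden, hence -Force).
    #    A path hit alone is reported; size and MD5 decide whether it is this exact sample.
    if (Test-Path -LiteralPath $DropPath) {
        $item  = Get-Item -LiteralPath $DropPath -Force
        $md5   = (Get-FileHash -LiteralPath $DropPath -Algorithm MD5).Hash
        $exact = ($item.Length -eq $ExpectedSize) -and ($md5 -ieq $ExpectedMd5)
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Location  = $DropPath
            Detail    = "size=$($item.Length) md5=$md5 exact_sample=$exact"
        }
    }

    # 2. Persistence: the Run value "Net Command Senter".
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValueName]) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Location  = "$RunKey\$RunValueName"
            Detail    = $run.$RunValueName
        }
    }

    # 3. Any other Run value that launches something from C:\RECYCLER,
    #    in case the value name differs from the documented sample.
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -ne $RunValueName -and "$($p.Value)" -like '*\RECYCLER\*') {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'
                    Location  = "$RunKey\$($p.Name)"
                    Detail    = $p.Value
                }
            }
        }
    }

    return $findings
}

$result = Test-IrcbotIndicators
if ($result.Count -eq 0) {
    'No indicators from this description were found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it in an elevated session; an empty result only means these particular indicators are absent, so the DAT-based scan in the Removal section remains the authoritative check.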

Method of Infection

Propagation methods appear to include email, SMB networking, instant messaging (Yahoo, AIM, ICQ, MSN), weak password exploitation (including SQL) and possibly others. Infection could also be achieved through download and execution by other malware.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This page describes one specific sample of the W32/IRCbot.gen family; the sample is detected under the unqualified family name.

Aliases

  • Backdoor.Win32.Agent.aox (Kaspersky)
  • Backdoor.Win32.IRCbot.z (Rising)
