Linux/DDoS-Kaiten

Type: Trojan
SubType: Denial of Service
Discovery Date: 09/30/2002
Length: 37,237 bytes
Minimum DAT: 4228 (10/09/2002)
Updated DAT: 5004 (04/09/2007)
Minimum Engine: 5.1.00
Description Added: 09/30/2002
Description Modified: 10/04/2002 11:38 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This is an IRC-based distributed denial of service client. It connects to a hardcoded list of IRC servers and accepts commands via a specific IRC channel.

Each client is identified by a nickname so it is possible for the attacker to issue commands to a specific client, to a group of clients or broadcast to all clients connected to the specified servers. It is able to execute various commands transmitted through the IRC channel:

  • PUSH+ACK flooder
  • SYN flooder
  • UDP flooder
  • Non-spoofed UDP flooder
  • Downloads files off the web
  • Sends commands to the IRC server
  • Executes commands on the infected host

Note: A variant of this trojan is carried by the Slapper worm. This variant tries to connect to the IRC server irc.zyclonicz.net, channel #devnull.
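As an added defender-side example (not McAfee's code), the following Python flags hosts whose IRC traffic matches the two indicators named above, the server irc.zyclonicz.net and the channel #devnull; it assumes a hypothetical IDS/proxy log export of one IRC command per line and uses constructed sample lines.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above (Slapper-carried variant).
KAITEN_SERVER = "irc.zyclonicz.net"
KAITEN_CHANNEL = "#devnull"

# Constructed sample log (not a real capture); assumed format: "<ts> <src_ip> <dst_host> <raw IRC line>".
SAMPLE_LOG = """\
2002-10-01T03:12:07Z 10.0.0.5 irc.zyclonicz.net NICK kx7f2q
2002-10-01T03:12:07Z 10.0.0.5 irc.zyclonicz.net USER kx7f2q 0 * :kx7f2q
2002-10-01T03:12:08Z 10.0.0.5 irc.zyclonicz.net JOIN #devnull
2002-10-01T03:15:44Z 10.0.0.9 irc.freenode.net JOIN #linux
2002-10-01T03:16:02Z 10.0.0.12 irc.example.org JOIN #devnull,#chat
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<cmd>[A-Za-z]+)\s*(?P<args>.*)$")

@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    severity: str  # "high": server and channel both match; "medium": one indicator only
    reason: str

def classify(rec):
    """Return (severity, reason) for a parsed log record, or None if nothing matches."""
    reasons = []
    if rec["dst"].lower() == KAITEN_SERVER:
        reasons.append("connects to " + KAITEN_SERVER)
    if rec["cmd"].upper() == "JOIN" and rec["args"]:
        # JOIN may carry a comma-separated channel list; channel names are case-insensitive.
        channels = {c.lower() for c in rec["args"].split()[0].split(",")}
        if KAITEN_CHANNEL in channels:
            reasons.append("joins " + KAITEN_CHANNEL)
    if not reasons:
        return None
    # The channel name alone is weak evidence (any network may have a #devnull),
    # so only server plus channel is rated high; either one alone is medium.
    return ("high" if len(reasons) == 2 else "medium", "; ".join(reasons))

def scan(log_text):
    """Return one Hit per log line that matches at least one indicator; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        verdict = classify(m.groupdict()) if m else None
        if verdict:
            hits.append(Hit(m["ts"], m["src"], m["dst"], *verdict))
    return hits
```

Running `scan(SAMPLE_LOG)` rates the host that both connects to the named server and joins #devnull as high, and the remaining single-indicator lines as medium.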

Symptoms

The computer holds a connection to the IRC server and channel named above (irc.zyclonicz.net, #devnull).

Method of Infection

It is installed by a variant of Linux/Slapper, which itself is installed by an OpenSSL exploit.

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links (vendor security update pages):

  • Caldera
  • Debian
  • FreeBSD
  • Redhat
  • Sun
  • SuSe

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
