Backdoor:Win32/IRCbot.gen!K is a generic detection for a family of IRC-controlled backdoor trojans. These may perform certain activities when commanded to do so by a remote attacker, such as downloading and executing arbitrary files and collecting system information.
Installation
When executed, malware detected as Backdoor:Win32/IRCbot.gen!K typically copies itself to the '%windir%' directory or one of its subdirectories, such as '<system folder>' or '%windir%\system'. It also generally performs activities to ensure that it will run upon system startup. For example, it may register itself as a service, or create a registry entry under a subkey such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing to the location of the malware.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
For example, one sample copies itself to '%windir%\system\wmisync.exe' and registers itself as a service with a Display Name of "Wmi Sync Manager".
Another sample copies itself to '<system folder>\klass.exe' and creates the following registry entries:
Adds value: "Windows Service Agent"
With data: "klass.exe"
To subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
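As an added example (not part of the original encyclopedia entry), the read-only PowerShell triage script below checks the autorun keys, service registration and file locations described above for the indicators this entry names. The value name, file names and service display name come from the text; the %windir%\system heuristic for service binaries and the output format are assumptions.

```powershell
# Added example: read-only check of the persistence locations this entry describes.
# Indicators below are taken from the entry; nothing is modified on the host.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectValueNames   = @('Windows Service Agent')          # registry value name from the entry
$suspectFileNames    = @('klass.exe', 'wmisync.exe')        # file names from the entry
$suspectDisplayNames = @('Wmi Sync Manager')                # service display name from the entry
$suspectPaths        = @("$env:windir\system\wmisync.exe", "$env:windir\System32\klass.exe")

$findings = @()

# 1. Autorun registry values: match on the value name or on a known file name in the data.
foreach ($key in $autorunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip PowerShell's own metadata properties
        $data = [string]$p.Value
        $nameHit = $suspectValueNames -contains $p.Name
        $fileHit = @($suspectFileNames | Where-Object { $data -match [regex]::Escape($_) }).Count -gt 0
        if ($nameHit -or $fileHit) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Data = $data }
        }
    }
}

# 2. Services: match on the display name, or on a binary under %windir%\system
#    (assumed heuristic: legitimate service binaries normally live in System32, not there).
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = [string]$svc.PathName
    $oddLocation = $path -match [regex]::Escape("$env:windir\system\")
    if ($suspectDisplayNames -contains $svc.DisplayName -or $oddLocation) {
        $findings += [pscustomobject]@{ Source = 'Win32_Service'; Name = $svc.Name; Data = "$($svc.DisplayName) -> $path" }
    }
}

# 3. Dropped-file locations named in the entry.
foreach ($f in $suspectPaths) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Source = 'FileSystem'; Name = (Split-Path $f -Leaf); Data = $f }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from this entry were found.' }
```

Run from an elevated prompt so the HKLM keys and all service definitions are readable; any hit is a lead for further investigation, not a confirmed infection on its own.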
Spreads Via...
Malware detected as Backdoor:Win32/IRCbot.gen!K typically attempts to spread to other systems on the network when commanded to do so by the remote attacker. It may spread by exploiting weak passwords and software vulnerabilities on unpatched systems.
Other variants may also spread via instant messaging programs, or by copying themselves to removable drives.
Payload
Backdoor Functionality
Once installed, Backdoor:Win32/IRCbot.gen!K connects to an IRC server with a specified location and port, for example:
- sec.republicofskorea.info via port 8082
- efnet.no-ip.org via port 230
It then awaits commands from a remote attacker. These commands may include (but are not limited to) the following:
- Download and execute arbitrary files
- Update itself
- Start or stop spreading
- Collect system information
- Run various servers on the system
- Send email or instant messages
- Participate in Distributed Denial of Service (DDoS) attacks
Additional Information
Malware detected as Backdoor:Win32/IRCbot.gen!K may also be detected as malware belonging to the following families:
Analysis by David Wood