Threat behavior
Backdoor:Win32/IRCbot is a Trojan that connects to a remote Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot also includes the ability to send itself to MSN Messenger contacts.
Backdoor:Win32/IRCbot may be installed by Backdoor:Win32/IRCbot!8497, a 32-bit PE executable. When the installer is run, it performs the following actions:
- Drops a file 'syshosts.dll' into the Windows system folder. This file may be detected as Backdoor:Win32/IRCbot!751D.
- Modifies the registry run this file when Windows is started:
Adds value: syshosts
With data: {5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Adds value: @
With data: syshosts.dll
To subkey:
HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32\
- Lastly, IRCbot!8497 drops a .ZIP copy of itself into the Windows folder as "photos.zip".
When Backdoor:Win32/IRCbot!751D (syshosts.dll) runs, it performs the following actions:
- Connects to a remote IRC server to receive command instructions
- Awaits command instructions which could include spreading to other computers using MSN Messenger communication protocol
- Backdoor:Win32/IRCbot!751D may send a copy of itself to all MSN Messenger contacts, using an attachment named 'photos.zip' and one of the following messages:
Here are my private pictures for you
Here are my pictures from my vacation
My friend took nice photos of me.you Should see em loL!
its only my photos!
Nice new photos of me and my friends and stuff and when i was young lol…
Nice new photos of me!! :p
Check out my sexy boobs :D
hey regarde mes tof!! :p
ma soeur a voulu que tu regarde ca!
hey regarde les tof, c'est moi et mes copains entrain de.... :D
j'ai fais pour toi ce photo album tu dois le voire :)
tu dois voire ces tof
mes photos chaudes :D
c'est seulement mes tof :p
zijn enige mijn foto's
wanna Hey ziet mijn nieuw fotoalbum?
indigde enkel nieuw fotoalbum! :)
hey keurt mijn nieuw fotoalbum goed.. :p
Hey be
indigde enkel nieuw fotoalbum! :)
het voor yah, doend beeldverhaal van mijn leven lol..
meine hei
en Fotos ! :p
meine hei
le mie foto calde :p
mis fotos calientes
mi fotograf
as :p
Mi amigo tom
las fotos agradables de m
mis fotos calientes
el lol mi hermana quisiera que le enviara este
album de foto
Prevention
