Threat behavior
Backdoor:Win32/IRCbot.gen!M is a generic detection for a backdoor trojan that allows unauthorized access and control of an affected computer. It connects to a remote IRC server in order to receive commands from an attacker.
Installation
When executed, the malware usually copies itself to another location. The filename used by the malware is variable; for example, we observed the malware copying itself to the following locations:
<system folder>\dllcache\isass.exe
<system folder>\dllcache\winmdfy.exe
<system folder>\dllcache\qxchost.exe
Backdoor:Win32/IRCbot.gen!M then executes that copy and may drop and execute a batch file that deletes its original executable.
Note that the malware may also modify the system to run itself as a service.
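As an added defensive example (not part of the encyclopedia entry), a small Python check that applies the installation pattern above to file-creation records: the three observed dllcache filenames, any executable written into dllcache by a process running outside the Windows folder, and a batch file dropped by a process already running from dllcache. The event records are constructed, and the record layout (target path, creating-process image) is an assumption rather than any particular product's log format.

```python
"""Flag file-creation events matching the IRCbot.gen!M installation pattern."""
import ntpath
from typing import List, Optional, Tuple

# Filenames observed in the encyclopedia entry (from the page, not constructed).
OBSERVED_NAMES = {"isass.exe", "winmdfy.exe", "qxchost.exe"}

# Assumed record layout: (path of the file created, image path of the creating process).
Event = Tuple[str, str]


def _under(path: str, folder: str) -> bool:
    """True if `folder` is one of the directory components of `path`."""
    parts = ntpath.normpath(path).lower().split("\\")
    return folder in parts[:-1]


def classify(event: Event) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    target, creator = event
    name = ntpath.basename(target).lower()
    if _under(target, "dllcache") and name in OBSERVED_NAMES:
        return "known-dropname"  # exact filename from the page's observed list
    if _under(target, "dllcache") and name.endswith(".exe") and not _under(creator, "windows"):
        # dllcache is normally written only by Windows File Protection components
        return "dllcache-write-by-nonsystem"
    if name.endswith(".bat") and _under(creator, "dllcache"):
        return "batch-dropped-from-dllcache"  # the self-deleting batch file step
    return None


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (target path, label) for every event that triggers a rule."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            hits.append((ev[0], label))
    return hits


# Constructed sample events: one known name, one benign WFP write, one
# unknown-name copy by a dropper, and a batch file dropped from dllcache.
SAMPLE_EVENTS: List[Event] = [
    (r"C:\Windows\system32\dllcache\isass.exe", r"C:\Users\bob\Downloads\setup.exe"),
    (r"C:\Windows\system32\dllcache\ntoskrnl.exe", r"C:\Windows\system32\sfc.exe"),
    (r"C:\Windows\system32\dllcache\x1fj.exe", r"C:\Users\bob\Downloads\setup.exe"),
    (r"C:\Users\bob\AppData\Local\Temp\del.bat", r"C:\Windows\system32\dllcache\x1fj.exe"),
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_EVENTS):
        print(f"{label:32} {path}")
```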
Spreads via
Exploit
Backdoor:Win32/IRCbot.gen!M may attempt to spread by exploiting particular vulnerabilities in remote computers.
Weak passwords
The malware contains a list of weak passwords that it uses to attempt to gain access to administrator accounts on remote computers running SQL Server.
Instant Messaging
The malware checks if the following Instant Messaging clients are running:
- MSN Messenger
- ICQ
- Yahoo Messenger
If found, the malware then clicks the relevant buttons to send links to itself to entries in the contact list.
Note that the link that is sent is provided via a backdoor command.
Payload
Allows backdoor access and control
When executed, the malware connects to a remote IRC server and joins a particular channel in order to receive commands from a remote attacker.
The remote attacker can command the malware to perform a list of tasks such as the following:
- Connect to a different IRC server or channel
- Steal passwords from protected storage
- Start / stop spreading via exploit and weak passwords
- Start / stop spreading via Instant Messaging
- Provide statistics on the number of successfully exploited hosts
- Download and execute arbitrary files
- Update to a new copy of the malware
- Uninstall itself
- Perform a Denial of Service attack on a remote host
- Run a SOCKS4 proxy on an infected machine
- Stop the currently executing malware process
Analysis by Ray Roberts
Prevention