Malicious Software Encyclopedia: Win32/IRCbot

Published: May 6, 2009

Win32/IRCbot is a large family of backdoor Trojans that targets computers running Microsoft Windows. The Trojan drops other malicious software and opens a backdoor on the infected computer to connect to IRC servers. The Trojan can maintain multiple IRC server connections simultaneously to receive commands from attackers.

Threat Overview

Class/type: Trojan - Backdoor
Discovered: May 1, 2004
Circulating: Yes
Affected operating systems: Windows NT 3.x, Windows NT 4.0, Windows 95, Windows 2000, Windows XP, Windows Server 2003, Windows ME, Windows 98
Affected software: Not specified
Infection rating: Medium
Recovery difficulty: Moderate
Damage rating: Medium
Transmission rating: Medium

Technical Analysis

Win32/IRCbot takes the following actions:
  • Creates a copy of itself on the infected computer. The location and name of the dropped file vary. The Trojan also adds a value and data to an autostart registry key, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that the Trojan runs automatically each time Windows starts. For example, one particular variant of Win32/IRCbot creates a copy of itself at %windir%\mwoffice.exe and adds the value "Windows Update Controller" with data "%windir%\mwoffice.exe" to this autostart registry key.
  • Drops other malicious software, such as variants of:
    •  Win32/Rbot
    •  Win32/Sdbot
    •  TrojanDownloader:Win32/Small
    •  TrojanProxy:Win32/Ranky
    •  TrojanSpy:Win32/Haxspy
    •  Trojan:Win32/Hooker
    •  Worm:Win32/Codbot
    •  WinNT/FURootkit
  • Opens a backdoor in order to connect to certain IRC servers. The Trojan then joins specified IRC channels to receive attacker commands to perform operations such as the following:
    • Download and run other malicious software
    • Release information, such as system information and directory and file listings
    • Conduct denial of service attacks

How to Prevent Infection

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
  3. Click System.
  4. Click Automatic Updates, and select Keep my computer up to date.
  5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
  6. If you choose in step 5 to be notified of the availability of Automatic Updates, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, it is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

How to Tell If Your Computer Is Infected

There are no readily apparent indications of infection by Win32/IRCbot. The name of the Trojan file copy and corresponding registry settings may differ according to the particular variant of Win32/IRCbot.
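
The autostart entry described under Technical Analysis is one of the few artifacts that can be checked directly. The following is an added example, not part of the original write-up: it triages the text output of reg query for the Run key, flagging the one variant named on this page and, as an assumed heuristic, any executable launched from the root of the Windows directory. The sample output and the names VendorAgent, Spooler Helper and splhlp.exe are constructed.

```python
import re
from ntpath import basename, dirname

# Indicators the page gives for one variant; other variants use other names.
KNOWN_VALUE = "windows update controller"
KNOWN_FILE = "mwoffice.exe"

# A reg query value line (name, type, data; 4-space separated) and the leading exe path.
LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE = re.compile(r'^"?(?P<path>[^"]+?\.exe)\b', re.IGNORECASE)

# Constructed sample of reg query output for the Run key (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\agent.exe" /start
    Windows Update Controller    REG_SZ    %windir%\mwoffice.exe
    Spooler Helper    REG_SZ    C:\WINDOWS\splhlp.exe -s
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

def normalise(path):
    """Lower-case the path and map spellings of the Windows directory to %windir%."""
    p = path.lower()
    for prefix in ("%systemroot%", "c:\\windows", "c:\\winnt"):
        if p.startswith(prefix + "\\"):
            return "%windir%" + p[len(prefix):]
    return p

def triage(reg_query_output):
    """Return (value name, normalised path, reasons) for each suspicious entry."""
    findings = []
    for line in reg_query_output.splitlines():
        entry = LINE.match(line)
        exe = EXE.match(entry["data"].strip()) if entry else None
        if not exe:
            continue
        path = normalise(exe["path"])
        reasons = []
        if entry["name"].lower() == KNOWN_VALUE or basename(path) == KNOWN_FILE:
            reasons.append("matches the variant described on this page")
        if dirname(path) == "%windir%":  # assumed heuristic, expect false positives
            reasons.append("executable in the root of the Windows directory")
        if reasons:
            findings.append((entry["name"], path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name!r} -> {path}: {'; '.join(reasons)}")
```

Because the file name and value name differ between variants, a hit on the second reason is a prompt for manual review rather than a confirmed detection.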

How to Recover from Infection

Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:

Payload Information

Payload type: Creates files
Trigger: Execution
Description: Drops a copy of itself. The location and name of the dropped file vary.

Payload type: Compromises Security
Trigger: Execution
Description:
  • Opens a backdoor to connect to IRC servers and receive attacker commands.
  • Drops other malicious software.

Payload type: Release information
Trigger: Execution
Description: Releases information such as system information and directory and file listings.


© 2009 Microsoft Corporation. All rights reserved.