
Backdoor:Win32/IRCbot


Backdoor:Win32/IRCbot is a Trojan that connects to an Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot also includes the ability to send itself to MSN Messenger contacts.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Backdoor:Win32/IRCbot is a Trojan that connects to a remote Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot also includes the ability to send itself to MSN Messenger contacts.
 
Backdoor:Win32/IRCbot may be installed by Backdoor:Win32/IRCbot!8497, a 32-bit PE executable. When the installer is run, it performs the following actions:
  • Drops a file 'syshosts.dll' into the Windows system folder. This file may be detected as Backdoor:Win32/IRCbot!751D.
  • Modifies the registry to run this file when Windows is started:
    Adds value: syshosts
    With data: {5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    Adds value: @
    With data: syshosts.dll
    To subkey: HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32\
    The ShellServiceObjectDelayLoad value names a CLSID, and that CLSID's InProcServer32 default value names the DLL, so the Windows shell loads syshosts.dll each time it starts.
  • Lastly, IRCbot!8497 drops a .ZIP copy of itself into the Windows folder as "photos.zip".
 
When Backdoor:Win32/IRCbot!751D (syshosts.dll) runs, it performs the following actions:
  • Connects to a remote IRC server to receive command instructions
  • Awaits command instructions, which could include spreading to other computers over the MSN Messenger protocol
  • Backdoor:Win32/IRCbot!751D may send a copy of itself to all MSN Messenger contacts, using an attachment named 'photos.zip' and one of the following messages:

    Here are my private pictures for you
    Here are my pictures from my vacation
    My friend took nice photos of me.you Should see em loL!
    its only my photos!
    Nice new photos of me and my friends and stuff and when i was young lol…
    Nice new photos of me!! :p
    Check out my sexy boobs :D
    hey regarde mes tof!! :p
    ma soeur a voulu que tu regarde ca!
    hey regarde les tof, c'est moi et mes copains entrain de.... :D
    j'ai fais pour toi ce photo album tu dois le voire :)
    tu dois voire ces tof
    mes photos chaudes :D
    c'est seulement mes tof :p
    zijn enige mijn foto's
    wanna Hey ziet mijn nieuw fotoalbum?
    indigde enkel nieuw fotoalbum! :)
    hey keurt mijn nieuw fotoalbum goed.. :p
    Hey beëindigde enkel nieuw fotoalbum! :)
    het voor yah, doend beeldverhaal van mijn leven lol..
    meine heißen Fotos ! :p
    meine hei
    le mie foto calde :p
    mis fotos calientes
    mi fotografías :p
    Mi amigo tomó las fotos agradables de mí
    mis fotos calientes
    el lol mi hermana quisiera que le enviara este album de foto

Symptoms

The following symptoms may be indicative of a Backdoor:Win32/IRCbot!751D infection:
  • Presence of the file "syshosts.dll" in the Windows system folder
  • Presence of the file "photos.zip" in the Windows folder
  • Presence of the following registry keys and values:
    HKEY_CLASSES_ROOT\CLSID\{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}\InProcServer32\
    "@" = syshosts.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "syshosts" = "{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}"
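A read-only triage script for the registry and file indicators listed above. This is an added example, not part of the Microsoft write-up; it assumes an elevated PowerShell prompt and that the "Windows system folder" is %SystemRoot%\System32. It also goes one step beyond the write-up by resolving every ShellServiceObjectDelayLoad CLSID to its DLL, so other entries using the same persistence technique are surfaced too.

```powershell
# Added triage script (not from the Microsoft write-up). Read-only: it inspects the
# registry and tests for files; it removes nothing. Run from an elevated prompt.
$ssodlPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$knownClsid = '{5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}'   # CLSID named in the write-up
$knownDll   = 'syshosts.dll'                              # dropped file named in the write-up

# Resolve a CLSID to its in-process server DLL. HKCU\Software\Classes is checked first
# because the merged HKEY_CLASSES_ROOT view lets a per-user registration override HKLM.
function Resolve-InProcServer([string]$Clsid) {
    foreach ($root in 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes') {
        $key = Join-Path $root "CLSID\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$findings = @()
if (Test-Path -LiteralPath $ssodlPath) {
    $ssodl = Get-Item -LiteralPath $ssodlPath
    foreach ($valueName in $ssodl.GetValueNames()) {
        $clsid = [string]$ssodl.GetValue($valueName)
        $dll   = Resolve-InProcServer $clsid
        $leaf  = if ($dll) { Split-Path -Leaf $dll } else { '' }
        $reasons = @()
        if ($valueName -eq 'syshosts' -or $clsid -eq $knownClsid -or $leaf -eq $knownDll) {
            $reasons += 'matches Backdoor:Win32/IRCbot indicators'
        }
        # A bare file name (no directory) is found through the DLL search order, which is
        # how syshosts.dll in the system folder gets loaded; a full path outside %SystemRoot%
        # is unusual for a shell service object and worth a look.
        if ($dll -and (Split-Path -Parent $dll) -and $dll -notlike "$env:SystemRoot\*") {
            $reasons += 'DLL outside Windows folder'
        }
        if (-not $dll) { $reasons += 'CLSID has no InProcServer32' }
        $findings += [pscustomobject]@{ Value = $valueName; CLSID = $clsid; DLL = $dll; Note = ($reasons -join '; ') }
    }
}

# File indicators from the Symptoms section (System32 assumed as the system folder).
foreach ($file in (Join-Path $env:SystemRoot "System32\$knownDll"), (Join-Path $env:SystemRoot 'photos.zip')) {
    $note = if (Test-Path -LiteralPath $file) { 'file present' } else { '' }
    $findings += [pscustomobject]@{ Value = '(file)'; CLSID = ''; DLL = $file; Note = $note }
}
$findings | Format-Table -AutoSize
```

Rows with an empty Note column are the normal, expected shell service objects; anything else should be examined before deciding on removal.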

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.185.3646.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Aug 22, 2007
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor:Win32/IRCbot!8497 (Microsoft)
  • Win32/Checkout.A (CA)
  • Backdoor.Win32.IRCBot.aaq (Kaspersky)
  • W32/Checkout (McAfee)
  • W32/IRCBot-WB (Sophos)
  • W32.Mubla (Symantec)