 

Backdoor:Win32/IRCbot.DL


Backdoor:Win32/IRCbot.DL is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Backdoor:Win32/IRCbot.DL is typically installed as a hidden file in the %appdata%\Microsoft folder. It may use file names such as the following:
 
win32bit.exe
desktop.exe
balls.exe
winlog.exe
audio service.exe
windows.exe
scvhost.exe
slideshow.exe
csrss.exe
abodeg.exe
 
Note - %appdata% refers to a variable location that the malware determines by querying the operating system. The default location of the %appdata% folder is C:\Documents and Settings\<user>\Application Data on Windows XP, and C:\Users\<user>\AppData\Roaming on Windows Vista and Windows 7.
 
It then launches the new copy.
 
It creates the following registry entry to ensure that it is launched upon system startup:
 
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "<filename>"
With data: "%appdata%\Microsoft\<filename>"
 
For example:
 
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: "%appdata%\Microsoft\win32bit.exe"
 
It uses a mutex such as "3OoG0LGF%@\xo1I" to ensure that no more than one copy can run at a time.
Spreads via…
Removable drives
Some (but not all) variants periodically check whether removable drives are attached and, if so, copy themselves as a hidden file to the root folder of the drive, using one of the file names listed above. They also place a hidden autorun.inf file in the root folder of the drive, in an attempt to run the malware when the drive is attached to another system.
 
Once it has done so, the malware reports which drives were infected to the backdoor server (see below).
Payload
Allows backdoor access and control
The malware connects to a remote server, often on one of ports 3085, 3174, 3176, or 3178, and sends various system information including:
  • User name
  • Computer name
  • Processor type and speed
  • Operating system version
  • System locale
 
Examples of servers used at the time of publication include:
 
ry4n.no-ip.info
f8l.no-ip.info
J1Z.no-ip.info
m3tu55.redirectme.net
e9w.no-ip.biz
travy.no-ip.info
drones23.no-ip.org
filter55.webhop.info
secure-connection.serveftp.com
prodigy3.dyndns.info
 
The backdoor’s controller may issue the following commands:
  • Download and execute arbitrary files
  • Update itself
  • Start or stop SYN-flood or UDP-flood DDoS attacks
  • Report the privilege level it is running with (administrator or restricted) and the system uptime
  • List running processes
  • Terminate processes
  • List titles and details of open windows
  • Display a message box
  • Stop running
  • Uninstall itself
  • Steal Mozilla Firefox password details
 
Analysis by David Wood

Symptoms

System changes
The following system changes may indicate the presence of this malware:

Presence of the following file/s:
%appdata%\Microsoft\win32bit.exe
%appdata%\Microsoft\desktop.exe
%appdata%\Microsoft\balls.exe
%appdata%\Microsoft\winlog.exe
%appdata%\Microsoft\audio service.exe
%appdata%\Microsoft\windows.exe
%appdata%\Microsoft\scvhost.exe
%appdata%\Microsoft\slideshow.exe
%appdata%\Microsoft\csrss.exe
%appdata%\Microsoft\abodeg.exe
 
The presence of the following registry modifications or similar:
 
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "<filename>"
With data: "%appdata%\Microsoft\<filename>"
 
For example:
 
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: "%appdata%\Microsoft\win32bit.exe"
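The following host-triage script turns the indicators from the Installation, Spreads via, Payload and Symptoms sections into checks an analyst can run on a suspect machine. It is an added example, not code from the Microsoft write-up: the file names, Run key location, mutex name, C2 ports and dynamic-DNS hostnames are copied from the text above, while the function names, the report format and the NoDriveTypeAutoRun hardening check are this example's own. It assumes PowerShell 3 or later, and Windows 8 / Server 2012 or later for the Get-NetTCPConnection and Get-DnsClientCache calls; on older hosts substitute netstat -ano and ipconfig /displaydns.

```powershell
# Added triage script for Backdoor:Win32/IRCbot.DL indicators (example code, not from the write-up).
# Indicator values below come from the encyclopedia entry; everything else is this example's own.
$FileNames = @('win32bit.exe', 'desktop.exe', 'balls.exe', 'winlog.exe', 'audio service.exe',
               'windows.exe', 'scvhost.exe', 'slideshow.exe', 'csrss.exe', 'abodeg.exe')
$C2Ports   = @(3085, 3174, 3176, 3178)
$C2Hosts   = @('ry4n.no-ip.info', 'f8l.no-ip.info', 'j1z.no-ip.info', 'm3tu55.redirectme.net',
               'e9w.no-ip.biz', 'travy.no-ip.info', 'drones23.no-ip.org', 'filter55.webhop.info',
               'secure-connection.serveftp.com', 'prodigy3.dyndns.info')
$MutexName = '3OoG0LGF%@\xo1I'
$DropDir   = Join-Path $env:APPDATA 'Microsoft'

function New-Hit($Indicator, $Value) {
    [pscustomobject]@{ Indicator = $Indicator; Value = $Value }
}

function Find-DroppedFiles {
    # The dropped copy is hidden: [IO.File]::Exists ignores attributes and -Force makes
    # Get-Item return hidden items. The real csrss.exe lives in %SystemRoot%\System32,
    # never in %APPDATA%\Microsoft, so any hit in this folder is suspicious.
    foreach ($name in $FileNames) {
        $path = Join-Path $DropDir $name
        if ([IO.File]::Exists($path)) {
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            New-Hit 'File' ('{0} (hidden={1})' -f $path, [bool]($attrs -band [IO.FileAttributes]::Hidden))
        }
    }
}

function Find-RunKeyPersistence {
    # Flag any HKCU Run value whose data resolves into %APPDATA%\Microsoft, not just the
    # ten known names, because the write-up says the file name varies between samples.
    $key   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($data.StartsWith($DropDir, [StringComparison]::OrdinalIgnoreCase)) {
            New-Hit 'RunKey' ('{0} = {1}' -f $p.Name, $p.Value)
        }
    }
}

function Find-RemovableDriveArtifacts {
    # Some variants drop a hidden copy plus a hidden autorun.inf into the root of every
    # removable drive (Win32_LogicalDisk DriveType 2).
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue) {
        $root = $disk.DeviceID + '\'
        foreach ($name in @('autorun.inf') + $FileNames) {
            $path = Join-Path $root $name
            if ([IO.File]::Exists($path)) { New-Hit 'RemovableDrive' $path }
        }
    }
}

function Find-C2Activity {
    # Established TCP sessions to the write-up's C2 ports, plus cached DNS lookups for the
    # listed dynamic-DNS names. The DNS cache is read instead of resolving the names so the
    # script itself never sends a lookup for attacker infrastructure.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $C2Ports -contains $_.RemotePort } |
        ForEach-Object { New-Hit 'Connection' ('{0}:{1} owned by PID {2}' -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess) }
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $C2Hosts -contains $_.Entry.ToLowerInvariant() } |
        ForEach-Object { New-Hit 'DnsCache' ('{0} -> {1}' -f $_.Entry, $_.Data) }
}

function Test-RunOnceMutex {
    # The sample holds this mutex so only one copy runs; if it can be opened, a copy is running now.
    $m = $null
    try {
        if ([Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)) { $m.Dispose(); return $true }
    } catch { }   # a name the object manager rejects is treated as "not present"
    return $false
}

function Test-AutorunDisabled {
    # Hardening check against the USB spread (example's own addition): NoDriveTypeAutoRun
    # bit 0x04 disables AutoRun for removable drives, 0xFF disables it for every drive type.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v -and ($v -band 0x04)) { return $true }
    }
    return $false
}

$hits = @(Find-RunKeyPersistence; Find-DroppedFiles; Find-RemovableDriveArtifacts; Find-C2Activity)
if (Test-RunOnceMutex)          { $hits += New-Hit 'Mutex'  $MutexName }
if (-not (Test-AutorunDisabled)) { $hits += New-Hit 'Config' 'AutoRun still enabled for removable drives (NoDriveTypeAutoRun)' }
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No Backdoor:Win32/IRCbot.DL indicators found.' }
```

A hit on the Run key or the dropped file is the strongest signal, since both are written by every variant; the port and hostname checks are weaker because the operators rotated dynamic-DNS names and the listed servers were current only at the time of publication, so treat those as leads to confirm with a scan rather than as proof on their own.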

Alert level: Severe
First detected by definition: 1.71.833.0
Latest detected by definition: 1.185.1828.0 and higher
First detected on: Dec 14, 2009
This entry was first published on: Mar 01, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Autorun.worm.aae (McAfee)
  • WORM_AUTORUN.EWS (Trend Micro)
  • Worm.Win32.AutoRun.atdx (Kaspersky)
  • W32.SillyFDC (Symantec)