Follow:

 

Win32/IRCbot


Microsoft security software detects and removes this family of threats.
 
This family of backdoor trojans can download and install other malware on your PC. They can also give a malicious hacker access and control of your PC.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/IRCbot takes the following actions:
  • Creates a copy of itself on the infected computer. The location and name of the dropped file varies. The Trojan also adds a value and data to an autostart registry key such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the Trojan runs automatically each time Windows starts. For example, one particular variant of Win32/IRCbot creates a copy of itself at %windir%\mwoffice.exe and adds value "Windows Update Controller" with data "%windir%\mwoffice.exe" to this autostart registry key.
  • Drops other malicious software, such as variants of:
    •  Win32/Rbot
    •  Win32/Sdbot
    •  TrojanDownloader:Win32/Small
    •  TrojanProxy:Win32/Ranky
    •  TrojanSpy:Win32/Haxspy
    •  Trojan:Win32/Hooker
    •  Worm:Win32/Codbot
    •  WinNT/FURootkit
  • Opens a backdoor in order to connect to certain IRC servers. The Trojan then joins specified IRC channels to receive attacker commands to perform operations such as the following:
    • Download and run other malicious software
    • Release information, such as system information and directory and file listings
    • Conduct denial of service attacks

Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: High
This entry was first published on: Nov 08, 2005
This entry was updated on: May 13, 2014

This threat is also detected as:
No known aliases