Threat behavior
Backdoor:IRC/WinBot often arrives in email disguised as a greeting card. Those who follow the link to download the card will actually be downloading a copy of the Trojan. When run, Backdoor:IRC/WinBot does the following:
- Drops the following files in %windir%\system folder:
fullname.txt
ident.txt
nicks.txt
aliases.ini
control.ini
mirc.ini
remote.ini
script.ini
servers.ini
users.ini
sup.bat
svchost.exe (may be infected with the Win32/Parite virus)
mirc.ico
sup.reg
popups.txt
Note: %windir% signifies the name of the Windows folder. By default, on Windows Vista, XP, ME, 98 and 95, this is C:\Windows. On Windows NT/2000, the default folder is C:\Winnt.
download
logs
sounds
- Modifies the registry to load the dropped svchost.exe file each time Windows is started:
Adds value: GNP Generic Host Process
With data: %windir%\system\svchost.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies the following registry entries:
Set "VoiceEnabled" = "1" under key HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
Set "(default)" = "1174867138", under key HKEY_CURRENT_USER\Software\mIRC\DateUsed
Set "DisplayName" = "mirc", under key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.cha
Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.chat
Set "(default)" = "chat file", under key HKLM\SOFTWARE\Classes\ChatFile
Set "(default)" = ""%windir%\system\svchost.exe"", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
Set "(default)" = "svchost", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
Set "(default)" = "connect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
Set "(default)" = "url:irc protocol", under key HKEY_LOCAL_MACHINE\Software\Classes\irc
Set "(default)" = ""%windir%\system\svchost.exe"", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec
Set "(default)" = "svchost", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application
Set "(default)" = "%1", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec
Set "(default)" = "connect", under key HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic
- Opens and listens on TCP port 113 and UDP port 30167
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
