Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Jun 01, 2007 | Updated Aug 22, 2017

Backdoor:Win32/IRCbot!8497

Detected by Microsoft Defender Antivirus

Aliases: Win32/Checkout.A (CA) Backdoor.Win32.IRCBot.aaq (Kaspersky) W32/Checkout (McAfee) Backdoor:Win32/IRCbot!751D (Microsoft) W32/IRCBot-WB (Sophos) VIPRE.Suspicious (Sunbelt Software) W32.Mubla (Symantec)

Summary

Backdoor:Win32/IRCBot!8497 is the installer component of the Backdoor:Win32/IRCBot!751D Trojan. Backdoor:Win32/IRCbot!751D is a Trojan that connects to an Internet Relay Chat (IRC) server and provides attackers with remote access to the infected system. Commands that can be remotely executed include downloading and executing files. Backdoor:Win32/IRCbot!751D also includes the ability to send itself to MSN Messenger contacts.
To recover manually from infection by Backdoor:Win32/IRCbot!8497, perform the following steps:
  • Disconnect from the Internet.
  • Delete the Trojan registry entries.
  • Restart the computer. 
  • Delete the Trojan files from your computer.
  • Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Delete the Trojan registry entry

To delete the Trojan registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CLASSES_ROOT\CLSID\
  4. Click Edit and click Find.
  5. Type syshosts.dll and press Enter.
  6. In the right pane, right-click the related CLSID value such as {5A2670F7-6E8B-4A4D-A71F-9B71A86EEFD6}.
  7. Click Delete and click Yes to delete the value.
  8. In the left pane, navigate to the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
  9. In the right pane, right-click the following value, if it exists: syshosts
  10. Click Delete and click Yes to delete the value.
  11. Close the Registry Editor.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Delete the Trojan files from your computer

To delete the Trojan files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type %WinDir%.
  3. Click OK.
  4. Click View, and Details.
  5. Click Name to sort files by name.
  6. Delete photos.zip from the Windows folder.
  7. In the Address field, type %WinDir%\System32, and press Enter.
  8. Click View, and Details.
  9. Click Name to sort files by name.
  10. Delete syshosts.dll from the Windows system folder.
  11. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  12. Click Yes to confirm the deletion.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us