Backdoor:Win32/IRCbot.BH is a generic detection for a backdoor trojan that connects to an IRC server to receive commands from an attacker. This trojan contains code that exploits vulnerable Windows computers that have not applied Security Bulletin MS08-067.
Installation
When executed, Win32/IRCbot.BH copies itself to the "Program Files" folder as an executable. In the wild, this trojan has used the following file names:
mediaavi.exe
msgaurd.exe
soundmax.exe
The registry is then modified to run the dropped copy at each Windows start; the value names and data may differ among variants of this trojan, as shown in the examples below:
Adds value: "MS Gaurd Driver"
With data: "%ProgramFiles%\msgaurd.exe"
Adds value: "SoundMAX Driver"
With data: "%ProgramFiles%\soundmax.exe"
Adds value: "MediaAVI Driver"
With data: "%ProgramFiles%\mediaavi.exe"
To subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
While executing, the trojan remains resident in memory and connects to a predefined remote IRC server and awaits commands from an attacker. Commands could include sending the trojan to other computers in a worm-like manner using hard-coded exploits.
Payload
Bypasses Windows Firewall
Win32/IRCbot.BH modifies the registry to add the trojan to the Windows Firewall authorized applications list:
Adds value: "<Win32/IRCbot.BH path and filename>"
With data: "enabled:soundmax driver:*:<Win32/IRCbot.BH path and filename>"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
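The persistence entries under the Run keys and the firewall authorized-applications entry described above can both be checked from a registry export. The following is an added example (not Microsoft's code) that parses a `.reg` file as produced by `reg export`, flags Run values that launch one of the file names reported above, and flags authorized-application entries that reference them. It goes slightly beyond the write-up by also flagging any Run value that launches an executable sitting directly in the Program Files root, which is where this trojan drops its copy. The sample export is constructed for the example.

```python
import re

# Indicators taken from the write-up: dropped file names and registry locations.
IRCBOT_BH_FILENAMES = {"mediaavi.exe", "msgaurd.exe", "soundmax.exe"}
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
).lower()

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')   # REG_SZ lines: "name"="data"
# Heuristic (my assumption, not from the write-up): an .exe directly in the
# Program Files root, e.g. %ProgramFiles%\x.exe or C:\Program Files\x.exe
_PROGFILES_ROOT_RE = re.compile(r"^(%programfiles%|[a-z]:\\program files)\\[^\\]+\.exe$")


def _unescape(s):
    # .reg exports escape double quotes and backslashes with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path (lowercased): {value_name: data}}.

    Only string (REG_SZ) values are kept; DWORD/binary values are ignored.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _SZ_VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def _launched_path(data):
    """Return the executable path from Run-key data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    idx = data.lower().find(".exe")
    return data[: idx + 4] if idx != -1 else data.split(" ", 1)[0]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ircbot_bh_indicators(reg):
    """Return [(key, value_name, reason)] for entries matching the indicators."""
    hits = []
    for key, values in reg.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                path = _launched_path(data)
                if _basename(path) in IRCBOT_BH_FILENAMES:
                    hits.append((key, name, "Run value launches a known IRCbot.BH file name"))
                elif _PROGFILES_ROOT_RE.match(path.lower()):
                    hits.append((key, name, "Run value launches an executable from the Program Files root"))
        elif key == FIREWALL_LIST_KEY:
            for name, data in values.items():
                if _basename(name) in IRCBOT_BH_FILENAMES or any(
                        fn in data.lower() for fn in IRCBOT_BH_FILENAMES):
                    hits.append((key, name, "Firewall authorized-application entry for a known IRCbot.BH file name"))
    return hits


# Constructed sample export: two benign entries, one known-name Run value,
# one Program Files-root Run value, and one firewall entry for the dropped file.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"SoundMAX Driver"="%ProgramFiles%\\soundmax.exe"
"Media Helper"="C:\\Program Files\\mediahelper.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\soundmax.exe"="enabled:soundmax driver:*:C:\\Program Files\\soundmax.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

if __name__ == "__main__":
    for key, name, reason in find_ircbot_bh_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{reason}: [{key}] {name}")
```

On a live system, `reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy export.reg` (and likewise for the two Run keys) produces the input this parser expects; the Program Files-root heuristic is deliberately weaker than the file-name match and should be reviewed rather than acted on automatically.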
Backdoor Functionality: Port 6556 / Spreads Via Exploit
This trojan attempts to connect to a predefined remote IRC server named '0x90.devtech.us'. The connection is made over TCP port 6556; once connected, the trojan joins a preselected channel and awaits commands from an attacker. Using this backdoor, the attacker can order IRCbot.BH to attempt to spread.
If the MS08-067 vulnerability on a target computer is successfully exploited, Win32/IRCbot.BH instructs the target computer to download and execute a copy of itself from the attacking computer.
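Because the trojan adds itself to the firewall's authorized-applications list, its outbound connection to the IRC server is not blocked, but it is still logged when Windows Firewall logging is enabled. The following added example (not Microsoft's code) reads a Windows Firewall log, using its `#Fields:` header to locate the columns, and flags outbound TCP connections to the command-and-control port named above; a second check looks for the server name in `ipconfig /displaydns`-style output. The log and DNS lines are constructed; the exact column set of the firewall log varies by Windows version, which is why the header is parsed rather than assumed.

```python
# Command-and-control indicators taken from the write-up.
C2_PORT = 6556
C2_HOST = "0x90.devtech.us"


def parse_firewall_log(text):
    """Yield one dict per record of a Windows Firewall log (pfirewall.log).

    Column names come from the '#Fields:' header line so the parser works
    regardless of which columns a given Windows version writes.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_c2_connections(text, port=C2_PORT):
    """Return [(timestamp, src_ip, dst_ip)] for TCP connections to the C2 port."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != str(port):
            continue
        # Newer logs carry a 'path' column (SEND/RECEIVE); keep outbound records
        # only when it is present, otherwise treat every match as a candidate.
        if rec.get("path", "SEND") != "SEND":
            continue
        hits.append((rec["date"] + " " + rec["time"], rec["src-ip"], rec["dst-ip"]))
    return hits


def find_c2_dns_entries(dns_output, host=C2_HOST):
    """Return the 'Record Name' lines of ipconfig /displaydns output naming the C2 host."""
    return [line.strip() for line in dns_output.splitlines()
            if "record name" in line.lower() and host in line.lower()]


# Constructed sample log: SMB to a LAN host, the C2 connection, web traffic,
# and an inbound connection to local port 6556 that should not be flagged.
SAMPLE_FIREWALL_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-11-12 10:15:01 OPEN TCP 192.168.1.5 192.168.1.20 1041 445 - - - - - - - - SEND
2008-11-12 10:15:03 OPEN TCP 192.168.1.5 203.0.113.7 1042 6556 - - - - - - - - SEND
2008-11-12 10:15:07 OPEN TCP 192.168.1.5 198.51.100.9 1043 80 - - - - - - - - SEND
2008-11-12 10:15:09 OPEN TCP 203.0.113.44 192.168.1.5 40001 6556 - - - - - - - - RECEIVE
"""

# Constructed sample in the shape of ipconfig /displaydns output.
SAMPLE_DNS_OUTPUT = """
    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1

    0x90.devtech.us
    ----------------------------------------
    Record Name . . . . . : 0x90.devtech.us
    Record Type . . . . . : 1
"""

if __name__ == "__main__":
    for when, src, dst in find_c2_connections(SAMPLE_FIREWALL_LOG):
        print(f"{when}: {src} -> {dst}:{C2_PORT}")
    for line in find_c2_dns_entries(SAMPLE_DNS_OUTPUT):
        print(line)
```

Port 6556 is not a reserved port, so a hit on the port alone warrants correlating the destination with the resolved name of '0x90.devtech.us' and with the Run-key and firewall-list entries above before treating the host as infected.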
Retrieves Potentially Sensitive Data
Win32/IRCbot.BH could be instructed to retrieve data from the clipboard and save it, allowing an attacker to obtain potentially sensitive data.
Additional Information
This trojan contains the following strings which may vary among variants:
Purple 0.1c
#Purple-Exploit#
Analysis by Chris Jones & Patrick Nolan