Backdoor:Win32/IRCbot.gen!T is a generic detection which may detect several variants of families of IRC-controlled backdoors. These malware allow unauthorized access and control of an affected computer and may be used to perform certain activities when commanded to do so by the backdoor’s controller, such as downloading and executing arbitrary files, or collecting system information.
Variants of the following families of malware may be detected with this name:
Please see the related family or example variant descriptions elsewhere in this encyclopedia for more detailed information on these threats.
Installation
When executed, malware detected as Backdoor:Win32/IRCbot.gen!T typically copies itself, using a filename that varies by variant, to the %windir% directory or one of its subdirectories, such as the <system folder>. It also generally makes additional system changes to ensure that it runs upon system startup. For example, it may create a registry entry under a location such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing to a copy of the malware.
For example, one variant copies itself to %windir%\mslsrv32.exe and makes the following registry modifications:
Sets value: "Microsoft Driver Setup"
With data: "%windir%\mslsrv32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Driver Setup"
With data: "%windir%\mslsrv32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
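Added here as a defender's check, not code from the encyclopedia entry or from Microsoft: it lists every value in the two autostart subkeys named above and flags the ones that match the variant described (value name "Microsoft Driver Setup", file mslsrv32.exe) or that point at a file directly in %windir%. It assumes an elevated PowerShell session on the host under review; the function name and the two heuristics are my own.

```powershell
# Added example: review the Run and Policies\Explorer\Run autostart keys.
function Get-SuspiciousRunEntry {
    param(
        # Indicators taken from the variant described above; extend with your own.
        [string[]]$KnownValueNames = @('Microsoft Driver Setup'),
        [string[]]$KnownFileNames  = @('mslsrv32.exe')
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($data)) { continue }
            # Expand %windir% and friends, then keep only the executable part of the
            # command line (up to the first .exe, with or without surrounding quotes).
            $expanded = [Environment]::ExpandEnvironmentVariables($data)
            $exe = if ($expanded -match '^"?(?<p>.+?\.exe)') { $Matches['p'] } else { $expanded }
            $reasons = @()
            if ($KnownValueNames -contains $name) { $reasons += 'known value name' }
            if ($KnownFileNames -contains (Split-Path -Leaf $exe)) { $reasons += 'known file name' }
            # Heuristic: legitimate Run entries rarely point at a file sitting in the %windir% root.
            if ((Split-Path -Parent $exe) -ieq $env:windir) { $reasons += 'executable in %windir% root' }
            # Heuristic: the Policies\Explorer\Run key is normally empty unless Group Policy fills it.
            if ($key -like '*\Policies\*') { $reasons += 'entry in Policies\Explorer\Run' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Data    = $data
                    Exists  = Test-Path -LiteralPath $exe
                    Reasons = ($reasons -join ', ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
```

Any hit on "known value name" or "known file name" should be treated as an infection indicator; the two heuristic reasons need a manual look before acting on them.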
Spreads via…
Variable methods
Malware detected as Backdoor:Win32/IRCbot.gen!T typically attempts to spread to other systems on the network when commanded to do so by the backdoor’s controller. Spreading methods may include exploiting weak passwords, exploiting vulnerabilities in unpatched systems, using instant messaging applications, utilizing the Autorun feature, or peer-to-peer file sharing.
Exploits
Some variants attempt to exploit particular vulnerabilities in order to spread. For example, Win32/Neeris may attempt to spread by generating IP addresses in its local network and attempting to exploit systems unpatched against the vulnerabilities addressed in the following Microsoft Security Bulletins:
Neeris may also target computers running Microsoft SQL. It attempts to log on to these computers by exploiting weak passwords. One variant was observed to utilize the following list of passwords and usernames carried in its code:
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
access
accounting
accounts
adm
admin
administrador
administrat
administrateur
administrator
admins
asd
backup
bill
bitch
blank
bob
bob
brian
changeme
chris
cisco
compaq
control
data
database
databasepass
databasepassword
db1
db1234
db2
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
f*ck
george
god
guest
hell
hello
home
homeuser
hp
ian
ibm
internet
internet
intranet
jen
joe
john
kate
katie
lan
lee
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oem
oeminstall
oemuser
office
oracle
orainstall
outlook
pass
pass1234
passwd
password
password1
peter
peter
pwd
qaz
qwe
qwerty
root
sa
sam
server
sex
siemens
slut
sql
sqlpassoainstall
staff
student
sue
susan
system
teacher
technical
test
unix
user
web
win2000
win2k
win98
windows
winnt
winpass
winxp
www
zxc
Instant Messaging
Some variants may use other methods of spreading such as via instant messaging programs. For example, Win32/Slenfbot uses the following method to spread via MSN Messenger:
When the attacker orders Win32/Slenfbot to spread via MSN Messenger, they must provide the following three parameters:
A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
A file name for the worm's executable inside the ZIP archive.
Removable drives
Other variants spread by copying themselves to removable drives. For example, Win32/Rimecud performs the following actions when spreading via removable drives:
The spreading component of Win32/Rimecud enumerates all drives from B: to Z: searching for fixed and removable drives.
If found, the worm copies itself to the root directory of the located drive and creates an autorun.inf file to execute the copy. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically. For example, it may create the following files:
The payload component also has the ability to spread via autorun.inf when instructed to do so. In this case, the worm copies itself to a removable drive and creates an autorun.inf to execute it, for example:
RECYCLER\autorun.exe
autorun.inf
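Added here as a defender's check, not code from the encyclopedia entry or from Microsoft: it looks on every removable and non-system fixed volume for the autorun.inf and RECYCLER\autorun.exe pair described above, prints the launch directives found in any autorun.inf, and reports whether the NoDriveTypeAutoRun policy (the setting that prevents Autorun from launching the copy) is fully enabled. It assumes an elevated PowerShell session; the function name is my own.

```powershell
# Added example: hunt for the removable-drive artifacts and verify the AutoRun policy.
function Get-AutorunArtifact {
    # DriveType 2 = removable, 3 = local fixed disk (the worm searches both).
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -in @(2, 3) -and $_.DeviceID -ne $env:SystemDrive }
    foreach ($v in $volumes) {
        $inf = "$($v.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $inf) {
            # Directives that make AutoRun launch a program from the drive.
            $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
            [pscustomobject]@{ Drive = $v.DeviceID; Artifact = $inf; Detail = ($launch -join '; ') }
        }
        $exe = "$($v.DeviceID)\RECYCLER\autorun.exe"
        if (Test-Path -LiteralPath $exe) {
            # Record a hash so the sample can be compared with other hosts or submitted.
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            [pscustomobject]@{ Drive = $v.DeviceID; Artifact = $exe; Detail = "SHA256 $hash" }
        }
    }
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type; any other value
    # leaves some drive types able to launch the autorun.inf target automatically.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($policy) { $policy.NoDriveTypeAutoRun } else { $null }
    $detail = 'policy not set (Windows default applies)'
    if ($null -ne $value) {
        $detail = if ($value -eq 0xFF) { 'AutoRun disabled for all drive types' }
                  else { 'AutoRun only partly disabled: 0x{0:X2}' -f $value }
    }
    [pscustomobject]@{ Drive = '(policy)'; Artifact = "$policyKey\NoDriveTypeAutoRun"; Detail = $detail }
}

Get-AutorunArtifact | Format-Table -AutoSize
```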
Peer-to-Peer file sharing
Yet other variants may attempt to spread via peer-to-peer file sharing. Win32/Pushbot, for example, may be ordered to spread by copying itself to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
Directories used may include:
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\Rapigator\Share\
%ProgramFiles%\XoloX\Downloads\
%ProgramFiles%\Tesla\Files\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Swaptor\Download\
%ProgramFiles%\Overnet\incoming\
%ProgramFiles%\LimeWire\Shared\
%ProgramFiles%\appleJuice\incoming\
%ProgramFiles%\Filetopia3\Files\
%ProgramFiles%\ICQ\shared files\
%ProgramFiles%\Shareaza\Downloads\
%ProgramFiles%\BearShare\Shared\
%ProgramFiles%\eMule\Incoming\
%ProgramFiles%\Gnucleus\Downloads\
%ProgramFiles%\EDONKEY2000\incoming\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Grokster\My Grokster\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
Payload
Allows backdoor access and control
Once installed, the malware connects to an IRC server with a specified location and port. Please note that the ports and remote hosts used for this purpose are completely variable and may be different for each iteration of this threat. For example, one variant attempts to connect on port 8585 to cos.chfo991.com, while another attempts to connect on port 51987 to teamdos.org.
After connecting, the malware awaits commands from the backdoor’s controller. These commands may include (but are not limited to) the following examples:
- Download and execute arbitrary files
- Update itself
- Start or stop spreading
- Collect system information
- Run various servers on the system
- Send email or instant messages
- Participate in Distributed Denial of Service attacks
Lowers system security settings
Some variants attempt to terminate security- or AV-related program processes, or may attempt to modify computer security settings. The processes targeted and settings modified are highly variable. For example, one variant attempts to kill the following processes:
mrt.exe
ccenter.exe
fsav.exe
kav.exe
Kavstart.exe
KVSrvXP.exe
KvXP.kxp
msmpeng.exe
nod32.exe
Another variant disables the Task Manager by modifying the following registry entry:
Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Downloads and executes arbitrary files
Some variants may attempt to download and install additional malicious files. For example, one variant was observed attempting to contact the following remote hosts for this purpose:
- www.cooleasy.com
- www.mcreate.net
- kuwago.hp.infoseek.co.jp
- www.cship.info
Analysis by Lena Lin