Threat behavior
Backdoor:Win32/IRCbot.gen!U is a generic detection for a trojan that allows unauthorized access and control of an affected machine by a remote attacker using IRC. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from an attacker. This particular detection may trigger on variants of several different IRC bot families, including
Win32/Pushbot and
Win32/Synigh.
The trojan is created using a utility that can configure certain properties of the malware such as the following:
file name of the installed copy
ports for use by a remote attacker
remote server names to attempt connections with and so on
payload actions which may include any of the following actions:
Download and execute a file
Perform a DDoS attack
Spread using "autorun.inf" Autorun configuration files
Some have the ability to spread over MSN and AIM messengers
Transfer files
Steal passwords
Visit a specified website (possibly for click fraud)
Installation
When run, the trojan creates of copy of itself locally and modifies the registry to run the copy at each Windows start. The following is one example of a registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSN"
To data: "%windir%\kysvr.exe"
Spreads Via…
Logical and Removable Drives
Some variants of Backdoor:Win32/IRCbot.gen!U may attempt to spread to logical or removable drives. They place themselves in the \RECYCLER folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
One example variant created the following files when attempting to spread in this manner:
Payload
Backdoor functionality
Backdoor:Win32/IRCbot.gen!U allows unauthorized access and control of an affected machine. In the wild, one example variant contacted the IRC server "irc.wotnet.com" in order to receive instruction from a remote attacker.
Backdoor commands can include actions such as:
Scanning for un-patched computers on the network
Scanning files on the systems and check certain DLLs are loaded
Scanning ports on the network.
Downloading and executing remote files.
Monitoring network traffic.
Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers.
Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, network connection information, and IE start page configuration.
Retrieving CD keys of games.
Uploading/downloading files through FTP.
Manipulating processes and services.
Conducting denial of service (DoS) attacks.
Additional Information
The malware will refuse to run in various sandboxes or if analysis tools like Wireshark or Process Monitor are used.
Analysis by Chris Stubbs
Prevention
