Backdoor:Win32/IRCBot.gen!X is a backdoor that connects to an Internet Relay Chat (IRC) server and allows backdoor access and control to the affected computer.
Installation
Backdoor:Win32/IRCBot.gen!X drops a copy of itself, with the 'read-only' and 'hidden' file attributes set, to one of the following locations and executes it:
- %APPDATA%\divxweb.exe
- %APPDATA%\hidserv.exe
- %APPDATA%\livemsngs.exe
- %APPDATA%\msnliveq.exe
- %APPDATA%\scheb.exe
- %APPDATA%\svchots.exe
- %Temp%\service.exe
It modifies the following registry entries so that its copy executes at each Windows start; the entry under the FirewallPolicy\StandardProfile\AuthorizedApplications\List subkey also adds the copy to the list of programs allowed through the Windows Firewall:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Live Messenger Essentials"
With data: %APPDATA%\LIVEMSNGS.EXE
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Live Messenger Essentials"
With data: %APPDATA%\LIVEMSNGS.EXE
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "Windows Live Messenger Essentials"
With data: %APPDATA%\LIVEMSNGS.EXE
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Services"
With data: service.exe
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update"
With data: %Temp%\service.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Lives Essentials"
With data: %APPDATA%\msnrnmsgr.exe
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Lives Essentials"
With data: %APPDATA%\msnrnmsgr.exe
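As an added defender-side example (not part of this advisory or Microsoft's own tooling), the following Python scans a Windows .reg export, already decoded to text, of the Run keys and the firewall AuthorizedApplications list and flags values whose name or target file matches the indicators above. The sample export is constructed, and the ":*:Enabled:<name>" data format of the firewall list is assumed from XP-era exports.

```python
import re

# Indicators from the advisory: autostart value names and dropped file names (lower-case).
SUSPECT_VALUE_NAMES = {"windows live messenger essentials", "windows services",
                       "windows update", "microsoft windows lives essentials"}
SUSPECT_FILENAMES = {"divxweb.exe", "hidserv.exe", "livemsngs.exe", "msnliveq.exe",
                     "scheb.exe", "svchots.exe", "service.exe", "msnrnmsgr.exe"}
# Keys to triage: HKLM/HKCU Run and the firewall AuthorizedApplications list.
WATCHED_KEY_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                        r"\firewallpolicy\standardprofile\authorizedapplications\list")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ values only

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg doubles backslashes and escapes quotes

def triage_reg_export(text):
    """Return (key, value_name, data, reasons) for watched-key values matching the indicators."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:  # new key: track it only if it is an autostart or firewall location
            key = m.group(1) if m.group(1).lower().endswith(WATCHED_KEY_SUFFIXES) else None
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        # Last path component; the firewall list appends ":*:Enabled:<name>" to the path
        # (assumed XP-era export format).
        exe = data.rsplit("\\", 1)[-1].split(":")[0].strip().lower()
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name listed in advisory")
        if exe in SUSPECT_FILENAMES:
            reasons.append("target file listed in advisory")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings

# Constructed sample export (not from a real host): one benign entry and two that match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Windows Live Messenger Essentials"="C:\\Users\\alice\\AppData\\Roaming\\LIVEMSNGS.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\Users\\alice\\AppData\\Local\\Temp\\service.exe"
'''
```

Running `triage_reg_export(SAMPLE_REG)` reports the two matching entries with both reasons each; a value name alone (for example "Windows Update" under a key that is not an autostart location) is not reported.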
In the wild, we have observed some variants of this backdoor exhibiting worm-like capabilities, such as copying itself to removable drives as any of the following:
- divxweb.exe
- hidserv.exe
- livemsngs.exe
- msnliveq.exe
- scheb.exe
- svchots.exe
- service.exe
Payload
Allows backdoor access and control
Backdoor:Win32/IRCBot.gen!X connects to the following IRC servers, joins a channel and waits for commands:
- minerva.cdmon.org
- cash.hi5fotos.info
- biz.hoodrich.ru
- goim.hoodrich.ru
- o2.selfip.biz
- team.nerashti.net
- team.radiozeri.de
- 61.31.99.67
Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, it may:
- Download and execute files
- Terminate security processes
- Write to the clipboard
- Flood target computers or networks using TCP and UDP
- Send messages through IRC instant messenger programs
Connects to IRC chat rooms
The malware connects to IRC chat rooms in order to report the status of the infection to the bot controllers and to send the information it gathers about the infected computer. In the wild, we have observed the backdoor connecting to the following chat rooms:
- ##spam##
- #bin#
- #bizlips#
- #cash#
- #im#
- #ganja
- #lamer#
- #newbiz#
- #o3
- #otest
- abc
Modifies system settings
Backdoor:Win32/IRCBot.gen!X monitors for firewall alert notifications and prevents any window with one of the following titles from being displayed:
- Windows Security Alert
- BitDefender Firewall Alert
Terminates security processes
The malware terminates the following security processes, should they be found running on the affected computer:
- avp.exe
- ccsvchst.exe
- kaspersky.exe
- mcafee.exe
- norton.exe
If a security process is terminated, details of this are reported back to the IRC channel to which it's connected.
Modifies Hosts file
Backdoor:Win32/IRCBot.gen!X modifies the Windows Hosts file. The local Hosts file maps host names to IP addresses and is consulted before DNS, so an entry in it overrides the DNS resolution of that host name (the domain part of a website URL). Malicious software may modify the Hosts file in order to redirect specified domains to different IP addresses; malware often does this to stop users from reaching websites associated with security-related applications, such as antivirus vendors' sites.
In the wild, we have observed the backdoor blocking access to the following security-related websites:
- avp.com
- bitdefender.com
- ca.com
- customer.symantec.com
- dispatch.mcafee.com
- download.mcafee.com
- f-secure.com
- grisoft.com
- hotmail.com
- kaspersky-labs.com
- kaspersky.com
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- macafee.com
- mast.mcafee.com
- mcafee.com
- microsoft.com
- my-etrust.com
- nai.com
- networkassociates.com
- nod32.com
- norton.com
- pandasoftware.com
- rads.mcafee.com
- scanner.novirusthanks.org
- secure.nai.com
- securityresponse.symantec.com
- sophos.com
- symantec.com
- threatexpert.com
- trendmicro.com
- update.symantec.com
- us.mcafee.com
- virscan.org
- viruslist.com
- virusscan.jotti.org
- virustotal.com
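As an added example (not part of this advisory), the following Python parses Hosts-file text and reports every entry that pins one of the domains listed above, or any subdomain of one, to an address. The sample Hosts content is constructed; a clean Hosts file carries no entries for these domains, so any hit is worth triage regardless of the address used.

```python
import ipaddress

# Security-related domains the advisory says the backdoor pins in the Hosts file.
BLOCKED_DOMAINS = {
    "avp.com", "bitdefender.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "grisoft.com", "hotmail.com", "kaspersky-labs.com",
    "kaspersky.com", "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "macafee.com", "mast.mcafee.com", "mcafee.com", "microsoft.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "nod32.com", "norton.com", "pandasoftware.com", "rads.mcafee.com",
    "scanner.novirusthanks.org", "secure.nai.com", "securityresponse.symantec.com", "sophos.com",
    "symantec.com", "threatexpert.com", "trendmicro.com", "update.symantec.com", "us.mcafee.com",
    "virscan.org", "viruslist.com", "virusscan.jotti.org", "virustotal.com",
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text; comments and bad lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comment, then tokenize
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: malformed line
        for host in parts[1:]:
            yield parts[0], host.lower().rstrip(".")

def _is_blocked(host):
    # The domain itself or any subdomain of it, e.g. www.kaspersky.com -> kaspersky.com.
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def find_hijacked_entries(text):
    """Return every Hosts entry that pins a listed security domain to an address.
    A clean Hosts file has no such entries, so any hit is worth triage regardless of IP."""
    return [(ip, host) for ip, host in parse_hosts(text) if _is_blocked(host)]

# Constructed sample (not from a real host): stock localhost lines, an intranet entry,
# and three entries of the kind the backdoor writes.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.example.local
127.0.0.1       avp.com www.kaspersky.com
0.0.0.0         liveupdate.symantec.com   # added by the backdoor
"""
```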
Sends instant messages
The backdoor has been observed sending the following messages containing malicious URLs in instant message programs and chat rooms:
Have you seen this? lol! <url>
olhar para esta lol! <url>
spojrzec na lol! <url>
se po dette lol! <url>
nuzd meg a lol! <url>
ser po dette lol! <url>
podYvejte se na mou lol! <url>
guardare quest lol! <url>
You know someone tried to kill obama today!? <url>
bekijk deze lol! <url>
mira esta lol! <url>
schau mal das lol! <url>
regardez cette lol! <url>
Salut, de belles photos de vous ! <url>
wow, echt geile fotos von dir ! <url>
Hola, buenas fotos de ustedes ! <url>
Hoi, mooie foto's van je ! <url>
ciao, vedi questa foto
Hej, gode billeder af dig ! <url>
Hei, fine bilder av deg ! <url>
witam, jest to zdjecie ? <url>
merhaba, bu senin fotograf ! <url>
Buna, fotografii frumos din partea ta ! <url>
Hej, fina bilder av dig ! <url>
Zivjo, lepo vas fotografije ! <url>
haha, wow facebook photos?? <url>
Additional information
The backdoor may also perform an internet speed test on the infected computer by timing how long it takes to download the following file:
speedtestfile.com/10mb.bin
Analysis by Zarestel Ferrer