Trojan:Win32/IRCFlood.I is a trojan that installs a mIRC client that allows limited remote access and control.
Installation
Trojan:Win32/IRCFlood.I may be downloaded or installed by other malware such as TrojanDropper:MSIL/IRCFlood.A, and may be present as the following:
%temp%\crypted.exe
One observed distribution point for Trojan:Win32/IRCFlood.I is the following server location:
168.215.196.57/<edited>/postcard.gif.exe
The dropped batch file "wave.bat" makes the following registry changes, which point a service parameter and a Run entry at the dropped mIRC client "taskmgr.exe" and preset the mIRC license, lock options and user name:
Sets value: "Application"
With data: "%windir%\temp\cookies\taskmgr.exe"
In subkey: HKLM\SYSTEM\ControlSet001\Services\taskmgr\Parameters
Sets value: "(default)"
With data: "1893-124286"
In subkey: HKCU\Software\mIRC\License
Sets value: "(default)"
With data: "0,4096"
In subkey: HKCU\Software\mIRC\LockOptions
Sets value: "(default)"
With data: "mirc32"
In subkey: HKCU\Software\mIRC\UserName
Sets value: "taskmgr"
With data: "%windir%\temp\cookies\taskmgr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Floods servers
Trojan:Win32/IRCFlood.I leverages the mIRC program and configuration scripts to broadcast a "flood" of messages to remote servers specified in the following data file:
The message sent is specified within the following data file:
Allows limited backdoor access and control
When run, Trojan:Win32/IRCFlood.I drops the mIRC Internet chat client, renamed "taskmgr.exe", together with its configuration data files and supporting files, into %windir%\temp\cookies, as follows:
%windir%\temp\cookies\taskmgr.exe - mIRC Internet chat application
%windir%\temp\cookies\wave.bat - batch script
%windir%\temp\cookies\hood.reg - registry import data file
%windir%\temp\cookies\aliases.ini - configuration data file
%windir%\temp\cookies\control.ini - configuration data file
%windir%\temp\cookies\mirc.ini - configuration data file
%windir%\temp\cookies\servers.ini - configuration data file
%windir%\temp\cookies\users.ini - configuration data file
%windir%\temp\cookies\ident.txt - configuration data file
%windir%\temp\cookies\fullname.txt - configuration data file
%windir%\temp\cookies\star.mrc - configuration data file
%windir%\temp\cookies\twilight.mrc - configuration data file
%windir%\temp\cookies\away.txt - configuration data file
%windir%\temp\cookies\oups.ico - data file
%windir%\temp\cookies\sweet.jpg - graphic image
Trojan:Win32/IRCFlood.I then launches the dropped batch file "wave.bat", which makes the registry changes listed under Installation, launches the dropped executable "taskmgr.exe" (the mIRC client) and opens the dropped picture "sweet.jpg".
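The registry changes listed under Installation, together with the dropped registry import file "hood.reg", suggest a simple triage check: parse a .reg file and flag the documented indicators. The following Python is an added example, not code from the original page, from Microsoft or from the malware. The embedded .reg text is constructed to mirror the documented values plus a few benign entries and is not the real hood.reg. It goes slightly beyond the listed entries by also flagging any value whose data points into the documented drop directory.

```python
"""Added example: flag Trojan:Win32/IRCFlood.I registry indicators in a
Windows .reg import/export file. Illustrative code only; the sample .reg
text below is constructed from the documented values, not a real capture."""
import re

HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}

# (normalized key, value name) pairs from the documented changes; "@" is (default).
IOC_VALUES = {
    (r"hkey_local_machine\system\controlset001\services\taskmgr\parameters", "application"),
    (r"hkey_current_user\software\mirc\license", "@"),
    (r"hkey_current_user\software\mirc\lockoptions", "@"),
    (r"hkey_current_user\software\mirc\username", "@"),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "taskmgr"),
}
# Any value whose data points into the documented drop directory is suspicious.
DROP_DIR_FRAGMENT = "\\temp\\cookies\\"

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def normalize_key(key):
    """Expand HKLM/HKCU-style hive aliases and lower-case for comparison."""
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive)
    return (hive + "\\" + rest if rest else hive).lower()


def decode_data(raw):
    """Decode one side of a .reg value line: quoted strings and dword values."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \ and \" -> "
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs, "-" deletions etc. are left as-is


def parse_reg(text):
    """Return {normalized key: {value name: data}}; [-KEY] deletions are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.lower().startswith("windows registry editor")
                or line.upper().startswith("REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            current = None if body.startswith("-") else normalize_key(body)
            if current is not None:
                entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else decode_data(m.group(1))
            entries[current][name] = decode_data(m.group(2))
    return entries


def find_iocs(entries):
    """Return [(key, name, data)] for values matching the IRCFlood.I indicators."""
    hits = []
    for key, values in entries.items():
        for name, data in values.items():
            by_name = (key, name.lower()) in IOC_VALUES
            by_path = isinstance(data, str) and DROP_DIR_FRAGMENT in data.lower()
            if by_name or by_path:
                hits.append((key, name, data))
    return hits


# Constructed sample: the documented values plus benign entries (not the real hood.reg).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKLM\SYSTEM\ControlSet001\Services\taskmgr\Parameters]
"Application"="C:\\WINDOWS\\temp\\cookies\\taskmgr.exe"

[HKEY_CURRENT_USER\Software\mIRC\License]
@="1893-124286"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="mirc32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINDOWS\\temp\\cookies\\taskmgr.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Vendor\Settings]
"Theme"=dword:00000001
"LastScript"="C:\\WINDOWS\\temp\\cookies\\wave.bat"
'''

if __name__ == "__main__":
    for key, name, data in find_iocs(parse_reg(SAMPLE_REG)):
        print(f"IOC  {key}  {name!r} = {data!r}")
```

On a live host the same parser can be fed the output of `reg export` (for example `reg export HKCU\Software\mIRC mirc.reg`); note that `reg export` writes UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to parse_reg. Matching on the drop-directory path in addition to the exact key names catches a variant that changes value names but keeps the documented staging directory.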
When the installed mIRC client runs, it displays the following graphic:
Analysis by Shawn Wang