Backdoor:Win32/IRCbot.FE

Backdoor:Win32/IRCbot.FE is a worm that spreads via removable drives. It connects to a remote IRC server, where it may receive and execute commands from a remote attacker, including updating itself, and participating in Distributed Denial of Service attacks.

Installation

When executed, Backdoor:Win32/IRCbot.FE copies itself with 'hidden', 'system' and 'read-only' attributes to c:\system\microsoft software installer\msi.exe.

The malware modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\windows\currentversion\run
Sets value:"Microsoft Software Installer"
With data: "c:\system\microsoft software installer\msi.exe"

It then launches the new copy.

It uses mutexes such as “msi-p1” and “msi-p2” to ensure that no more than one copy runs at any time.

Spreads via…

Removable drives
Every 30 seconds, the malware checks whether a removable drive has been attached to the computer. If so, it copies itself to the root folder of the drive, with a file name of msi.com. It also creates an autorun.inf file in the same location in an attempt to ensure that the malware is run when the removable drive is attached to another computer and Autorun is enabled.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Allows backdoor access and control
Backdoor:Win32/IRCbot.FE attempts to connect to an IRC server via TCP port 6667, join a channel and wait for commands.

IRC servers used may include the following:

• gen.mooo.com
• nl.chickenkiller.com
• evo.crabdance.com

Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:

• Update itself
• Stop running
• Participate in UDP based Distributed Denial of Service (DDoS) attacks
• Visit websites
• Execute specified commands using a command prompt
• Send information such as the locale of the system, and the local time
• Disconnect from the server, and reconnect again

Analysis by David Wood