IRC-Demfire

This page shows details and results of our analysis on the malware IRC-Demfire

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4247 (2003-02-12)

Updated DAT

4406 (2004-11-10)

Minimum Engine

5.1.00

File Length

various

Description Added

2003-02-12

Description Modified

2003-04-30

Malware Proliferation

Characteristics

This detection is for an IRC-based remote access trojan. It consists of multiple components, some of which are legitimate applications.

The trojan exploits an old vulnerability in Microsoft IIS in order to install itself on vulnerable machines. See 'Web Server Folder Traversal' Vulnerability - MS00-078 for more details and the relevant patch.

Once running on the victim machine, the backdoor joins an IRC channel (as defined within the IRC config files included in the package) in order to await commands from the hacker. These commands enable the hacker to perform various functions on the victim machine, for example:

  • collect machine information (e.g. memory, disk space, processor...)
  • upload/download files to/from machine
  • execute files on machine
  • perform port scanning

Furthermore, there is a denial of service (DoS) payload associated with this trojan as well. The IRC configuration scripts contain instructions to repeatedly hit specific web sites. This DoS payload is performed within a specified date range (on Sun Nov 10th 2002, between 12:00:00 and 12:01:40 inclusive), or upon restarting the backdoor for the 'n'th time (n=11 for the samples received thus far, but this would be trivial to modify).

Symptoms

  • existence of the files/directories described in the 'Methods of Infection' section
  • outgoing traffic to an IRC server (destination port 6667)

Method of Infection

The trojan package is likely to arrive in the form of a self-extracting executable. When run, this package drops a large number of files. The target directory may vary, but samples received thus far have used the following:

C:\PROGRA~1\MICROSOFT\UPDATE\DLL\TK
C:\WINNT\SYSTEM32\SHELLEXT\SYSTEM\TK

Of the files written to the victim machine, the following are likely to be present: (NB. filenames may vary)

  • RUNDLL.EXE (573,440 bytes) - a legitimate and popular FTP server application - detected as ServU-Daemon application (with /PROGRAM) described here.
  • MSTASKMGR.EXE or SVCHOST.EXE (601,600 bytes) - this is a modified IRC client application, which when coupled with the configuration scripts forms the basis of the backdoor. This is detected as IRC-Demfire.mirc with the indicated DATs.
  • FIREDAEMON.EXE (81,920 bytes) - a legitimate utility which enables applications to be installed and executed as services on NT/2k/XP machines. This component is detected as application FireDaemon (with the /PROGRAM switch). This utility is used to install/run the above two applications as services.

    [FireDaemon installing Rundll and svchost services]

    The following two entries are visible in the service list after installation:

    1. Name = FireDaemon Service: Rundll, Description = blank
    2. Name = FireDaemon Service: scvhost, Description = blank

  • TASK.CNF (~18-32 Kbytes) - this is the mIRC script that defines the trojan functionality. This is detected as IRC-Demfire with the indicated DATs.
  • TK00.TMP (~2577-2594 bytes) - this is another IRC configuration file, and is detected as IRC-Demfire with the indicated DATs.
  • START.BAT or SCV.BAT (~2711-2800 bytes) - this batch file drives the installation of the package, for example:
    1. install the services (using FIREDAEMON.EXE application)
    2. delete all scripts in C:\INETPUB\SCRIPTS (using the renamed DELTREE.EXE). A new SCRIPTS directory is then created.
    3. pipe output of various system utilities into specific directory
    This component is detected as IRC-Demfire.bat with the indicated DATs.
  • D.EXE (19,083 bytes) - the legitimate system utility DELTREE.EXE renamed. This is used by the batch file described above. This is not detected.
  • SERVUCERT.CRT & SERVUCERT.KEY (973 & 963 bytes respectively) - innocent encryption-related files related to the ServU-Daemon application. These are not detected.
  • SERVUDAEMON.INI (2,315 bytes) - INI file for ServU-Daemon application. This is not detected.
  • WAIT.COM (5,239 bytes) - this is the system utility CHOICE.COM renamed. This file is not detected.
  • FPORT.EXE (114,688 bytes) - this is an application for mapping ports to processes - a useful tool for querying unknown ports. This is not detected. It is used in this trojan package to derive information from the victim system - the output is redirected to a text file for the hacker to access.
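The symptoms and the file list above translate directly into a host and network indicator check. The following Python script is an added example, not part of the original description: it matches constructed file-inventory, service-list and firewall-log records (the record formats are assumed for the example) against the file names, byte sizes, drop directories, service-name prefix and IRC port 6667 given in this write-up. The function names and the log line format are assumptions; the indicator values come from the sections above.

```python
"""Added example (not the original page's code): check constructed host and
network data for the IRC-Demfire indicators listed in this write-up."""
import re

# File indicators from 'Method of Infection': NAME -> (min_bytes, max_bytes).
# Approximate sizes in the write-up ("~18-32 Kbytes") become ranges.
FILE_INDICATORS = {
    "RUNDLL.EXE": (573440, 573440),
    "MSTASKMGR.EXE": (601600, 601600),
    "SVCHOST.EXE": (601600, 601600),
    "FIREDAEMON.EXE": (81920, 81920),
    "TASK.CNF": (18 * 1024, 32 * 1024),
    "TK00.TMP": (2577, 2594),
    "START.BAT": (2711, 2800),
    "SCV.BAT": (2711, 2800),
    "D.EXE": (19083, 19083),
    "SERVUCERT.CRT": (973, 973),
    "SERVUCERT.KEY": (963, 963),
    "SERVUDAEMON.INI": (2315, 2315),
    "WAIT.COM": (5239, 5239),
    "FPORT.EXE": (114688, 114688),
}

# Drop directories seen in the samples (compared case-insensitively).
DROP_DIRS = {
    r"C:\PROGRA~1\MICROSOFT\UPDATE\DLL\TK".upper(),
    r"C:\WINNT\SYSTEM32\SHELLEXT\SYSTEM\TK".upper(),
}

SERVICE_PREFIX = "FireDaemon Service:"  # both installed services share this prefix
IRC_PORT = 6667                          # outbound IRC traffic noted under 'Symptoms'

# Assumed firewall log format (constructed for this example):
# "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> <IN|OUT>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>IN|OUT)$"
)


def find_irc_connections(log_lines, port=IRC_PORT):
    """Return (src, dst, dport) for outbound TCP connections to the IRC port."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        if m["dir"] == "OUT" and m["proto"] == "TCP" and int(m["dport"]) == port:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def match_files(inventory):
    """inventory: iterable of (full_path, size_bytes).

    Returns (path, reason) hits. A bare name match is weak evidence (SVCHOST.EXE
    is also a legitimate Windows file), so a hit needs the size to agree or the
    file to sit in one of the sample drop directories.
    """
    hits = []
    for path, size in inventory:
        directory, _, name = path.rpartition("\\")
        rng = FILE_INDICATORS.get(name.upper())
        size_ok = rng is not None and rng[0] <= size <= rng[1]
        in_drop_dir = directory.upper() in DROP_DIRS
        if size_ok and in_drop_dir:
            hits.append((path, "known name and size inside sample drop directory"))
        elif size_ok:
            hits.append((path, "known name and size; confirm it is not the legitimate file"))
        elif in_drop_dir:
            hits.append((path, "unexpected file inside sample drop directory"))
    return hits


def find_firedaemon_services(service_names):
    """Return service names that carry the FireDaemon prefix from the write-up."""
    return [s for s in service_names if s.startswith(SERVICE_PREFIX)]


# Constructed sample data for the example run.
SAMPLE_INVENTORY = [
    (r"C:\WINNT\SYSTEM32\SHELLEXT\SYSTEM\TK\SVCHOST.EXE", 601600),
    (r"C:\WINNT\SYSTEM32\SHELLEXT\SYSTEM\TK\TASK.CNF", 24112),
    (r"C:\WINNT\SYSTEM32\SHELLEXT\SYSTEM\TK\D.EXE", 19083),
    (r"C:\WINNT\SYSTEM32\SVCHOST.EXE", 8992),  # name matches, size does not (constructed size)
    (r"C:\WINNT\NOTEPAD.EXE", 53248),          # unrelated file
]
SAMPLE_SERVICES = ["Server", "FireDaemon Service: Rundll", "FireDaemon Service: svchost", "Workstation"]
SAMPLE_LOG = [
    "2003-02-12 10:15:02 ALLOW TCP 192.168.1.20:1045 -> 203.0.113.5:6667 OUT",
    "2003-02-12 10:15:03 ALLOW TCP 192.168.1.20:1046 -> 203.0.113.9:80 OUT",
    "2003-02-12 10:15:04 ALLOW TCP 198.51.100.7:51234 -> 192.168.1.20:6667 IN",
    "2003-02-12 10:15:05 ALLOW UDP 192.168.1.20:137 -> 192.168.1.255:137 OUT",
    "not a log line",
]


def scan(inventory=SAMPLE_INVENTORY, services=SAMPLE_SERVICES, log=SAMPLE_LOG):
    """Combine the three checks into one summary dictionary."""
    return {
        "files": match_files(inventory),
        "services": find_firedaemon_services(services),
        "irc": find_irc_connections(log),
    }


if __name__ == "__main__":
    for category, found in scan().items():
        print(f"{category}: {found}")
```

The file check deliberately treats a name-only match as insufficient, because the package reuses legitimate names (SVCHOST.EXE, RUNDLL.EXE); the size ranges and the two sample drop directories are what make a hit meaningful, and the write-up's own caveat that filenames may vary is why the drop-directory check also flags unknown names.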

Removal

All Users:

Firstly stop the following two services:

  1. FireDaemon Service: Rundll
  2. FireDaemon Service: svchost

Then use the specified engine and DAT files for detection. Since the location of the files may vary, and certain innocent files included in the package are not detected by the scanner, inspection of the batch file (detected as IRC-Demfire.bat) may be the simplest way to remove this trojan package.

Additional Windows ME/XP removal considerations

Variants