McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

IRC/Flood.bt

This page shows details and results of our analysis on the malware IRC/Flood.bt

Threat Detail

Malware Type: -

Malware Sub-type: N/A

Discovery Date: 2003-04-10

Next Steps:

Overview


Minimum DAT

4258 (2003-04-16)

Updated DAT

4333 (2004-03-03)

 Minimum Engine

5.1.00

File Length

Varies

Description Added

2003-05-28

Description Modified

2003-05-30

Malware Proliferation

Characteristics

This description is intended as a general guide. There are several variants of this trojan, and the specific actions taken are decided by the hacker creates the dropper file or uses the trojan.

This is an Internet Relay Chat BOT/DDoS tool. It is dropped by a self-extracting archive which generally includes a copy of the mIRC client within itself. This allows users who do not run mIRC to become used in a DDoS attack.

This trojan may be downloaded by a downloader trojan such as Downloader-AE

When run, the dropper extracts several files to a directory (for example, a variant used in testing copied to the System directory, but it is common for the dropper to create its own new directory, often a subfolder within the System Directory). The extracted files are in the following categories:

  • IRC script instruction for various trojan activities.
  • mIRC configuration file.
  • Batch file to perform remote login, remote launches.
  • mIRC executable for remote connection and remote access.
  • RemoteProcessLaunch application to launch EXEs.
  • Other applications used to glean system information (for example, to get names of running processes and redirecting console output).

    Infected machines should be carefully examined, since IRC/Flood droppers are often repackaged with new files, so it is possible that an attacker has installed further hacktools or backdoors.

    If mIRC is already installed on a system, registry entries pointing to the installed product may be redirected to the version dropped by the trojan.

    • Symptoms

  • Existence of the files detailed above
  • Unexpected network traffic

    • Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    But in some particular cases, the following steps need to be taken.

    Please go to the Microsoft Recovery Console and restore a clean MBR.

    On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.


    On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.

    Variants

    United States - English