McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

W32/IRCbot.gen.ac

This page shows details and results of our analysis on the malware W32/IRCbot.gen.ac

Threat Detail

Malware Type: Trojan

Malware Sub-type: Generic

Discovery Date: 2009-08-25

Next Steps:

Overview

W32/IRCbot.gen.ac is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware system to another.


Minimum DAT

5720 (2009-08-25)

Updated DAT

5764 (2009-10-07)

 Minimum Engine

5.2.00

File Length

N/A

 Description Added

2009-08-25

Description Modified

2009-10-27

Malware Proliferation

Characteristics

W32/IRCbot.gen.ac copies itself to the following folder:

  • %Windir%\System\svhost.exe

(where %WinDir is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

It will attempt communication with a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-US-XP-6843614]
  • USER  SP3-kxi * 0 :, followed by the name of the infected computer.

Attempts to connect to the following domain:

  • hxxp://66.90[removed]

During testing the following registry entries were added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • "ctfmon" = C:\WINDOWS\system\svhost.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • "C:\WINDOWS\system\svhost.exe" = C:\WINDOWS\system\svhost.exe:*:Enabled:svhost
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • "C:\WINDOWS\system\svhost.exe" = C:\WINDOWS\system\svhost.exe:*:Enabled:svhost

Symptoms

Presence of the above mentioned files in the %WINDIR%\System folder and relevant registry changes may indicate infection.

Method of Infection

The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

United States - English