McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

IRC/Backdoor.f

This page shows details and results of our analysis on the malware IRC/Backdoor.f

Threat Detail

Malware Type: Trojan

Malware Sub-type: Remote Access

Discovery Date: 2003-01-15

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4244 (2003-01-22)

Updated DAT

4516 (2005-06-17)

 Minimum Engine

5.1.00

File Length

99

Description Added

2003-01-15

Description Modified

2003-01-15

Malware Proliferation

Characteristics

This is a backdoor trojan for mIRC, that allows an attacker to execute any mIRC commands on the victim machine.

It opens port 33 UDP and listens for incoming commands. Every command is executed immediately.

The trojan requires the IRC chatprogram mIRC to be installed.

Symptoms

Port 33 UDP listening

Method of Infection

The trojan resides in the SCRIPT.INI within the mIRC folder. Upon start of mIRC the script is loaded and opens port 33 UDP.

The trojan does not spread on its own nor does it add, change, or delete any Registry keys.

Removal

Use specified engine and DAT files for detection and removal. Delete any file which contains this detection.

AVERT recommends the following course of action for prevention:

IRC File Distribution Prevention Method
Always use caution if receiving files from others on IRC channels. Although a percentage of files are safe, sharing of files is the common breeding ground for virus spreading and distribution. Use these common usage rules to minimize the risk of receiving or spreading a virus-

* Only accept files from people that you know and trust. Never accept files from people you don't know and never accept files without knowing their full purpose.

* Files of executable extension such as .BAT, .EXE, .COM, .HLP, .DLL should never be accepted from others as they have the most potential to cause problems or be infected.

* Scripts should not be accepted from others you do not know. Automation is another factor in the distribution of viruses and trojans.

* Files which support macros should not be accepted, or if they are accepted, make sure to have macro virus protection enabled. If you are unable to verify if macro virus protection is enabled, use alternate viewers such as QuickView or Wordpad as they do not support macros. Office97 applications have viewers available from Microsoft such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.

* Use Antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses however known viruses can be prevented from running if vigilant scanning techniques are used.

* Some IRC software applications such as mIRC support security settings or options to disable certain functions such as "send" or "get" and commands such as "/run" and "/dll". AVERT recommends setting these options if applicable. If your application supports changing options on "DCC" settings, choose to prompt or ignore requests for file send or receive transactions.

Variants

United States - English