IRC/Flood.cm

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2003-06-25

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5400.1158

File Length

Varies

Description Added

2003-06-25

Description Modified

2003-06-25

Malware Proliferation

This detection is for an IRC-based package which utilises a series of legitimate applications in order to function.

The malware package is delivered to the victim machine via a self-extracting archive dropper (detected as IRC/Flood.cm.dr by the specified DATs). The filename and size of this dropper may change, but one variant received by AVERT had the following characteristics:

RMTCFG-1.EXE (3,565,056 bytes) - WinZip SFX

Installation

When the dropper is run on the victim machine, multiple files are installed to the following directory:

C:\WINNT\SYSTEM32\RMTCFG2

Other subdirectories are created within this, once the package is running (some are IRC client related):

c:\WINNT\SYSTEM32\RMTCFG2\DAT
c:\WINNT\SYSTEM32\RMTCFG2\DOWNLOAD
c:\WINNT\SYSTEM32\RMTCFG2\LOGS
c:\WINNT\SYSTEM32\RMTCFG2\PLUGIN
c:\WINNT\SYSTEM32\RMTCFG2\SOUNDS

Note: the exact directory names may well change between variants.

The following Registry key is added to hook system startup, running one of the batch scripts installed (see below):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"mdll32" = C:\WINNT\SYSTEM32\RMTCFG2\UPDATE.BAT

Numerous files are installed into these directories. It is likely that the filenames/sizes of these files will vary between versions. However, the contents will typically contain key components such as those listed below:

  • FTP.EXE - innocent FTP command line utility
  • Nobios.bat - batch script for deleting C$, ADMIN$ and IPC$ shares. Detected as IRC/Flood.cm with the specified DATs.
  • SERV-U.INI - config script for the ServU-Daemon application.
  • ServUDaemon.ini - config script for the ServU-Daemon application.
  • X-ScanCfg.ini - config script for the Tool-XScan application.
  • blah.txt - list of IP addresses with username/password combinations (created by trojan).
  • ftp.bat - batch script for creating FTP script (mass.txt) to retrieve remote data. Detected as IRC/Flood.cm with the specified DATs.
  • hidden32.exe - application used for hiding the interface of another program. Detected as application HideExec since the 4241 DATs, with application-type detections enabled. It is used for hiding the ServU-Daemon application (RMTCFG.EXE) interface.
  • hiddenrun.exe - another application used for hiding the execution of other programs. Detected as application HiddenRun in the specified DATs, with application-type detections enabled. It is used for hiding the IRC client (MDLL.EXE) interface, and to hide the execution of other batch scripts.
  • install.bat - batch script for launching other components of the package. Detected as IRC/Flood.cm with the specified DATs.
  • mdll.exe - legitimate IRC client program, detected as IRC/Client application since the 4259 DATs, with application type detections enabled.
  • mirc.ini - IRC configuration script.
  • pass.bat - batch script for creating SERVU.INI file. Detected as IRC/Flood.cm with the specified DATs.
  • pass1.bat - ditto.
  • pass2.bat - ditto.
  • pass3.bat - batch script for killing/restarting ServU-Daemon application.
  • perform.ini - IRC configuration script. Detected as IRC/Flood.cm with the specified DATs.
  • psexec.exe - application for launching processes remotely, detected as application RemoteProcessLaunch since 4252 DATs, with application-type detections enabled.
  • psk.exe - application for killing processes, detected as application PSKill since 4190 DATs, with application-type detections enabled.
  • regkeyadd.bat - batch script for merging Registry script file.
  • rmtcfg.cfg - configuration script for ServU-Daemon application.
  • rmtcfg.exe - detected as application ServU-Daemon since 4207 DATs, with application-type detections enabled.
  • script.ini - IRC configuration script. Detected as IRC/Flood.cm with the specified DATs.
  • script1.ini - IRC configuration script. Detected as IRC/Flood.cm with the specified DATs.
  • secure.bat - batch script for altering Security settings on victim machine. Detected as IRC/Flood.cm with the specified DATs.
  • secure.exe - detected as application Delshare since 4272 DATs, with application-type detections enabled.
  • setup.bat - batch script for launching IRC client (mdll.exe) via application HiddenRun. Detected as IRC/Flood.cm with the specified DATs.
  • setup.exe - detected as application Iroffer since 4207 DATs, with application-type detections enabled.
  • startup.bat - batch script for stopping various services, and launching update (via application HiddenRun -> update.bat). Detected as IRC/Flood.cm with the specified DATs.
  • update.bat - batch script for launching other malware components. Detected as IRC/Flood.cm with the specified DATs.
  • xscan.exe - Command line vulnerability scanner. Detected as application Tool-XScan since 4239 DATs, with application-type detections enabled.

Note: to enable application type detections:

  • Users running VirusScan 7 or later can enable them via the configuration option "Find potentially unwanted programs" (in the Advanced section). Screenshots for both the corporate and retail products are included in the relevant descriptions (linked to above).
  • Command line users should use the /PROGRAM switch.

Remote Commands

Once running, the trojan can accept remote commands from the hacker via IRC. For example:

  • scan - use Tool-XScan to scan remote machines
  • icmp - deliver ICMP flood attack on remote machine (uses ping.exe)
  • udp - deliver UDP flood attack
  • root - attempt to install/execute dropper on remote machine (uses RemoteProcessLaunch application)

The following passwords are used by the trojan when attempting to connect to remote machines:

  • %username%
  • admin
  • root
  • 1
  • 111
  • 123
  • 1234
  • 12345
  • 123456
  • 654321
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • server
  • passwd
  • password
  • %username%123
  • %username%!@#$
  • shit
  • fuck
  • password
  • passw0rd
  • letmein

Application Tool-XScan is used to retrieve possible usernames to use with the above passwords (the same username is used in the %username% variable in the password list).
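The password list above is also useful on the defensive side: an administrator can check whether any account on the network would fall to exactly these guesses. The following is an added example, not code from the description or from McAfee. It embeds the list as given (the duplicate "password" entry listed once), expands the %username% placeholder for a given account, and audits a credential store through a caller-supplied verify callback so it works against hashed passwords. The SHA-256 demo store, the account names and the assumption that the username is substituted exactly as written (the description does not say whether case is altered) are all constructed for the example.

```python
import hashlib

# Password list from the IRC/Flood.cm description ("password" appears twice
# there and is listed once here). "%username%" is the placeholder the trojan
# fills with the account name it is trying.
TROJAN_PASSWORD_TEMPLATES = [
    "%username%", "admin", "root", "1", "111", "123", "1234", "12345",
    "123456", "654321", "!@#$", "asdf", "asdfgh", "!@#$%", "!@#$%^",
    "!@#$%^&", "!@#$%^&*", "server", "passwd", "password", "%username%123",
    "%username%!@#$", "shit", "fuck", "passw0rd", "letmein",
]


def expand_for_user(username):
    """Concrete candidate set the trojan would try for one account.

    Assumption: the username is substituted exactly as given; the
    description does not say whether case is altered.
    """
    return {t.replace("%username%", username) for t in TROJAN_PASSWORD_TEMPLATES}


def password_in_trojan_list(username, password):
    """Policy check for a new password: True if the trojan would guess it."""
    return password in expand_for_user(username)


def audit_account(username, verify):
    """Return the candidates `verify` accepts for this account (ideally none).

    `verify(candidate) -> bool` is supplied by the caller, so the audit works
    against whatever hash the credential store uses.
    """
    return sorted(c for c in expand_for_user(username) if verify(c))


# Constructed demo store: username -> SHA-256 of the password. A real store
# would use a salted, slow hash; the audit only needs a `verify` callback.
def make_store(plain_credentials):
    return {u: hashlib.sha256(p.encode()).hexdigest()
            for u, p in plain_credentials.items()}


def audit_store(store):
    """Map each account whose stored password is in the list to the hits."""
    hits = {}
    for user, digest in store.items():
        def verify(candidate, digest=digest):
            return hashlib.sha256(candidate.encode()).hexdigest() == digest
        found = audit_account(user, verify)
        if found:
            hits[user] = found
    return hits


if __name__ == "__main__":
    # Constructed accounts for the demo run.
    store = make_store({"jsmith": "jsmith123", "admin": "admin",
                        "svc_backup": "Tr0ub4dor&3"})
    for user, found in audit_store(store).items():
        print(f"{user}: guessable via {found}")
```

password_in_trojan_list is the hook to call when a password is set; audit_store is the one-off sweep over existing accounts. Because the description says the same username is substituted into every %username% entry, an account named "admin" sees "%username%" and "admin" collapse to a single candidate, which the set in expand_for_user handles.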

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Characteristics

The package is installed via a SFX dropper. It consists of multiple components, some of which are legitimate applications. It is IRC-based, joining a channel to accept remote commands from the hacker.

Symptoms

  • Existence of files/Registry key detailed above
  • Unexpected traffic to remote server (destination port 6667 - IRC)
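The two indicators above (the startup hook described under Installation, and outbound traffic to port 6667) can be checked programmatically. The following is an added example, not code from the description or from McAfee. It matches Run-key values against the documented "mdll32" entry, the RMTCFG2 install directory and the package's batch-script names, and it sweeps a firewall log for TCP flows from internal hosts to port 6667 on external hosts. The log line layout, the sample log lines, the Run-key contents and the use of RFC 1918 ranges to mean "internal" are all constructed assumptions for the example; as the description notes, directory and file names may differ between variants, so the lists are what was observed in the analysed sample, not a complete set.

```python
import ipaddress
import re

# Host indicators from the IRC/Flood.cm description. Directory and file names
# may change between variants, so these are the values seen in the sample
# AVERT analysed, not an exhaustive list.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "mdll32"
INSTALL_DIR = r"C:\WINNT\SYSTEM32\RMTCFG2"
PACKAGE_BATCH_FILES = {
    "nobios.bat", "ftp.bat", "install.bat", "pass.bat", "pass1.bat",
    "pass2.bat", "pass3.bat", "regkeyadd.bat", "secure.bat", "setup.bat",
    "startup.bat", "update.bat",
}
IRC_PORT = 6667

# Assumption: "internal" means RFC 1918 space; adjust to the site's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_run_values(run_values):
    """Match Run-key values against the description's startup hook.

    run_values maps value name -> command string, as read from RUN_KEY.
    Returns a list of (value_name, command, [reasons]).
    """
    findings = []
    for name, command in run_values.items():
        cmd = command.strip().strip('"')
        basename = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name matches the documented 'mdll32' entry")
        if cmd.lower().startswith(INSTALL_DIR.lower() + "\\"):
            reasons.append("command runs from the RMTCFG2 install directory")
        if basename in PACKAGE_BATCH_FILES:
            reasons.append("command runs package batch script " + basename)
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


# Constructed firewall log (not from the description), one flow per line:
# "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FIREWALL_LOG = """\
2003-06-25 09:58:12 ALLOW TCP 10.0.0.5:1043 -> 203.0.113.7:6667
2003-06-25 09:58:13 ALLOW TCP 10.0.0.5:1044 -> 10.0.0.9:445
2003-06-25 09:58:20 ALLOW TCP 10.0.0.12:1201 -> 198.51.100.4:80
2003-06-25 09:59:02 ALLOW TCP 10.0.0.5:1050 -> 203.0.113.7:6667
2003-06-25 09:59:40 ALLOW TCP 10.0.0.7:1100 -> 10.0.0.20:6667
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_irc_connections(log_text):
    """Return (src, dst, flow_count) for TCP flows from internal hosts to
    port 6667 on hosts outside the internal ranges, sorted by source."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != IRC_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if not any(src in n for n in INTERNAL_NETS):
            continue
        if any(dst in n for n in INTERNAL_NETS):
            continue  # an internal IRC server is not this indicator
        key = (m["src"], m["dst"])
        counts[key] = counts.get(key, 0) + 1
    return [(s, d, n) for (s, d), n in sorted(counts.items())]


if __name__ == "__main__":
    # Constructed Run-key contents imitating an infected host.
    run_values = {
        "mdll32": r"C:\WINNT\SYSTEM32\RMTCFG2\UPDATE.BAT",
        "Synchronization Manager": "mobsync.exe /logon",
    }
    for name, cmd, reasons in check_run_values(run_values):
        print(RUN_KEY + "\\" + name + " = " + cmd)
        for reason in reasons:
            print("   -", reason)
    for src, dst, n in find_irc_connections(SAMPLE_FIREWALL_LOG):
        print(f"{src} -> {dst}:{IRC_PORT} ({n} flows)")
```

On a live host the run_values dictionary would be filled from the Run key rather than constructed, and the log parser's regular expression adapted to the firewall's real format; the three Run-key reasons are kept separate so that a variant which renames the directory but keeps the "mdll32" value name, or vice versa, is still reported. The port 6667 check is deliberately scoped to internal-to-external flows, since a legitimate internal IRC server would otherwise produce noise.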