Backdoor:Win32/IRCbot.gen!O is a generic detection for a trojan that allows unauthorized access and control of an affected machine by a remote attacker using IRC. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from an attacker. This particular detection may trigger on variants of several different IRC bot families, including Win32/Pushbot and Win32/Synigh.
While the specific behaviors of malware reported by this detection may vary from one instance to the next, we provide the following details as an example of malware that may be detected with this name.
Installation
When executed, Backdoor:Win32/IRCbot.gen!O may create a copy of itself in the <system folder> or the <system folder>\drivers directory, with a variable file name, for example:
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It may then make a number of registry modifications for its own use (continuing our previous example):
Sets value: ".ZAC."
With data: "<system folder>\drivers\delsrv.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Sets value: ".ZAN."
With data: "<time and date of installation>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Spreads Via…
Logical and Removable Drives
Some variants of Backdoor:Win32/IRCbot.gen!O may attempt to spread to logical or removable drives. They place themselves in the \RECYCLER folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
Our example variant created the following files when attempting to spread in this manner:
<Targeted Drive>:\recycler\s-53-6-22-3434476501-1644491937-600003330-1213\delserv.exe (a copy of itself)
<Targeted Drive>:\recycler\s-53-6-22-3434476501-1644491937-600003330-1213\desktop.ini
<Targeted Drive>:\autorun.inf
Exploit/Network Shares
Upon receiving IRC commands via the backdoor (see the Payload section below for additional detail), Backdoor:Win32/IRCbot.gen!O can spread to remote computers by exploiting one or more Windows vulnerabilities, for example MS04-011 or MS08-067.
Backdoor:Win32/IRCbot.gen!O may also spread via network shares by attempting to access the following shares:
d$\windows\system32
c$\
d$\winnt\system32
c$\windows\system32
c$\winnt\system32
Admin$\system32
Admin$
Ipc$
using a list of predefined weak passwords (for example):
server
asdfgh
password
access
pass1234
administrador
654321
123456
12345
admin
administrator
Payload
Modifies System Security Settings
Backdoor:Win32/IRCbot.gen!O may attempt to lower security settings on an affected machine by making a number of modifications to the registry, for example:
Sets value: "SFCDisable"
With data: "4294967197"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "WaitToKillServiceTimeout"
With data: "7000"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control
Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "UpdatesDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Sets value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
Sets value: "AUOptions"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Sets value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Sets value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Sets value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Sets value: "restrictanonymous"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Sets value: "AutoShareWks"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Sets value: "AutoShareWks"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
Sets value: "DoNotAllowXPSP2"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Sets value: "EnableDCOM"
With data: "n"
To subkey: HKLM\Software\Microsoft\OLE
Sets value: "DontReportInfectionInformation"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\MRT
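As an added example (not part of the encyclopedia entry), a defender-side audit that checks a registry export for the values listed in the Installation and Payload sections above. It parses only the [key] / "name"=dword: / "name"="string" line forms of a .reg file; the indicator table is taken from this description, and the sample export is constructed, not captured from an infected host.

```python
import re

# Indicators from the Backdoor:Win32/IRCbot.gen!O description above, as (subkey, value
# name) -> data the malware writes; None flags the ".ZAC." marker whatever its data.
INDICATORS = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions", ".ZAC."): None,
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable"): "4294967197",
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): "0",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): "4",
    (r"HKLM\SOFTWARE\Policies\Microsoft\MRT", "DontReportInfectionInformation"): "1",
}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Map (key, name) -> data from a .reg export; DWORDs become unsigned decimal strings."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # .reg exports spell out the hive; the description abbreviates it to HKLM
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM", 1).lower()
        elif key and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            data = str(int(dword, 16)) if dword else string.replace("\\\\", "\\")
            values[(key, name.lower())] = data
    return values

def find_indicators(text):
    """Return (key, name, data) for each indicator present with the data the malware writes."""
    values, hits = parse_reg_export(text), []
    for (key, name), expected in INDICATORS.items():
        data = values.get((key.lower(), name.lower()))
        if data is not None and expected in (None, data):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not from a real host): SFC disabled (0xffffff9d == 4294967197),
# Security Center service set to Disabled, firewall still enabled (not flagged), marker set.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
".ZAC."="C:\\Windows\\System32\\drivers\\delsrv.exe"
"""
```

Running find_indicators(SAMPLE_EXPORT) reports the .ZAC. marker, the SFCDisable value and the disabled wscsvc service; the firewall value is not reported because its data (1) is not the value the malware writes.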
Backdoor Functionality
Backdoor:Win32/IRCbot.gen!O allows unauthorized access and control of an affected machine. In the wild, our example variant contacted the following IRC servers in order to receive instruction from a remote attacker:
www.KUTLUFAMILY.COM
www.BALDMANPOWER.ORG
Backdoor commands can include actions such as:
Scanning for unpatched computers on the network
Scanning files on the system and checking whether certain DLLs are loaded
Scanning ports on the network
Downloading and executing remote files
Monitoring network traffic
Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers
Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, network connection information, and IE start page configuration
Retrieving CD keys of games
Uploading/downloading files through FTP
Manipulating processes and services
Conducting denial of service (DoS) attacks
Additional Information
Backdoor:Win32/IRCbot.gen!O may contact additional remote hosts. For example, one variant was observed in the wild contacting the following domains:
Analysis by Lena Lin