The bot prevents the computer from starting in Safe Mode by deleting the following registry keys:
HKLM\System\CurrentControlSet\Control\SafeBoot
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\System\CurrentControlSet\Control\SafeBoot\Network
Windows reads the Minimal and Network subkeys to decide which drivers and services to load in Safe Mode; without them a Safe Mode boot fails, so the bot cannot be cleaned from there.
Injects code
In order to hinder detection and removal, Backdoor:Win32/IRCbot.gen!Y injects its code into the "winlogon.exe" process.
Upon execution the Trojan tries to connect to the following hosts through remote port 4042:
xsi.hi5f[Removed]os.info
22.21.[Removed].65
229.51.[Removed].87
87.255.[Removed].229
this-domain[Removed]-by.abuse.ch (a name under abuse.ch, which sinkholes botnet command-and-control domains)
Upon execution, "W32/IRCbot.gen.a" copies itself into the following location:
%Temp%\cetrnaest.exe
It also drops the following file:
[Removable Drive]:\[USERNAME]-35FC12\[USERNAME]-35FC12\Desktop.ini
This Trojan also attempts to create an autorun.inf file on the root of removable drives.
An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/IRCbot.gen!AA.
Payload
Allows backdoor access and control
Backdoor:Win32/IRCbot.gen!AA allows unauthorized access and control of your computer.
Aliases
Microsoft - Worm:win32/dorkbot.a
ESET-NOD32 - Win32/Injector.AFCG
Drweb - BackDoor.IRC.ngrBot.42
AVP - Backdoor.Win32.Ruskill.ruv
Characteristics
"W32/IRCbot.gen.a" is detection for a worm that spreads over USB devices using Autorun functionality.
Reference: https://www.symantec.com/security_response/writeup.jsp?docid=2002-071518-2036-99
What to do now
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution.
Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
It is a member of the Backdoor:Win32/IRCbot family of bots.
Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
The trojan drops a file into the following path:
%Temp%\351.exe
The Trojan downloads the following file from the digital[removed].cn site:
%Temp%\Temporary Internet Files\Content.IE5\KHCN216V\kimber.exe
These are general defaults for typical path variables.
Ensure that all available network shares are scanned with an up-to-date antivirus product.
HKey_Users\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Mobile Device Service: "%APPDATA%\J-93219-1923-12901\mobile32.exe"
The registry value above registers the Trojan with the compromised system so that it executes at each system boot.
The Trojan also creates a mutex.
Reference: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=252087
After infection, the following registry key value has been added to the system:
HKEY_USERS\S-1-5-21-[Varies]39522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Dbhbuzxlhtqpykvh.exe: "%UserProfile%\Application Data\Dbhbuzxlhtqpykvh.exe"
This value likewise ensures that the copy runs at each system boot.
Related encyclopedia entries
Backdoor:Win32/IRCbot
Analysis by Patrik Vicol
Prevention
Take these steps to help prevent infection on your computer.
The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; for XP, Vista, and 7 it is "C:\Windows".
On Windows XP: Insert the Windows XP CD into the CD-ROM drive and restart the computer. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. Select the Windows installation.
All Users: Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore.
2. Update to current engine and DAT files.
Note:
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Installation
Depending on the variant, Backdoor:Win32/IRCbot.gen!Y copies itself with file names that resemble legitimate programs and services, possibly in an effort to hinder detection and removal, such as the following:
%APPDATA%\ctfmon.exe
%TEMP%\
This could include, but is not limited to, the following actions:
Download and execute arbitrary files
Upload files
Spread to other computers using various methods of propagation
Log keystrokes or steal
When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically. A sample autorun.inf dropped by the worm:
    [autorun]
    open=OGa\RD\GOx.exe
    ;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌÔ‘
    ;Fuck U Motha Fucka I Could have been
The two ";" lines are comments that Autorun ignores (the first is mis-encoded in the source); worms commonly pad autorun.inf with junk comments like these so that the file's hash differs from one infection to the next, while the open= directive still points at the dropped executable.
For more information on returning an infected computer to its pre-infected state, please see the following articles:
Resetting your computer's security settings to default
Stopping and starting Windows services: For Windows 7
Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.
It then hides all folders in the removable drives, in an attempt to trick you into clicking on its copy rather than on the folder in your drive.
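The autorun.inf and hidden-folder tricks described above can be checked for on a live system. The script below is an added example written for this page, not code from any of the vendor writeups quoted here. It assumes an elevated PowerShell 5.1 (or later) session on Windows, treats DriveType 2 (removable) and 4 (mapped network) from Win32_LogicalDisk as the drives of interest, and only parses the open=, shellexecute= and shell\<verb>\command= directives that Autorun can use to launch a file; the decoy extensions it looks for (.exe, .lnk, .scr) are an assumption based on the .exe and .lnk droppers mentioned on this page.

```powershell
# Added example: audit removable and mapped drives for the Autorun worm pattern
# (autorun.inf at the root, real folders hidden, look-alike executables beside them).
# Assumes an elevated PowerShell 5.1+ session on Windows.

function Get-AutorunTargets {
    param([Parameter(Mandatory)][string]$Path)
    # Collect every file an autorun.inf could launch. Other directives (icon=,
    # label=) and ";" comment lines, including junk padding, are ignored.
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $matches[2]
        }
    }
    return $targets
}

function Test-RemovableDrive {
    param([Parameter(Mandatory)][string]$Root)
    $findings = @()

    # 1. autorun.inf at the drive root, and what it would launch.
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf present: $inf"
        foreach ($t in Get-AutorunTargets -Path $inf) {
            $findings += "  launches: $t"
        }
    }

    # 2. Hidden folders that have a same-named decoy file next to them. The worm
    #    hides the user's folders and drops a copy (or a .lnk) carrying the folder's name.
    $hidden = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($d in $hidden) {
        foreach ($ext in '.exe', '.lnk', '.scr') {   # assumed decoy extensions
            $decoy = Join-Path $Root ($d.Name + $ext)
            if (Test-Path -LiteralPath $decoy) {
                $findings += "hidden folder '$($d.Name)' has a decoy file: $decoy"
            }
        }
    }
    return $findings
}

# DriveType 2 = removable disk, 4 = network (mapped) drive; both are targets of the worm.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $result = Test-RemovableDrive -Root $root
    if ($result) { "[$root]"; $result } else { "[$root] clean" }
}
```

A clean drive prints "[E:\] clean"; an infected one lists the autorun.inf, the file its open= directive points at (a relative path such as OGa\RD\GOx.exe is resolved against the drive root by Autorun), and each hidden folder that has a decoy beside it. Finding a decoy next to a hidden folder is the stronger indicator, because Autorun can be disabled by policy while the folder trick still catches a user who double-clicks.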
Analysis by Vincent Tiu
Threat behavior
Installation
Backdoor:Win32/IRCbot.gen!AA uses the file name "%AppData%\winsvrn32.exe".
Upon execution, "W32/IRCbot.gen.a" copies itself into the following location:
%Temp%\trinaest.exe
It also drops an autorun.inf file into the root of all removable drives and mapped drives so that the copy runs automatically when the drive is opened on a machine with Autorun enabled.
It also places an
Virus Characteristics
"W32/IRCbot!lnk" is a link file which is dropped by the file "hYStyP.exe" [Detected as W32/IRCbot.gen.cr].
Indication of infection: presence of the registry key(s) mentioned above.
It connects to and downloads files from the IP address 84.[removed].44 using remote port 44504.
Unlike viruses, trojans do not self-replicate.
Because of a lack of standard naming conventions and also because of common features, variants of Win32.IRCBot can often be confused with the Agobot and Spybot families of worms.
Backdoor:Win32/IRCbot.gen!Z modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "
They are spread manually, often under the premise that they are beneficial or wanted.
In the wild, we have observed the following modifications to the registry:
In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Defender"
With data: "%system%\windefend.exe"
Sets value: "Windows Defense Service"
With data: "%system%\windefend.exe"
Sets value:
(The value names imitate the WinDefend service; Windows Defender's own engine is MsMpEng.exe and is not started from a Run value.)
Upon execution, it drops a copy of the bot into the currently logged-on user's %SYSTEM%\drivers directory.
Upon execution the malware copies itself to the location below and connects to sik[removed].net through port 6969:
%SystemDrive%\WINDOWS\dllmgr.exe
It also drops the following files:
%SystemDrive%\OGa\RD\DesKTop.ini
%SystemDrive%\OGa\RD\GOx.exe
This
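The Run-key persistence shown in the registry excerpts above (a value under HKLM, HKCU or a per-user HKEY_USERS hive that launches a copy from %APPDATA%, %TEMP% or the user profile, sometimes under a name such as "Windows Defender") and the SafeBoot key deletion described earlier can both be audited from one script. The following PowerShell is an added example written for this page, not code from the vendor writeups it summarises. It assumes an elevated PowerShell 5.1 (or later) session on Windows, that profile hives are loaded under HKEY_USERS, and that the path patterns and the Authenticode check are heuristics: legitimate unsigned software will also be listed, so the output is a triage list rather than a verdict.

```powershell
# Added example: list autostart values that launch from user-writable locations or
# point at unsigned binaries, and confirm the SafeBoot keys still exist.
# Assumes an elevated PowerShell 5.1+ session on Windows. Heuristic, not a verdict.

function Get-RunCommandExe {
    param([string]$Command)
    # First token of the command line: a quoted path, or a bare path ending in .exe.
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $null
}

function Get-SuspiciousRunValues {
    # Locations used by the samples on this page: %APPDATA%, %TEMP%, %UserProfile%\Application Data.
    # Get-ItemProperty expands REG_EXPAND_SZ, so the expanded profile paths are matched too.
    $userWritable = '\\Users\\[^\\]+\\|\\Documents and Settings\\[^\\]+\\|%APPDATA%|%TEMP%|%UserProfile%'
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Add the Run key of every loaded user hive (SIDs of the form S-1-5-21-...),
    # which covers HKCU for the current user and any other logged-on profile.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $keys += Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metadata) { continue }   # provider metadata, not registry values
            $data = [string]$p.Value
            $exe  = Get-RunCommandExe -Command $data
            $sig  = 'NotFound'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            # Flag user-writable paths and anything that is not validly signed: a value
            # named "Windows Defender" that launches an unsigned windefend.exe fails here.
            if ($data -match $userWritable -or $sig -ne 'Valid') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $data; Signature = $sig }
            }
        }
    }
}

function Test-SafeBootKeys {
    # The bot deletes these so the machine can no longer boot into Safe Mode.
    foreach ($sub in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub"
        [pscustomobject]@{ Key = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

Get-SuspiciousRunValues | Format-Table -AutoSize
Test-SafeBootKeys       | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the script reads the registry through the same API the bot hooks when it is injected into winlogon.exe, so on a live infected host a rootkit component could hide the values (compare against an offline hive or a boot-time scan when in doubt), and a Present = False row for either SafeBoot key means Safe Mode is unavailable for clean-up, which is exactly why the vendor instructions above fall back to the Recovery Console and an updated engine/DAT scan.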
The following Microsoft products detect and remove this threat:
Microsoft Security Essentials
Microsoft Safety Scanner
Additional remediation instructions for
An attacker can gain control over the compromised computer and use it to send spam or install further malware.
Methods of Infection
This worm may be spread by its intended method of infected removable drives.
They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive.