BKDR_IRCBOT.GIW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

• %User Temp%\9879898798798jlk.ini
• %User Temp%\damipugifoc.wul
• %User Temp%\gagiyapesay.dll
• %User Temp%\jajihakevan.dll
• %User Temp%\muqizeroqako.dll
• %User Temp%\ns{random string}.tmp\System.dll
• %User Temp%\Temuxucemoj.exe
• %User Temp%\Xupijanokof.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\{23F24C31-568D-461D-B5CA-13393D19909A}\hdg.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{23F24C31-568D-461D-B5CA-13393D19909A}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• evil1loldild0s

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windongs = "%Application Data%\{23F24C31-568D-461D-B5CA-13393D19909A}\hdg.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{23F24C31-568D-461D-B5CA-13393D19909A} = "%Application Data%\{23F24C31-568D-461D-B5CA-13393D19909A}\hdg.exe"

Backdoor Routine

This backdoor connects to any of the following IRC server(s):

• epic.{BLOCKED}s.xxx
• irc1.{BLOCKED}-wow.com

It joins any of the following IRC channel(s):

• #test5

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• (DOWNLOAD) - Downloads and execute arbitrary file
• (EXEC) - Executes command
• (GET) - Sends GET floods
• (HELP) - Print Commands
• (OPENURL) - Opens a URL using a hidden browser
• (POST) - Sends POST floods
• (QUIT) - Terminate itself
• (SHELL EXEC) - Executes shell command
• (SPEEDTEST) - check connection speed (rolotech-electronics.comuf.com, speedtest1.hivelocity.net, 68.11.12.242)
• (STOP EXEC) - Stops a thread
• (STOP GET) - Stops GET floods
• (STOP SPEEDTEST) - Stops speedtest
• (STOP SYN) - Stops a SYN Flood
• (STOP UDP) - Stops UDP Flooding
• (SYN) - Sends a SYN Flood
• (UDP) - Starts UDP Flooding
• (VERSION) - Print Version

Other Details

This backdoor uses the following credentials when accessing its IRC server:

• USERNAME: zwin-{random}
• PASSWORD: Op Dildos / dildos

NOTES:
It connects to the following sites to perform a speed test:

• http://speedtest1.{BLOCKED}city.net/speedtest/upload.php?x={random value}
• http://{BLOCKED}.12.242/speedtest/upload.php?x={random number}
• http://{BLOCKED}ch-electronics.comuf.com/speedtest/upload.php?x={random number}