BKDR_IRCBOT.AUSED

 Analysis by: John Kevin Sanchez

 ALIASES:

Backdoor.Win32.Ircbot.gen (v) (VIPRE), Backdoor.Win32.Ircbot.gen (v) (AVware)

 PLATFORM:

Windows

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It modifies registry entries to disable the Windows Firewall settings. This action allows this malware to perform its routines without being detected by the Windows Firewall.

  TECHNICAL DETAILS

File Size:

1,675,264 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

26 Apr 2018

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

  • %Temp%\{random filename}.exe

(Note: %Temp% is the Windows temporary folder, usually C:\Windows\Temp on all Windows operating system versions.)

It adds the following processes:

  • explorer.exe

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

Autostart Technique

This Backdoor creates the following registry entries to enable automatic execution of the dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
mcafee = "%Temp%\{random filename}.exe"

The scheduled task executes the malware:

  • At log on of any user

Other System Modifications

This Backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{random}.exe

HKEY_CURRENT_USER\Software\Win7zip

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{random}.exe
Debugger = {random}.exe

It modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = 0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\PublicProfile
EnableFirewall = 0

Other Details

This Backdoor connects to the following possibly malicious URL:

  • www.{BLOCKED}nd.com

It adds the following scheduled tasks:

  • Windows Update Check - 0x{hex}
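The artifacts listed in this entry (the "mcafee" Run value, the Win7zip marker key, the self-referencing Image File Execution Options Debugger value, the two EnableFirewall = 0 values and the "Windows Update Check - 0x…" logon task) can be audited on a host with the following PowerShell script. It is an added example written for this page, not a Trend Micro tool; the {random}.exe name and the hex task suffix are matched with wildcards because the entry does not give fixed values, and the CurrentControlSet check is an assumption added alongside the ControlSet001 path the entry names.

```powershell
# Added defender-side audit for the BKDR_IRCBOT.AUSED artifacts described above.
# Run in an elevated PowerShell session; returns one string per artifact found.
function Test-IrcbotArtifacts {
    $findings = @()

    # 1. HKCU Run value named "mcafee" (entry: mcafee = "%Temp%\{random filename}.exe")
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['mcafee']) {
        $findings += "Run value 'mcafee' = $($run.mcafee)"
    }

    # 2. Marker key HKCU\Software\Win7zip
    if (Test-Path 'HKCU:\Software\Win7zip') {
        $findings += 'Marker key HKCU\Software\Win7zip present'
    }

    # 3. IFEO subkey whose Debugger value names the subkey itself
    #    (entry: {random}.exe\Debugger = {random}.exe; the name is unknown, so every subkey is checked)
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg -and ($dbg -ieq $sub.PSChildName)) {
            $findings += "IFEO $($sub.PSChildName) Debugger = $dbg (self-referential)"
        }
    }

    # 4. Firewall disabled in the Standard or Public profile.
    #    ControlSet001 is the path the entry lists; CurrentControlSet is an added assumption.
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        foreach ($profile in 'StandardProfile', 'PublicProfile') {
            $p = "HKLM:\SYSTEM\$cs\services\SharedAccess\Parameters\FirewallPolicy\$profile"
            $v = (Get-ItemProperty -Path $p -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
            if ($v -eq 0) { $findings += "$cs\$profile EnableFirewall = 0" }
        }
    }

    # 5. Scheduled task "Windows Update Check - 0x{hex}" and whether it has a logon trigger
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Windows Update Check - 0x*' }
    foreach ($t in $tasks) {
        $exe = ($t.Actions | ForEach-Object { $_.Execute }) -join ';'
        $logon = $t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        $when = if ($logon) { ' at logon' } else { '' }
        $findings += "Task '$($t.TaskName)' runs '$exe'$when"
    }

    return $findings
}

$hits = Test-IrcbotArtifacts
if ($hits.Count -eq 0) { 'No BKDR_IRCBOT.AUSED artifacts found' } else { $hits }
```

Any single hit is worth triage on its own: a Run value that points into %Temp%, an EnableFirewall value of 0 that no administrator set, or a logon task whose action lives outside Program Files or System32. Remediation follows the entry's list in reverse: unregister the task, restore EnableFirewall to 1 in both profiles, delete the IFEO subkey and the Run value, then remove the dropped copy from %Temp%.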