BKDR_IRCBOT.BTG

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Windows%\system\msentale.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
ImagePath = "%Windows%\system\msentale.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
DisplayName = "Microsoft Security"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security
Description = "Microsoft Security"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Security

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\system\msentale.exe = "%Windows%\system\msentale.exe:*:Enabled:Microsoft Enabled"