BKDR_IRCBOT.INC

 Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

  TECHNICAL DETAILS

File Size:

81,920 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

24 May 2011

Installation

This backdoor drops the following copies of itself into the affected system:

  • %WINDOWS%\system\dllcache.exe

It drops the following files:

  • %system%\drivers\sysdrv32.sys

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
netmon = %WINDOWS%\system\dllcache.exe

Backdoor Routine

This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.