ELF_EMECH.SM

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor connects to any of the following IRC server(s):

• {BLOCKED}.{BLOCKED}.182.255
• {BLOCKED}.{BLOCKED}.182.1
• {BLOCKED}.{BLOCKED}.74.10
• {BLOCKED}.{BLOCKED}.175.201
• {BLOCKED}.{BLOCKED}.91.146
• {BLOCKED}.{BLOCKED}.201.28

It joins any of the following IRC channel(s):

• #netsplit

It executes the following commands from a remote malicious user:

• cmd - send command to linked bots
• nick - change nickname
• join - join a channel
• invite - invite user to a channel
• ping - send ping
• ctcp - send ctcp request to user
• privmsg - send private message
• away - set the bot away
• kick - kick a user
• ban - ban a user
• banlist - show banlist
• chaccess - change the level to do a command
• deop - deop a user matching the given mask on a channel
• die - kill the bot
• do - send raw commands
• debug - debug information to a file
• cycle - quickly part and rejoin a channel
• del - delete user from bots userlist