BKDR_IRCBOT.INC
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor opens a random TCP port on the affected system and listens for an incoming connection from a remote user. Once a connection is established, the remote user can execute commands on the affected system.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %WINDOWS%\system\dllcache.exe
It drops the following files:
- %System%\drivers\sysdrv32.sys
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
netmon = %WINDOWS%\system\dllcache.exe
Backdoor Routine
This backdoor opens a random TCP port on the affected system and listens for an incoming connection from a remote user. Once a connection is established, the remote user can execute commands on the affected system. Because the port number is chosen at random, a host check should key on the process that owns the listening socket and on the dropped files and autostart entry above, not on a fixed port number.
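The following host triage script is an added example and is not part of the original Trend Micro entry. It checks the dropped-file paths, the "netmon" Run value and any listening TCP socket owned by a running dllcache.exe, using the indicators given in the Installation, Autostart Technique and Backdoor Routine sections. Assumptions: it is run from an elevated PowerShell prompt on the affected host; the Run key is read from the native (32-bit) hive only, matching the listed platforms; listening sockets are taken by parsing netstat -ano output rather than Get-NetTCPConnection so that the check also works on older PowerShell versions; the SHA256 hashing is skipped where Get-FileHash is unavailable.

```powershell
# Added example: triage a host for BKDR_IRCBOT.INC indicators taken from the
# entry above. Run elevated. Nothing here removes the backdoor; it only reports.

$findings = @()

# 1. Dropped files. %WINDOWS% is the Windows folder, %System% is System32.
$windir = $env:SystemRoot
$sysdir = Join-Path $windir 'System32'
$droppedFiles = @(
    (Join-Path $windir 'system\dllcache.exe'),     # copy of the backdoor
    (Join-Path $sysdir 'drivers\sysdrv32.sys')     # dropped driver
)
$canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $detail = 'present'
        if ($canHash) {
            $detail = 'SHA256=' + (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f; Detail = $detail }
    }
}

# 2. Autostart value: HKLM\...\Run\netmon = %WINDOWS%\system\dllcache.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Flag the documented value name, and any Run value that points at the
        # dropped executable even if the value name has been changed.
        $nameHit = ($p.Name -ieq 'netmon')
        $pathHit = ($p.Value -is [string]) -and ($p.Value -match '(?i)\\system\\dllcache\.exe')
        if ($nameHit -or $pathHit) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Indicator = "$runKey\$($p.Name)"; Detail = $p.Value
            }
        }
    }
}

# 3. Running copy and the random listening port it opened. The port number is
#    not predictable, so match LISTENING sockets on the owning PID instead.
$procs = @(Get-Process -Name dllcache -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $pids = @($procs | ForEach-Object { $_.Id })
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Indicator = "dllcache.exe PID $($p.Id)"; Detail = $p.Path
        }
    }
    # netstat -ano line format: "  TCP  0.0.0.0:1234  0.0.0.0:0  LISTENING  <pid>"
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $owner = [int]$Matches[2]
            if ($pids -contains $owner) {
                $findings += [pscustomobject]@{
                    Type = 'Socket'; Indicator = $Matches[1]; Detail = "LISTENING, PID $owner"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No BKDR_IRCBOT.INC indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A file or Run-value hit with no running process usually means the sample was dropped but has not executed yet, or was killed; a listening socket owned by dllcache.exe is the live backdoor channel and is the first thing to isolate.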