Keyword: IRC_Generic
This backdoor connects to a specific IRC server and joins a particular IRC channel. It is capable of receiving and executing specific commands from the IRC server. This backdoor arrives on a system as
\ChatFile\Shell\open\ddeexec\ifexec HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic HKEY_LOCAL_MACHINE\Software\Classes\irc HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon HKEY_LOCAL_MACHINE
Backdoor does the following: perform DDOS flooding and using XMAS packets. Uses the IRC nickname with the following format: [NU|LNX|{composed of either F,T,H or U}]{random digit} Register itself in
\Microsoft\Windows\CurrentVersion\Run Divx = "divwinx.exe" Backdoor Routine This Backdoor connects to any of the following IRC server(s): Irc.{BLOCKED}et.org pro.{BLOCKED}r.net It accesses a remote Internet
Upon execution, this backdoor connects to the Internet Relay Chat (IRC) server irc.2ch.net, where it joins the channel ##ReVoLuTiOn##. It opens TCP port 6667, where it listens for remote
vexaa.{BLOCKED}th.cx It joins any of the following IRC channel(s): #kleber #kaiten #kromex #dlink #dlink_key Download Routine This backdoor downloads updated copies of itself from the following websites:
!killall - Terminate all Perl processes !reset - Reconnect to IRC server !jo - Join a channel !part - Leave a channel !nick - Change nickname !pid - Send fake process name and process ID ! - Execute a shell
This malware is an IRC (Internet Relay Chat) bot that leverages the Bash bug vulnerability, also known as Shellshock. To get a one-glance comprehensive view of the behavior of this Backdoor, refer to
following mutexes to ensure that only one of its copies runs at any one time: 0ze2thz285hezj1hG42 Backdoor Routine This worm connects to any of the following IRC server(s): {BLOCKED}n.{BLOCKED}eople.net It
joins any of the following IRC channel(s): #xwar It executes the following command(s) from a remote malicious user: create random nickname for itself terminate/kill IRC application Logout Get IRC version
following information on the reference to the components and their corresponding random filenames in the system, IRC data, FTP hosts (upload sites) and infection logs. Arrival Details This malware arrives via
This worm arrives via removable drives. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites. It
when irc is idle %Windows%\Temp\Cookies\control.ini %Windows%\Temp\Cookies\fullname.txt - list of possible fullnames to be used in connect dialog %Windows%\Temp\Cookies\grup - used to create a random
execute arbitrary files Perform Denial of Service attack (SYN flood) Join other IRC channel Uninstall itself Download Routine This worm saves the files it downloads using the following names: %Application
server Get spoofed source addresses Set spoofed address subnet mask Disable client Enable client Terminate client Download file Stop all attacks Send raw IRC command Start remote shell NOTES: This backdoor
unknowingly by users when visiting malicious sites. Backdoor Routine This Backdoor opens the following ports: 2275 It connects to any of the following IRC server(s): {BLOCKED}.{BLOCKED}.216.2 It joins any of
Denial of Service attack (SYN flood) Join other IRC channel Uninstall itself Download Routine This worm saves the files it downloads using the following names: %Application Data%\msnsvconfig.txt (Note:
following IRC channel(s): irc.{BLOCKED}-newbie.org:6667 It joins any of the following Internet Relay Chat (IRC) channels: #xrt It accesses a remote Internet Relay Chat (IRC) server where it receives the
as> - Downloads a file off the web and saves it onto the hd VERSION - Requests version of client KILLALL - Kills all current packeting HELP - Displays this IRC <command> - Sends this command to
Simultaneous IGMP, ICMP, UDP and TCP flooding on open ports with statistic report IRC Control: join → join a specified channel part → leave a specified channel rejoin → leave then rejoin a specified channel op