Virus: BDS/IRCBot.NB.1
Date discovered: 25/01/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 51,225 bytes
MD5 checksum: 3236fe1cfdf7f4ad1ee178181e2bddb2
VDF version: 6.33.00.155

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: BKDR_IRCBOT.DT
   •  Bitdefender: Backdoor.IRCBot.NB


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\drivers\winlogon.exe
     (the name mimics the legitimate winlogon.exe, which lives in %SYSDIR% itself, not in %SYSDIR%\drivers)

Registry
The following registry value is changed so that the copy is started at every logon:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\drivers\winlogon.exe"

   The legitimate Explorer.exe entry is kept, so the desktop still starts normally; because the key is under HKLM, the modified Shell value applies to every interactive user of the machine.
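As an added example (not part of the Avira description), the following Python check parses a .reg export of the Winlogon key and reports every program in the Shell value other than the bare default Explorer.exe. The two exports are constructed to mirror the clean value and the modified value listed above; the function names are the example's own.

```python
"""Audit the Winlogon Shell value in a .reg export for extra start-up programs.

Added example, not part of the Avira description. The .reg texts below are
constructed: INFECTED_REG mirrors the modified value from the description,
CLEAN_REG the default one.
"""
import re
import shlex

WINLOGON_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"

# Constructed sample exports (regedit escapes backslashes as \\ in .reg files).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %SYSDIR%\\drivers\\winlogon.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''


def parse_reg_values(reg_text, key):
    """Return {name: data} for the REG_SZ values directly under `key`."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == key.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            # undo .reg escaping: \\ -> \ and \" -> "
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            values[m.group(1)] = data
    return values


def shell_entries(shell_value):
    """Split a Shell value into programs; Winlogon accepts commas or spaces
    as separators, and paths containing spaces are double-quoted."""
    tokens = shlex.split(shell_value.replace(",", " "), posix=False)
    return [t.strip('"') for t in tokens if t.strip('"')]


def audit_shell(reg_text):
    """Return every program in Shell other than the bare default Explorer.exe.

    A full path to an explorer.exe elsewhere is deliberately *not* accepted as
    the default, since a dropper could reuse the name in another directory.
    """
    shell = parse_reg_values(reg_text, WINLOGON_KEY).get("Shell", "Explorer.exe")
    return [e for e in shell_entries(shell) if e.lower() != "explorer.exe"]


if __name__ == "__main__":
    print("infected:", audit_shell(INFECTED_REG))  # ['%SYSDIR%\\drivers\\winlogon.exe']
    print("clean:", audit_shell(CLEAN_REG))        # []
```

On a live machine the same logic can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (open the file with the text encoding the tool wrote, which is usually UTF-16). Only a bare `explorer.exe` is treated as the default on purpose: anything with a path, including a second explorer.exe, is worth a look.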

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Server: irc.i1**********
Port: 6667
Channel: #pyro6
Nickname: %computer name%[%seven-digit random character string%]
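As an added example (not part of the Avira description), the following Python detection logic runs over captured client-to-server IRC lines and flags the nickname scheme and channel given above. The session lines and the hostname WKS-0412 are constructed; the regex reads "seven-digit random character string" as seven alphanumeric characters, which is an assumption.

```python
"""Flag IRC client sessions that follow the IRCBot.NB nickname / channel scheme.

Added example, not part of the Avira description. The sample sessions are
constructed; NICK_RE reads "seven-digit random character string" as seven
alphanumeric characters, which is an assumption.
"""
import re

# <computer name>[<7 random chars>]; NetBIOS computer names are at most 15 chars.
NICK_RE = re.compile(r"^(?P<host>[A-Za-z0-9_-]{1,15})\[(?P<rand>[A-Za-z0-9]{7})\]$")
C2_CHANNEL = "#pyro6"


def parse_irc_line(line):
    """Return (COMMAND, params) for one raw IRC line; an optional ':prefix' is
    dropped and a trailing ':' parameter is kept as a single string."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        line = line.split(" ", 1)[1] if " " in line else ""
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return None, []
    return params[0].upper(), params[1:]


def score_session(lines, known_hosts=()):
    """Return a list of findings for one client's session (raw client->server lines).

    The nick pattern alone is weak evidence (humans also use name[tag] nicks);
    a prefix matching one of our managed hostnames, or a JOIN to the channel
    named in the description, corroborates it.
    """
    findings = []
    known = {h.lower() for h in known_hosts}
    for raw in lines:
        cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            m = NICK_RE.match(params[0])
            if m:
                findings.append("nick matches IRCBot scheme: " + params[0])
                if m.group("host").lower() in known:
                    findings.append("nick prefix is a managed hostname: " + m.group("host"))
        elif cmd == "JOIN" and params:
            for chan in params[0].split(","):
                if chan.lower() == C2_CHANNEL:
                    findings.append("joined C2 channel " + chan)
    return findings


# Constructed sample sessions (client -> server lines, as seen on port 6667).
BOT_SESSION = [
    "NICK WKS-0412[a8kq3zx]",
    "USER WKS-0412 0 * :WKS-0412",
    "JOIN #pyro6",
]
HUMAN_SESSION = [
    "NICK alice_",
    "USER alice 0 * :Alice",
    "JOIN #python,#security",
    "PRIVMSG #python :hello",
]

if __name__ == "__main__":
    print(score_session(BOT_SESSION, known_hosts=["WKS-0412"]))  # three findings
    print(score_session(HUMAN_SESSION))                            # []
```

Port 6667 carries IRC in cleartext, so the NICK and JOIN lines are visible to a network sensor; the channel name and the bracketed random suffix are the strongest signals, and feeding the inventory of managed hostnames into `known_hosts` turns a suspicious nick into an attributed one.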



– This malware has the ability to collect and send information such as:
    • Capture screen
    • CPU speed
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about running processes
    • Size of memory
    • Username
    • Windows directory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Register a service
    • Shut down system

Injection
It injects itself into the following process:

    Process name:
   • explorer.exe

   If the injection fails, the malware keeps running as its own process instead.

Miscellaneous
String:
It contains the following string:
   • IRCBot (v.0.1a) (C) KEZ <kez@antichat.ru> (Respect to 777)

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Friday, February 10, 2006
Description updated by Daniel Constantin on Monday, February 13, 2006
