Virus:TR/IRCBot.MX
Date discovered:20/01/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:196.608 Bytes
MD5 checksum:1a8676220F19f1b0052dc59fac6ad94f
VDF version:6.33.00.144

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.IRCBot.mx
   •  TrendMicro: BKDR_IRCBOT.DU
   •  Bitdefender: Backdoor.IRCBot.MX

It was previously detected as:
   •  Worm/IRCBot.MX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\SysCfg.exe



It deletes the initially executed copy of itself.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SysCfg" = "%SYSDIR%\SysCfg.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "kl" = dword:00000000
   • "keep1" = dword:00000000
   • "keepnick1" = "r"
   • "name1" = "Realname"
   • "user1" = "user"
   • "nick1" = "Nick%two-digit random character string%"
   • "port1" = "6667"
   • "server1" = %IRC server%

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: irc.lub**********
Port: 6667
Channel: #chimera
Nickname: Nick%two-digit random character string%
Password: software

Server: open.pl.irc**********
Port: 6667
Channel: #chimera
Nickname: Nick%two-digit random character string%
Password: software

Server: poznan.i**********
Port: 6667
Channel: #chimera
Nickname: Nick%two-digit random character string%
Password: software

Server: warszawa**********
Port: 6667
Channel: #chimera
Nickname: Nick%two-digit random character string%
Password: software


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Perform DDoS attack
    • Send emails
    • Start keylog
    • Updates itself

 File details Programming language:
 The malware program was written in Delphi.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Constantin on Wednesday, February 8, 2006
Description updated by Andrei Ivanes on Wednesday, February 15, 2006

Back . . . .