Date discovered: 01/03/2006
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 38.400 Bytes
MD5 checksum: 95965ebb920D87dac65880ac9af846c2
VDF version:
IVDF version: - Wednesday, March 1, 2006

General
Method of propagation:
   • Local network

Aliases:
   • Kaspersky: Backdoor.Win32.IRCBot.pd
   • TrendMicro: WORM_TIRBOT.G
   • Sophos: Troj/IRCBot-PD
   • Bitdefender: Backdoor.TirBot.F

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\MSDTCs.exe

The following file is created:

– Non malicious file:
   • %WINDIR%\msi486.dll

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • IECheck="%SYSDIR%\MSDTCs.exe"

Network Infection
Exploit:
It makes use of the following exploit:
– MS04-011 (LSASS Vulnerability)

IP address generation:
It creates random IP addresses and tries to establish a connection with them.

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: r3v3ng3.**********
Port: 6667
Channel: r1sUn10n

Server: r3v3ng3.**********
Port: 6667
Channel: r1sUn10n

Server: mast4.**********
Port: 6667
Channel: r1sUn10n

Server: squ4r3s.**********
Port: 6667
Channel: r1sUn10n

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about running processes
    • Size of memory
    • Username
    • Windows directory
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS UDP flood
    • Download file
    • Edit registry
    • Execute file
    • Kill process
    • Perform DDoS attack
    • Start spreading routine
    • Terminate malware
    • Terminate process
    • Update itself
    • Upload file

Miscellaneous
Mutex:
It creates the following Mutex:
   • 1nUr4ssH0l3

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Ernest Szocs on Wednesday, October 3, 2007
Description updated by Ernest Szocs on Thursday, October 4, 2007
