Virus: TR/Ircbrute.A.41
Date discovered: 26/05/2009
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 380.341 Bytes
MD5 checksum: 6845f2142762e16f27954662b5ffcd00
VDF version: 7.01.04.18
IVDF version: 7.01.04.19 - Tuesday, May 26, 2009

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Bitdefender: Trojan.Generic.8995027
   • AVG: Generic8_c.CXJ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to execute malicious code
   • Registry modification

Files
The following file is created:

Non malicious file:
   • %temporary internet files%\Content.IE5\G9YZGDQJ\ip2country.hackers[1].htm

Registry
To each registry key one of the values is added in order to run the processes after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Wind Update Agent"="C:\WindowsDirectory\systembinx64.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Wind Updater Agenta"="C:\WindowsDirectory\systembinx64.exe"



The following registry keys are added in order to load the services after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoSaveSettings"="dword:0x00000001"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "EnableLUA"="dword:0x00000000"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters]
   • "EnableFirewall"="dword:0x00000000"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "EnableFirewall"="dword:0x00000000"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
   • "EnableFirewall"="dword:0x00000000"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "EnableFirewall"="dword:0x00000000"



The following registry keys are added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableChangePassword"="dword:0x00000001"
   • "DisableRegistryTools"="dword:0x00000001"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "LockTaskbar"="dword:0x00000001"
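
The registry values listed above persist the dropped binary through the Run keys and switch off UAC (EnableLUA=0) and the Windows Firewall (EnableFirewall=0). The following read-only audit script is an added example, not part of the Avira description; it checks each listed value on the local machine and reports those that match the description. It assumes an elevated session so the HKLM keys are readable; the function and variable names are the example's own.

```powershell
# Added example, not part of the Avira description: a read-only audit of the
# registry values the description lists. Run in an elevated PowerShell session so
# the HKLM keys are readable. CurrentControlSet is a link to the active control
# set, so the ControlSet001 copies of EnableFirewall are covered by these checks.
# Bad is the value the description reports; $null means "any value is suspicious".

$IrcbruteChecks = @(
    # Persistence: Run entries named in the description
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Wind Update Agent';   Bad = $null }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Wind Updater Agenta'; Bad = $null }
    # Defense evasion: UAC and the Windows Firewall switched off
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'; Name = 'EnableFirewall'; Bad = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
    # User lock-down policies
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoSaveSettings';        Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableChangePassword'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools';  Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'LockTaskbar';           Bad = 1 }
)

function Test-IrcbruteRegistry {
    param([array]$Checks = $IrcbruteChecks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Path) {
            # A missing value is the normal, clean result, so suppress the error
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        # Flag the Run entries when present at all, the policy values only when they equal the reported value
        $suspicious = if ($null -eq $c.Bad) { $null -ne $actual } else { $actual -eq $c.Bad }
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Actual = $actual; Suspicious = $suspicious }
    }
}

# Print only the findings; an empty table means none of the listed indicators is present
Test-IrcbruteRegistry | Where-Object Suspicious | Format-Table -AutoSize
```

The script only reads the registry; a match should be treated as a lead for further investigation of the host, since a legitimately managed machine may set the policy values through Group Policy.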

Miscellaneous
Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • ip2**********.hackers.lv
   • %random character string%.INFO


Event handler:
It creates the following Event handlers:
   • GetProcessWindowStation
   • FileTimeToLocalFileTime
   • LocalFileTimeToFileTime
   • LookupPrivilegeValueW
   • GetVolumeInformationW
   • SetSystemPowerState
   • DRIVEGETFILESYSTEM
   • LoadUserProfileW
   • RemoveDirectoryW
   • CreateDirectoryW
   • DuplicateHandle
   • GetStartupInfoW
   • DeviceIoControl


String:
Furthermore it contains the following strings:
   • AUTOIT NO CMDEXECUTE<<<
   • TCPNAMETOIP
   • TCPSHUTDOWN

Description inserted by Wensin Lee on Monday, April 29, 2013
Description updated by Wensin Lee on Monday, April 29, 2013
