Threat Descriptions

Backdoor:W32/IRCBot.DDR

Classification

Category :

Malware

Type :

Backdoor

Platform :

W32

Aliases :

Backdoor:W32/IRCBot.DDR

Summary

A Bot, sometimes referred to as Zombie, is a computer that has been infected with malware that allows a remote malicious user access to the computer. This Bot attempts to spread via MSN Messenger.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Upon execution this malware drops a copy of itself in the following directory:

  • %windir%\livemessenger.com

Note: %windir% is typically C:\Windows

It also displays the following:

There is no picture, the message is false and is used as a decoy.

It creates an autostart function by adding the following registry keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Update = livemessenger.com
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Microsoft Update = livemessenger.com
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx Microsoft Update = livemessenger.com

It disable the Task Manager and the Registry Editor by setting the following:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr = 00000001 DisableRegistrytools = 00000001

This backdoor has keylogging capabilities and saves all the data to the following location:

  • %windir%\admintxt.txt.

Like many other typical Bots, it connects to a server on port 1863 and waits for a command from a remote hacker.

IRCBot attempts to connect to the following site:

  • http://msg.sig-clan.com

This Bot has the following commands:

  • Download and execute files
  • Get the Bot's up-time
  • Join/Quit IRC channel
  • Key-logging
  • Kill processes
  • Send private message on IRC
  • Spread the Bot via MSN messenger
  • Update the Bot