Classification

Category :

Malware

Type :

-

Aliases :

Novabot, Backdoor.IRC.Cloner

Summary

UPDATE ON 23RD OF JANUARY 2003

We have been monitoring the IRC network created by Novabot. During the last 10 hours of the 22nd of January, we saw close to 3000 bots from different IP addresses joining the attack network (although no more than 1000 of them can be accessible at a time, as the IRC server has a thousand-user limit). Around 21:00 GMT the IP address of the IRC server changed to 0.0.0.0, making the server inaccessible. Before this we witnessed a person actively sending commands to the bots over the IRC channel. We will continue to monitor the situation.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The IRC backdoor allows remote control of the system via an IRC channel. Upon request, the IRC component can be asked to scan a block of IP addresses from an infected machine. The scan attempts to connect to each IP address using a predefined list of username and password combinations, as follows:

Username         Password
Administrator    empty
Administrator    admin
Administrator    administrator
root             root
admin            admin
administrator    test
test             test
administrator    test123
administrator    temp
administrator    pass
administrator    password
administrator    changeme

If authentication succeeds, "files.exe" is executed on the remote machine, thus infecting it.

"files.exe" is a setup package that installs the backdoor to "C:\winnt\INF\other" and runs "taskmngr.exe", which is a repacked mIRC client. The mIRC client will then run "nt32.ini" instead of the standard "script.ini" used by the mIRC client.

After that the backdoor connects to the IRC server and joins the predefined channel. It generates a random nickname for each infected machine (consisting of four characters and five digits). It sets itself to start on reboot via the registry by adding the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Run32dll

Then the backdoor waits for commands. These commands include the ability to download and execute programs.
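The random nickname format described above (four characters followed by five digits) is one thing an IRC server operator or network defender can look for. The following is an added example written for this page, not code from F-Secure or from the backdoor itself: it parses an assumed server-side log layout (timestamp, command, optional channel, nick, host) over constructed sample lines, lists the nicks that fit the pattern, and flags channels where several such nicks joined. It assumes the four characters are ASCII letters, and the pattern alone is only a heuristic, since a legitimate user can pick a nick of that shape too.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of IRC server log lines (not real captured traffic). The layout
# is assumed for this example: timestamp, command, optional channel, nick, host.
SAMPLE_LOG = """\
2003-01-22 20:01:03 JOIN #chan nick=alice host=203.0.113.5
2003-01-22 20:01:09 JOIN #chan nick=qwer12345 host=198.51.100.7
2003-01-22 20:01:10 JOIN #chan nick=asdf98765 host=198.51.100.9
2003-01-22 20:01:12 JOIN #chan nick=zxcv00001 host=192.0.2.44
2003-01-22 20:01:13 JOIN #chan nick=zxcv00001 host=192.0.2.44
2003-01-22 20:02:00 NICK nick=bob host=203.0.113.6
2003-01-22 20:02:30 JOIN #chan nick=abcd1234 host=192.0.2.45
2003-01-22 20:03:00 JOIN #other nick=wxyz55555 host=192.0.2.46
"""

# The description says four characters followed by five digits; assumption made
# here: the four characters are ASCII letters.
BOT_NICK_RE = re.compile(r"^[A-Za-z]{4}[0-9]{5}$")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<cmd>JOIN|NICK)"
    r"(?: (?P<chan>#\S+))? nick=(?P<nick>\S+) host=(?P<host>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_nicks(log_text: str) -> List[Tuple[str, str]]:
    """Distinct (nick, host) pairs whose nick fits the bot naming pattern, in log order."""
    seen = set()
    out: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and BOT_NICK_RE.match(rec["nick"]):
            pair = (rec["nick"], rec["host"])
            if pair not in seen:
                seen.add(pair)
                out.append(pair)
    return out


def flag_channels(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Channels that at least `threshold` distinct pattern-matching nicks joined."""
    per_chan: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["cmd"] == "JOIN" and rec["chan"] and BOT_NICK_RE.match(rec["nick"]):
            per_chan[rec["chan"]].add(rec["nick"])
    return {chan: len(nicks) for chan, nicks in per_chan.items() if len(nicks) >= threshold}


if __name__ == "__main__":
    for nick, host in suspicious_nicks(SAMPLE_LOG):
        print(f"pattern match: {nick} from {host}")
    print("flagged channels:", flag_channels(SAMPLE_LOG))
```

The channel-level count is the more useful signal: one odd nickname means little, but dozens of them joining the same channel from different hosts in a short period is the behaviour the summary above describes. In a real deployment the threshold and time window would be tuned to the server's normal join rate.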

To operate, the backdoor uses a set of scripts and binary files, as follows:

hide.exe      Tool used to hide application
mdm.exe       Tool used to hide application
psexec.exe    Remote execution tool
taskmgr.exe   Repacked mIRC client
backup.bat    Batch script that attempts to infect remote host
nt32.ini      Main mIRC script
remote.ini    mIRC script that connects to the server
seced.bat     Batch file
start.bat     Copies "files.exe" from the Windows system32 directory to "C:\winnt\INF\other"
win32.mrc     mIRC script
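A host-side check for the artifacts named above (the Run entry, the install directory and the component file names), added here as an example and not taken from F-Secure's description. It treats "Run32dll" as a value under the Run key (an assumption, since the page only gives the path), reads the live registry only when run on Windows, and otherwise works on data collected by other means; the verdict rule at the end is this example's own heuristic.

```python
import os
import sys
from typing import Dict, Iterable, List

# Artifacts named in the description.
INSTALL_DIR = r"C:\winnt\INF\other"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Run32dll"  # assumption: a value under the Run key, not a subkey
COMPONENT_FILES = {
    "hide.exe", "mdm.exe", "psexec.exe", "taskmgr.exe", "backup.bat",
    "nt32.ini", "remote.ini", "seced.bat", "start.bat", "win32.mrc",
}
# psexec.exe is a legitimate administration tool in its own right, so on its own
# it is not counted as evidence.
WEAK_ALONE = {"psexec.exe"}


def read_run_values() -> Dict[str, str]:
    """Enumerate the values of HKLM\\...\\Run from the live registry (Windows only)."""
    import winreg  # standard library module, only importable on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


def list_install_dir(path: str = INSTALL_DIR) -> List[str]:
    """File names in the install directory, or an empty list if it does not exist."""
    try:
        return os.listdir(path)
    except OSError:
        return []


def assess(run_values: Dict[str, str], dir_listing: Iterable[str]) -> Dict[str, object]:
    """Compare collected host data against the indicators and return the findings."""
    present = {name.lower() for name in dir_listing}
    component_files = sorted(present & COMPONENT_FILES)
    run_value_present = any(name.lower() == RUN_VALUE_NAME.lower() for name in run_values)
    run_points_into_dir = any(INSTALL_DIR.lower() in data.lower() for data in run_values.values())
    strong_files = [f for f in component_files if f not in WEAK_ALONE]
    # Heuristic used by this example: the Run value plus any component file, or at
    # least two component files other than psexec.exe in the install directory.
    likely_infected = (run_value_present and bool(component_files)) or len(strong_files) >= 2
    return {
        "run_value_present": run_value_present,
        "run_points_into_dir": run_points_into_dir,
        "component_files": component_files,
        "likely_infected": likely_infected,
    }


def scan_live_host() -> Dict[str, object]:
    """Collect data from this machine; only meaningful on Windows."""
    if sys.platform != "win32":
        raise RuntimeError("live scan needs the Windows registry; call assess() with collected data")
    return assess(read_run_values(), list_install_dir())


if __name__ == "__main__":
    if sys.platform == "win32":
        print(scan_live_host())
    else:
        # Constructed sample data standing in for a host collected elsewhere.
        print(assess({"Run32dll": r"C:\winnt\INF\other\taskmgr.exe"}, ["taskmgr.exe", "nt32.ini"]))
```

On a 64-bit Windows host the registry view you get depends on whether the Python interpreter is 32- or 64-bit; checking both views, and the HKCU Run key as well, is a sensible extension when turning this into a real triage script.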

F-Secure Anti-Virus detects this backdoor with the current updates.