BKDR_IRCBOT


ALIASES:

Dorkbot, Hamweq, Kolab, Rimecud, Graftor, Tofsee, Ruskill, Ngrbot

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type:Backdoor

  • Destructiveness:No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via removable drives, Downloaded from the Internet, Propagates via software vulnerabilities, Propagates via instant messaging applications, Propagates via social networking sites


The IRCBOT malware family uses Internet Relay Chat (IRC) to receive commands from, and report back to, the bot master who operates each specific variant. IRCBOT variants are known to propagate via removable drives and by exploiting software vulnerabilities. IRCBOT has also spread through instant messaging programs such as Yahoo! Messenger, MSN Messenger, and Windows Live Messenger.

This malware family has been around since 2005.

In 2010, an IRCBOT botnet dubbed the “Chuck Norris” botnet emerged in the threat landscape. It targeted vulnerable routers and DSL modems to propagate a worm, detected as WORM_IRCBOT.ABJ. Later that year, newer variants used Facebook and Myspace to spread to other systems.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This backdoor drops the following copies of itself into the affected system:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
  • %User Profile%\Application Data\Ciwuww.exe
  • %User Profile%\Application Data\Fhwuwz.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Ciwuww = "%User Profile%\Application Data\Ciwuww.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Fhwuwz = "%User Profile%\Application Data\Fhwuwz.exe"
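The installation and autostart artifacts above give an analyst three host-side checks: a Winlogon\Taskman value (normally absent on a clean XP/2003 system), HKCU Run values pointing at a six-letter .exe dropped directly into Application Data, and a RECYCLER subfolder whose name only looks like a SID. Real per-user Recycle Bin folders under C:\RECYCLER are named after the user's SID and therefore start with S-1-5-21; the dropped path starts with R-1-5-21, which is not a SID. The script below is an added triage example, not Trend Micro's tooling; it runs offline over constructed sample data shaped like a `reg query` export and a `dir /s /b` listing, and the benign entries in the sample show what the checks leave alone.

```python
import re
from typing import Dict, List, Tuple

# Autostart locations named on this page. Winlogon\Taskman is normally absent
# on a clean XP/2003 system; the HKCU Run key is legitimate but heavily abused.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Per-user Recycle Bin folders under C:\RECYCLER on XP/2003 are named after the
# user's SID (S-1-5-21-...). The dropper's folder starts with "R-1-5-21", which
# is not a SID, so any RECYCLER subfolder that is not SID-shaped is suspicious.
RECYCLER_PATH = re.compile(
    r"^[a-z]:\\recycler\\(?P<folder>[^\\]+)(?:\\(?P<file>.+))?$", re.I)
SID_SHAPED = re.compile(r"^S-1-5-\d+(?:-\d+)+$", re.I)

# The copies dropped into the profile use a random six-letter name directly
# under Application Data (the XP path; C:\Users\... covers the Vista/7 note).
APPDATA_EXE = re.compile(
    r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\application data\\"
    r"[a-z]{6}\.exe$", re.I)


def check_registry(values: Dict[Tuple[str, str], str]) -> List[str]:
    """values maps (key path, value name) -> data, as returned by `reg query`
    on each key. Returns one human-readable finding per suspicious value."""
    hits = []
    for (key, name), data in values.items():
        target = data.strip('"')
        if key.lower() == WINLOGON.lower() and name.lower() == "taskman":
            hits.append(f"Winlogon\\Taskman is set (normally absent): {target}")
        elif key.lower() == HKCU_RUN.lower() and (
                APPDATA_EXE.match(target) or RECYCLER_PATH.match(target)):
            hits.append(f"Run\\{name} points at a dropper-style path: {target}")
    return hits


def check_files(paths: List[str]) -> List[str]:
    """paths is a flat file listing, e.g. the output of `dir /s /b`."""
    hits = []
    for p in paths:
        m = RECYCLER_PATH.match(p)
        if m and not SID_SHAPED.match(m.group("folder")):
            hits.append(f"RECYCLER subfolder is not SID-shaped: {p}")
        elif APPDATA_EXE.match(p):
            hits.append(f"six-letter .exe directly in Application Data: {p}")
    return hits


# Constructed sample data shaped like the artifacts listed above; it was not
# captured from a real host. The Shell, ctfmon and Dc3.txt entries are benign.
SAMPLE_REGISTRY = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Taskman"): r'"C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"',
    (HKCU_RUN, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    (HKCU_RUN, "Ciwuww"): r'"C:\Documents and Settings\alice\Application Data\Ciwuww.exe"',
}
SAMPLE_FILES = [
    r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Dc3.txt",
    r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\INFO2",
    r"C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe",
    r"C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini",
    r"C:\Documents and Settings\alice\Application Data\Fhwuwz.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Word\Normal.dot",
]

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REGISTRY) + check_files(SAMPLE_FILES):
        print(hit)
```

The SID-shape check is the durable part: the random six-letter names and the specific RID in the folder name change from sample to sample, but a RECYCLER subfolder that is not named by a SID has no legitimate origin on XP/2003. Treat a Winlogon\Taskman hit as high confidence and the Run-key hit as a lead that still needs the file hashed.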

Other Details

This backdoor connects to the following possibly malicious URL:

  • av.{BLOCKED}c.cz
  • av.{BLOCKED}en.cc
  • bt1.{BLOCKED}a.com
  • bt1.{BLOCKED}um.com
  • bt1.{BLOCKED}y.com
  • dl.{BLOCKED}k.com
  • fanta.{BLOCKED}er.com
  • haso.{BLOCKED}g.com
  • http://{BLOCKEDe.com/dl/143405707/43967b3/1c1.com
  • http://{BLOCKED}e.com/dl/147117570/df10b90/125.gif.exe
  • http://{BLOCKED}e.com/dl/148475728/eb6b618/x1010.exe
  • http://img103.{BLOCKED}h.com/2012/02/26/671531634.gif
  • http://img105.{BLOCKED}h.com/2012/02/26/306561211.gif
  • http://s530.{BLOCKED}le.com/get/{random}/{random}/2/8bf8cc5ef4a9bd85/8d98f50/x1010.exe
  • http://s679.{BLOCKED}le.com/get/{random}/{random}/2/c5cf22b016e0ae9a/8d98f09/botupx.exe
  • http://{BLOCKED}le.com/dl/139880406/883ef46/botxxxx1-2.exe
  • http://{BLOCKED}le.com/dl/148475657/93df7e1/botupx.exe
  • magazin.{BLOCKED}bila.com
  • matea.{BLOCKED}g.com
  • ng.{BLOCKED}llone.com
  • ng.{BLOCKED}oan.com
  • ng.{BLOCKED}opperz11.com
  • ng.{BLOCKED}ousez11.com
  • ng.{BLOCKED}tbaby.com
  • ngrbck0.{BLOCKED}van.info
  • ngrbck1.{BLOCKED}cija-reality.co.cc
  • ngrbck2.{BLOCKED}oup.co.za
  • niggers.{BLOCKED}s.ru
  • tamara.{BLOCKED}le-cache.com
  • up.{BLOCKED}at.org
  • up.{BLOCKED}ek.net
  • up.{BLOCKED}idic.net
  • up.{BLOCKED}s.in
  • up.{BLOCKED}y.in
  • xD.{BLOCKED}x.com
  • {BLOCKED}01.com
  • {BLOCKED}02.com
  • {BLOCKED}03.com
  • {BLOCKED}pwnme.net
  • {BLOCKED}t.ru
  • {BLOCKED}ud.com
  • {BLOCKED}v.info
  • {BLOCKED}v.info
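The domains above are redacted, but the unredacted parts of the download URLs still give a proxy-log analyst something to match on: executables named like `125.gif.exe` (a double extension), `.exe` and `.com` payloads served through file-hosting `/dl/<id>/<hash>/` and `/get/.../` download paths, and hostnames of the form `ngrbck<N>.`. The script below is an added example, not part of this encyclopedia entry; it runs over constructed proxy log lines (timestamp, client, method, URL, status) on hypothetical `example.*` hosts and reports which of those three patterns each URL triggers.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Patterns taken from the unredacted parts of the URLs listed above.
DOUBLE_EXT = re.compile(r"\.(?:gif|jpg|png|txt|pdf|doc)\.(?:exe|scr|com)$", re.I)
FILEHOST_EXE = re.compile(r"^/(?:dl|get)/.+/[^/]+\.(?:exe|com)$", re.I)
NGRBCK_HOST = re.compile(r"^ngrbck\d+\.", re.I)


def classify_url(url: str) -> List[str]:
    """Return the list of reasons a URL looks like an IRCBOT download or
    rendezvous; an empty list means none of the three patterns matched."""
    parts = urlsplit(url)
    reasons = []
    if DOUBLE_EXT.search(parts.path):
        reasons.append("double extension hiding an executable")
    if FILEHOST_EXE.match(parts.path):
        reasons.append("executable fetched through a file-hosting download path")
    if NGRBCK_HOST.match(parts.hostname or ""):
        reasons.append("ngrbck<N> hostname pattern")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Walk space-separated proxy log lines and return (url, reasons) for
    every line whose URL matched at least one pattern."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        url = fields[3]
        reasons = classify_url(url)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample log; hosts are hypothetical, only the path shapes come
# from the list above. The last two lines are benign and must not match.
SAMPLE_LOG = """\
2012-02-26T10:14:03Z 10.0.0.5 GET http://files.example.net/dl/147117570/df10b90/125.gif.exe 200
2012-02-26T10:14:09Z 10.0.0.5 GET http://s679.example.net/get/8812/3301/2/c5cf22b016e0ae9a/8d98f09/botupx.exe 200
2012-02-26T10:15:30Z 10.0.0.5 GET http://ngrbck1.example.org/ 200
2012-02-26T10:16:02Z 10.0.0.7 GET http://www.example.com/index.html 200
2012-02-26T10:16:40Z 10.0.0.7 GET http://cdn.example.com/get/latest/setup.msi 200
"""

if __name__ == "__main__":
    for url, reasons in triage_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

The double-extension and file-host checks generalize beyond this family and are worth keeping in a proxy ruleset; the `ngrbck<N>` check is a narrow signature for these samples and will go stale. None of these replaces blocking the listed domains themselves, which Trend Micro redacts here.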
