arrow_back
search
close

Backdoor.Perl.SHELLBOT.AC

July 23, 2020
 Analysis by: Kennard Yap
 PLATFORM:

Windows; Unix

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel.

  TECHNICAL DETAILS

File Size:

38,043 bytes

File Type:

PL

Memory Resident:

Yes

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}.{BLOCKED}.{BLOCKED}.227:80
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.227:23
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.227:143
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.227:3389
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.227:6667

It joins any of the following Internet Relay Chat (IRC) channels:

  • #y

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • portscan: scan the ports 21, 22, 23, 25, 53, 80, 110, 143
  • download: downloads a file
  • fullportscan: scans for open ports in a specific host
  • udp: UDP flooding
  • udpfaixa: infinite UDP flooding
  • conback: connects to a specific socket
  • oldpack: ICMP, IGMP, UDP, TCP flooding
  • IRC Control:
    • join: joins a channel
    • part: leaves a channel
    • rejoin: leaves and rejoins a channel
    • op: grants a user an operator status
    • deop: revokes a user's operator status
    • voice: grants a user a voice status
    • devoice: revokes a user's voice status
    • msg: sends a message
    • flood: sends a message for a specified number of times
    • ctcpflood: sends a client to client protocol request to a specified user or channel for a specified number of times
    • ctcp: sends a client to client protocol request to a specified user or channel
    • invite: invites a user to join the channel
    • nick: changes a nickname
    • conecta: connects to a specified server with the port 6667
    • send: establishes a direct connection to a user
    • raw: toggles raw event processing
    • eval: executes the specified code
    • entra: joins a channel after a random amount of seconds
    • sai: leaves a channel after a random amount of seconds
    • sair: disconnects from a server
    • novonick: changes the nickname to dark{ranndom number}
    • estatisticas: toggles the statistics flag
    • pacotes: toggles the packets flag

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.722.02

FIRST VSAPI PATTERN DATE:

04 Feb 2020

VSAPI OPR PATTERN File:

15.723.00

VSAPI OPR PATTERN Date:

05 Feb 2020

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Perl.SHELLBOT.AC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.