Backdoor.Perl.SHELLBOT.AG

March 02, 2021
 Analysis by: Thea Patrice Tajonera
 ALIASES:

Backdoor:Perl/Shellbot.S (MICROSOFT); IRC.Backdoor.Trojan (NORTON)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers.

  TECHNICAL DETAILS

File Size:

28,938 bytes

File Type:

PL

Memory Resident:

Yes

Initial Samples Received Date:

28 Feb 2021

Payload:

Connects to URLs/IPs

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

  • http://{BLOCKED}e.com/.x/b

Backdoor Routine

This Backdoor connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}.{BLOCKED}.61.106:8080

It joins any of the following IRC channel(s):

  • #xmr1

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

  • portscan -> Scans the following ports: 21, 22, 23, 25, 53, 80, 110, 143 of a specific IP
  • download -> Downloads a file
  • fullportscan -> Scans for open ports of a specific hostname
  • udp -> UDP flooding
  • udpfaixa -> Infinite UDP flooding
  • conback -> Connect to arbitrary socket
  • oldpack -> Simultaneous ICMP, UDP, IGMP, TCP flooding on open ports with statistics report
  • IRC Control:
    • join: joins a channel
    • part: leaves a channel
    • rejoin: leaves and rejoins a channel
    • op: grants a user an operator status
    • deop: revokes a user's operator status
    • voice: grants a user a voice status
    • devoice: revokes a user's voice status
    • msg: sends a message
    • flood: sends a message for a specified number of times
    • ctcpflood: sends a client to client protocol request to a specified user or channel for a specified number of times
    • ctcp: sends a client to client protocol request to a specified user or channel
    • invite: invites a user to join the channel
    • nick: changes a nickname
    • conecta: connects to a specified server with the port 6667
    • send: establishes a direct connection to a user
    • raw: toggles raw event processing
    • eval: executes the specified code
    • entra: joins a channel after a random amount of seconds
    • sai: leaves a channel after a random amount of seconds
    • sair: disconnects from a server
    • novonick: changes the nickname to Z{random number}
    • estatisticas: toggles the statistics flag
    • pacotes: toggles the packets flag

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

16.566.07

FIRST VSAPI PATTERN DATE:

28 Feb 2021

VSAPI OPR PATTERN File:

16.567.00

VSAPI OPR PATTERN Date:

01 Mar 2021

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Perl.SHELLBOT.AG. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.