Dorkbot, Hamweq, Kolab, Rimecud, Graftor, Tofsee, Ruskill, Ngrbot


Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


Infection Channel:

Propagates via removable drives, Downloaded from the Internet, Propagates via software vulnerabilities, Propagates via instant messaging applications, Propagates via social networking sites

The IRCBOT malware family uses Internet Relay Chat (IRC) to send and receive commands from a bot master that operates each specific variant. IRCBOT malware are known to propagate via removable drives and by exploiting software vulnerabilities. IRCBOT has also used instant messaging programs such as Yahoo! Messenger, MSN Messenger, and Windows Live Messenger to spread.

This malware family has been around since 2005.

In 2010, an IRCBOT botnet dubbed the “Chuck Norris” botnet emerged in the threat landscape. It targets vulnerable routers and DSL modems to propagate a worm, detected as WORM_IRCBOT.ABJ. Later that year, newer variants used Facebook and Myspace to spread to other systems.


Memory Resident:



Connects to URLs/IPs


This backdoor drops the following copies of itself into the affected system:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
  • %User Profile%\Application Data\Ciwuww.exe
  • %User Profile%\Application Data\Fhwuwz.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe"

Ciwuww = "%User Profile%\Application Data\Ciwuww.exe"

Fhwuwz = "%User Profile%\Application Data\Fhwuwz.exe"
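The dropped-file locations above (an .exe and a Desktop.ini inside a RECYCLER subfolder named like a user SID, plus six-letter .exe files in Application Data) and the autostart entries (a Winlogon Taskman value and two Run values) are the indicators a responder would sweep for. The script below is an added example written for this write-up, not code from the vendor: it parses a .reg-style export and a file listing and flags entries that match those indicators. The registry export and file listing are constructed samples, and the full key paths (HKEY_CURRENT_USER and the per-user Run key) are assumptions, since the write-up lists only the Winlogon suffix and the value names.

```python
import re

# Constructed sample .reg export. The Winlogon and Run key paths are assumed;
# the value names and data mirror the indicators in the write-up, with one
# benign entry (ctfmon) added so the rules have something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman"="C:\\RECYCLER\\R-1-5-21-1482476501-1644491937-682003330-1013\\acleaner.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ciwuww"="C:\\Documents and Settings\\user\\Application Data\\Ciwuww.exe"
"Fhwuwz"="C:\\Documents and Settings\\user\\Application Data\\Fhwuwz.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed file listing: the dropped files from the write-up, a genuine
# Recycle Bin folder (named after a real S-1-5-21 SID) and a system binary.
SAMPLE_FILE_LISTING = [
    r"C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe",
    r"C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini",
    r"C:\RECYCLER\S-1-5-21-9999999999-1111111111-2222222222-1001\INFO2",
    r"C:\Documents and Settings\user\Application Data\Ciwuww.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

# Genuine Recycle Bin subfolders carry the user's SID, which starts with
# S-1-5-21. The folder in the write-up starts with R-1-5-21, a lookalike.
RECYCLER_LOOKALIKE_RE = re.compile(r"\\RECYCLER\\R-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)
# Heuristic derived from the two dropped copies (Ciwuww.exe, Fhwuwz.exe):
# a six-letter executable directly under Application Data.
APPDATA_EXE_RE = re.compile(r"\\Application Data\\[A-Za-z]{6}\.exe$", re.IGNORECASE)


def classify_path(path):
    """Return the indicator rules a file path matches (empty list if none)."""
    hits = []
    if RECYCLER_LOOKALIKE_RE.search(path):
        hits.append("file inside SID-lookalike RECYCLER folder")
    if APPDATA_EXE_RE.search(path):
        hits.append("six-letter executable in Application Data")
    return hits


def parse_reg_export(text):
    """Parse a .reg text export into {key_path: {value_name: string_data}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as \\; collapse them to one.
                entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def audit_registry(reg_text):
    """Return (key, value_name, data, reasons) for every suspicious value."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            reasons = classify_path(data)
            # Winlogon\Taskman is absent on a clean system; the write-up shows
            # this variant setting it so the dropped copy runs at logon.
            if key.lower().endswith(r"windows nt\currentversion\winlogon") and name.lower() == "taskman":
                reasons.insert(0, "Winlogon Taskman value present")
            if reasons:
                findings.append((key, name, data, reasons))
    return findings


def audit_files(paths):
    """Return (path, reasons) for every path matching a file indicator."""
    return [(p, classify_path(p)) for p in paths if classify_path(p)]


if __name__ == "__main__":
    for key, name, data, reasons in audit_registry(SAMPLE_REG_EXPORT):
        print(f"[registry] {key}\\{name} = {data}: {'; '.join(reasons)}")
    for path, reasons in audit_files(SAMPLE_FILE_LISTING):
        print(f"[file] {path}: {'; '.join(reasons)}")
```

On a live system the export would come from `reg export` of the Winlogon and Run keys and the listing from a recursive directory walk of the RECYCLER folder and each profile's Application Data; the rules are deliberately narrow to the indicators in this write-up, so a miss is not evidence of a clean host.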

Other Details

This backdoor connects to the following possibly malicious URLs:

  • av.{BLOCKED}c.cz
  • av.{BLOCKED}en.cc
  • bt1.{BLOCKED}a.com
  • bt1.{BLOCKED}um.com
  • bt1.{BLOCKED}y.com
  • dl.{BLOCKED}k.com
  • fanta.{BLOCKED}er.com
  • haso.{BLOCKED}g.com
  • http://{BLOCKED}e.com/dl/143405707/43967b3/1c1.com
  • http://{BLOCKED}e.com/dl/147117570/df10b90/125.gif.exe
  • http://{BLOCKED}e.com/dl/148475728/eb6b618/x1010.exe
  • http://img103.{BLOCKED}h.com/2012/02/26/671531634.gif
  • http://img105.{BLOCKED}h.com/2012/02/26/306561211.gif
  • http://s530.{BLOCKED}le.com/get/{random}/{random}/2/8bf8cc5ef4a9bd85/8d98f50/x1010.exe
  • http://s679.{BLOCKED}le.com/get/{random}/{random}/2/c5cf22b016e0ae9a/8d98f09/botupx.exe
  • http://{BLOCKED}le.com/dl/139880406/883ef46/botxxxx1-2.exe
  • http://{BLOCKED}le.com/dl/148475657/93df7e1/botupx.exe
  • magazin.{BLOCKED}bila.com
  • matea.{BLOCKED}g.com
  • ng.{BLOCKED}llone.com
  • ng.{BLOCKED}oan.com
  • ng.{BLOCKED}opperz11.com
  • ng.{BLOCKED}ousez11.com
  • ng.{BLOCKED}tbaby.com
  • ngrbck0.{BLOCKED}van.info
  • ngrbck1.{BLOCKED}cija-reality.co.cc
  • ngrbck2.{BLOCKED}oup.co.za
  • niggers.{BLOCKED}s.ru
  • tamara.{BLOCKED}le-cache.com
  • up.{BLOCKED}at.org
  • up.{BLOCKED}ek.net
  • up.{BLOCKED}idic.net
  • up.{BLOCKED}s.in
  • up.{BLOCKED}y.in
  • xD.{BLOCKED}x.com
  • {BLOCKED}01.com
  • {BLOCKED}02.com
  • {BLOCKED}03.com
  • {BLOCKED}pwnme.net
  • {BLOCKED}t.ru
  • {BLOCKED}ud.com
  • {BLOCKED}v.info