Backdoor.IRCBot.ACTN

MEDIUM
MEDIUM
~75 kbytes
(Net-Worm.Win32.Kolab.dgc; BackDoor.IRC.Sdbot.5096; W32/Kolab.DGC!worm.im)

Symptoms

- Security Center service is disabled

- presence of a file named usb_magr.exe in %WINDOWS% folder

- presence of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Universal Serial Bus device
Value: usb_magr.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

This worm is packed and encrypted in order to evade AV detection and hide its malicious purpose. When first run, it creates a hidden copy of itself in the %WINDOWS% folder under the name usb_magr.exe and adds the following value to the registry so that this copy is executed at every system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Universal Serial Bus device
Value: usb_magr.exe

Next, it drops a file named x.bat, which stops the Security Center service and then deletes itself. With this service disabled, the user is no longer notified whether virus protection, the firewall and automatic updates are enabled or not.

In order to spread through removable drives, it creates an autorun.inf file pointing to a copy of itself placed in the following folder:
C:\RECYCLER \S-1-6-21-2434476501-1644491937-600003330-1213\ folder

Then it tries to connect to an IRC channel using the following data:
User: MEAT* 0
Nick: {iNF-00-USA-<operating_system>-<computer_name>-<random_number>}
Pass: prison

Through this backdoor the attacker is able to control the system, download other files or upgraded versions of the bot, execute IRC commands, and send messages to all the contacts in the user's messenger list.
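As an added example (not part of the Bitdefender description), the following Python turns the indicators above into two checks a responder can run: one over client-to-server IRC lines from a traffic capture, matching the bot's PASS/NICK/USER login sequence, and one over the values of the Run key. It assumes the "*" in "MEAT* 0" stands for additional characters and that the Run key has already been exported into a name-to-data dictionary; the sample lines and registry values are constructed.

```python
import re

# Indicators taken from the description above (Backdoor.IRCBot.ACTN).
RUN_VALUE_NAME = "Universal Serial Bus device"
DROPPED_FILE = "usb_magr.exe"

# IRC login sequence the bot sends. The "*" in "MEAT* 0" is read as a
# wildcard for extra characters (assumption); <operating_system>,
# <computer_name> and <random_number> are filled in by the bot, so they
# are matched generically (the computer name may itself contain hyphens).
IRC_PATTERNS = {
    "pass": re.compile(r"^PASS\s+prison\s*$"),
    "nick": re.compile(r"^NICK\s+\{iNF-00-USA-\S+-\d+\}\s*$"),
    "user": re.compile(r"^USER\s+MEAT\S*\s+0\b"),
}

def scan_irc_lines(lines):
    """Flag client-to-server IRC lines matching the bot's login sequence.
    Returns a list of (line_number, indicator_name)."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        for name, pattern in IRC_PATTERNS.items():
            if pattern.match(line):
                hits.append((number, name))
                break
    return hits

def run_key_hit(run_values):
    """run_values: {value_name: data} read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (hypothetical
    export). True when the described autostart entry is present; the bot
    registers only the file name, but a full path ending in it also counts."""
    for name, data in run_values.items():
        if name.strip().lower() == RUN_VALUE_NAME.lower():
            target = data.strip().strip('"').lower()
            if target == DROPPED_FILE or target.endswith("\\" + DROPPED_FILE):
                return True
    return False

# Constructed sample input (not real captured traffic or a real registry).
SAMPLE_IRC = [
    "PASS prison",
    "NICK {iNF-00-USA-XP-LAB-PC-01-48213}",
    "USER MEATqz 0 * :MEATqz",
    "PING :irc.example.invalid",
    "NICK regular_user",
]
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "Universal Serial Bus device": "usb_magr.exe",
}

if __name__ == "__main__":
    print(scan_irc_lines(SAMPLE_IRC))  # [(1, 'pass'), (2, 'nick'), (3, 'user')]
    print(run_key_hit(SAMPLE_RUN))     # True
```

A match on the NICK pattern alone is a strong signal, since the fixed prefix and braces are specific to this bot; the PASS line alone is not, as "prison" could appear in unrelated traffic.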