A hidden mIRC window
Intense network activity (flooding other servers)
BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.
- If you don't have BitDefender installed, click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Reboot the computer
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Backdoor.IRC.Spup.A.
To prevent the virus from exploiting the Web Server Folder Traversal vulnerability in Microsoft IIS 4.0 and 5.0, apply the patch Microsoft released in August 2000 (Microsoft Security Bulletin MS00-078).
Mihai Neagu BitDefender Virus Researcher
Infection succeeds by using the Web Server Folder Traversal vulnerability in Microsoft IIS 4.0 and 5.0 described in Microsoft Security Bulletin MS00-078. Microsoft released a patch for this issue in August 2000.
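The folder traversal that this backdoor relies on (MS00-078) works because IIS 4.0/5.0 decoded overlong UTF-8 escapes such as %c0%af ('/') and %c1%9c ('\') only after checking the path for "..". The detector below, an added example that is not part of the original BitDefender write-up, decodes request paths the way the vulnerable server did and flags IIS log entries whose decoded path climbs out of its directory; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 forms (lead byte 0xC0 or 0xC1) that IIS 4.0/5.0
# decoded after its ".." check (MS00-078): 0xC0 0xAF -> '/', 0xC1 0x9C -> '\'.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def decode_overlong(raw: bytes) -> str:
    """Map overlong two-byte forms to the ASCII byte they encode, instead of
    rejecting them as a strict UTF-8 decoder would."""
    def fix(m):
        b0, b1 = m.group(0)
        return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])
    return OVERLONG.sub(fix, raw).decode("latin-1")

def is_folder_traversal(url_path: str) -> bool:
    """True when the path, decoded the way the vulnerable server did,
    contains a '..' segment (either slash style)."""
    decoded = decode_overlong(unquote_to_bytes(url_path))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments

# Constructed W3C-style IIS log lines: date time client method path query status.
SAMPLE_LOG = """\
2001-03-10 12:00:01 10.0.0.5 GET /default.htm - 200
2001-03-10 12:00:02 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/ - 200
2001-03-10 12:00:03 10.0.0.9 GET /scripts/..%c1%9c../winnt/ - 200
2001-03-10 12:00:04 10.0.0.7 GET /images/logo.gif - 304
"""

def flag_traversal_requests(log_text: str) -> list:
    """Return (client, raw_path) for every log line that is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip comment or malformed lines
        client, path = fields[2], fields[4]
        if is_folder_traversal(path):
            hits.append((client, path))
    return hits

if __name__ == "__main__":
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"folder traversal attempt from {client}: {path}")
```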
A file is uploaded to the infected computer and executed: c:\Winnt\project\By.eXe. When run, it unpacks a mIRC executable, an executable used to hide the mIRC window, a moo.dll file that provides functions to inspect the computer, and the script files.
The viral code lies only in the script files that mIRC uses. A registry key is also created to ensure mIRC runs every time the victim machine boots: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
This is an excellent example of a distributed attack: the infected machines connect to the IRC server qwe.pups.net.ru on a non-standard port. They join the channel #c0de54135 on that server and read the channel topic, which tells them what to do: flood or port-scan specific servers. The channel operator, or a user who identifies himself to the victims' IRC clients, can also send commands to the victim computers.
This is a dangerous backdoor because it uses *all* the infected machines to attack the same target computer at the same time. The author also added an ICQ routine so that the infected machines can contact him. The virus attempts to auto-update from an FTP server.