Backdoor.IRC.Spup.A (Backdoor.IRC.Mox (Kaspersky), IRC/Flood.y (McAfee), Troj/Flood-Y (Sophos))
SYMPTOMS:

TECHNICAL DESCRIPTION:

Infection succeeds by exploiting the Web Server Folder Traversal vulnerability in Microsoft IIS 4.0 and 5.0 described in Microsoft Security Bulletin MS00-078. A patch for this issue has been available from Microsoft since August 2000.

A file is uploaded to the infected computer and executed: c:\Winnt\project\By.eXe. When run, it unpacks a mIRC executable, an executable used to hide the mIRC window, a moo.dll file that provides functions for inspecting the computer, and the script files. The viral code lies only in the script files that mIRC uses.

A registry key is also created to ensure mIRC runs every time the victim machine boots:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Subkey: byeXe
Value: c:\\Winnt\\project\\By.eXe

This is an excellent example of a distributed attack: the infected machines connect to the IRC server qwe.pups.net.ru on a non-standard port. They join the channel #c0de54135 on that server and read the channel topic, which tells them what to do: flood or portscan specific servers. The channel operator, or a user who identifies himself to the victims' IRC clients, can also post commands to the victim computers. This is a dangerous backdoor because it uses *all* the infected machines to attack the same target computer at the same time. The author also included an ICQ routine so that infected machines can contact him. The virus attempts to auto-update from an FTP server.

Removal instructions:

BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries should be corrected manually.
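The persistence entry described above can be checked for offline in an exported Run key. The following is an added example and not BitDefender's code: it parses a constructed .reg export (the benign entry is invented for illustration), undoes the doubled backslashes that .reg files use, and flags the byeXe value or any value whose data points at the By.eXe path.

```python
import re

# Indicators taken from the description above; the .reg text below is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SPUP_VALUE_NAME = "byeXe"
SPUP_PATH = r"c:\winnt\project\by.exe"

# Constructed sample export: one benign entry plus the Spup persistence entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="c:\\Program Files\\Example\\tray.exe /quiet"
"byeXe"="c:\\Winnt\\project\\By.eXe"
'''

VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg escaping: doubled backslashes and escaped quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_values(reg_text, key_path):
    """Return {value name: string data} for the REG_SZ values under key_path."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive in the registry.
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key or not line:
            continue
        m = VALUE_LINE.match(line)
        if m:
            name, data = (unescape_reg(g) for g in m.groups())
            values[name] = data
    return values


def find_spup_persistence(reg_text):
    """Return (name, data) pairs in the Run key matching the Spup indicators."""
    hits = []
    for name, data in parse_reg_values(reg_text, RUN_KEY).items():
        if name.lower() == SPUP_VALUE_NAME.lower() or data.lower().startswith(SPUP_PATH):
            hits.append((name, data))
    return hits
```

A real export (regedit /e) is UTF-16 with a BOM, so decode it before passing the text in.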
ANALYZED BY: Mihai Neagu, BitDefender Virus Researcher