Backdoor.Win32.IRCBot.abc

tag:Backdoors  

This Trojan provides a remote malicious user with access to the victim machine. It is managed via IRC. It is a Windows PE EXE file. It is 32,704 bytes in size.

Installation

When installing, the backdoor creates a system process, svchost.exe, and injects its code into process memory. The backdoor code will:

  • Copy the backdoor executable file to the Windows system directory. The name that the backdoor will be saved under is created in the following way: a file name is chosen at random from the system registry, a random lower-case letter from the Latin alphabet is appended to it, and an .exe extension is added.
  • In order to ensure that the backdoor is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wupdate" = "<path to backdoor executable file>"

Payload

The backdoor modifies system registry values to the values shown below:

[HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
DisableRawSecurity = 1

On Windows XP and Windows Server 2003 this parameter removes the requirement that a process hold administrator rights in order to open a raw socket.

The backdoor also stops the "SharedAccess" service, which on Windows XP hosts Windows Firewall and Internet Connection Sharing; stopping it disables the host firewall.

It harvests passwords and information about Microsoft Outlook user accounts from the following registry key parameters:

[HKLM\Software\Microsoft\Internet Account Manager\Accounts]
SMTP Email Address
SMTP Server
SMTP Port
POP3 User Name
POP3 Server
POP3 Port
IMAP Port
IMAP Server
IMAP User Name
HTTPMail User Name
HTTPMail Server

It harvests passwords and information about Opera Mail user accounts from the configuration file:

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the backdoor process.
  2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine) and the copy it placed in the Windows system directory, whose path is given by the registry value in step 3.
  3. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wupdate" = "<path to backdoor executable file>"

Because the backdoor also runs injected inside a svchost.exe process, reboot the machine after step 3 so that no injected copy remains in memory; then restore the AFD parameter and the "SharedAccess" service described under Payload.
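The indicators described in the Installation, Payload and removal sections can be checked and cleaned up in one pass. The following PowerShell script is an added example written for this entry; it is not code from the original page or from the backdoor's author. The registry paths, value names, service name and file size are taken from the text; hunting for the dropped copy by name pattern (an existing System32 file name plus one trailing lower-case letter) and by exact size, and filtering candidates on their Authenticode status, are my own assumptions. Run it from an elevated PowerShell; without -Remediate it only reports.

```powershell
# Added example for the Backdoor.Win32.IRCBot.abc entry (not the page's or the
# malware author's code). Reports the documented indicators and, with
# -Remediate, removes them. Paths/values/service/size come from the entry; the
# name-pattern and size hunt in step 5 is an assumption about how to find the
# randomly named copy in the system directory.
[CmdletBinding()]
param([switch]$Remediate)

$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$AfdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
$Sys32    = Join-Path $env:SystemRoot 'System32'
$Findings = New-Object System.Collections.Generic.List[string]

# --- 1. Persistence: Run\Wupdate points at the dropped executable ------------
$wupdate = (Get-ItemProperty -Path $RunKey -Name Wupdate -ErrorAction SilentlyContinue).Wupdate
$dropped = $null
if ($wupdate) {
    # The page shows a bare path; strip any surrounding quotes just in case.
    $dropped = $wupdate.Trim().Trim('"')
    $Findings.Add("Run\Wupdate = $wupdate")
    if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name Wupdate }
}

# --- 2. Running copy: stop any process whose image is the dropped file --------
if ($dropped) {
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $dropped) } | ForEach-Object {
        $Findings.Add("Process $($_.Id) running from $dropped")
        if ($Remediate) { Stop-Process -Id $_.Id -Force }
    }
    # The bot also injects into a spawned svchost.exe, which this step does not
    # identify; reboot after clean-up so no injected copy survives in memory.
    if ($Remediate -and (Test-Path -LiteralPath $dropped)) {
        Remove-Item -LiteralPath $dropped -Force
    }
}

# --- 3. AFD\DisableRawSecurity = 1 (raw sockets without admin rights) ---------
$raw = (Get-ItemProperty -Path $AfdKey -Name DisableRawSecurity -ErrorAction SilentlyContinue).DisableRawSecurity
if ($raw -eq 1) {
    $Findings.Add('AFD\Parameters\DisableRawSecurity = 1')
    # The value is absent on a clean system, so deleting it restores the default.
    if ($Remediate) { Remove-ItemProperty -Path $AfdKey -Name DisableRawSecurity }
}

# --- 4. SharedAccess (Windows Firewall / ICS) stopped by the bot -------------
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    $Findings.Add("Service SharedAccess is $($svc.Status)")
    if ($Remediate) {
        Set-Service -Name SharedAccess -StartupType Automatic
        Start-Service -Name SharedAccess
    }
}

# --- 5. Hunt for the dropped copy by name pattern and by size ----------------
# Assumption: the random base name was taken from a file name the registry
# refers to, so the names already present in System32 approximate that set.
$exes  = Get-ChildItem -LiteralPath $Sys32 -Filter *.exe -File
$names = @{}
foreach ($f in $exes) { $names[$f.BaseName.ToLower()] = $true }
foreach ($f in $exes) {
    $base = $f.BaseName.ToLower()
    $patternHit = ($base.Length -gt 1) -and ($base[-1] -cmatch '[a-z]') -and
                  $names.ContainsKey($base.Substring(0, $base.Length - 1))
    $sizeHit = ($f.Length -eq 32704)   # size given in the entry
    if ($patternHit -or $sizeHit) {
        $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        if ($sig -ne 'Valid') {
            $Findings.Add("Candidate $($f.FullName) size=$($f.Length) signature=$sig")
        }
    }
}

if ($Findings.Count -eq 0) { 'No IRCBot.abc indicators found.' } else { $Findings }
```

Step 5 is a hunt, not a verdict: a legitimate unsigned utility whose name happens to extend another System32 name will also be listed, so review candidates (hash, timestamps, strings) before deleting anything. Steps 1 to 4 act only on the exact artefacts the entry documents.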

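To see what the mail-account harvest described under Payload yields on a given machine, the following added PowerShell script walks the Internet Account Manager\Accounts key and reports the listed values per account. It is not code from the original page or from the backdoor's author. Two assumptions beyond the text: it also checks HKCU, where Outlook Express stores per-user accounts, and it treats the "*Password2" REG_BINARY values (DPAPI-protected credential blobs) as the stored passwords; it only reports that such a blob is present and never decrypts it.

```powershell
# Added example for the Backdoor.Win32.IRCBot.abc entry (not the page's or the
# malware author's code): enumerate the account data the bot reads from the
# Internet Account Manager key. Checking HKCU and counting "*Password2" blobs
# are assumptions; nothing is decrypted.
$AccountsKeys = @(
    'HKCU:\Software\Microsoft\Internet Account Manager\Accounts',
    'HKLM:\Software\Microsoft\Internet Account Manager\Accounts'
)
# Value names exactly as listed in the entry.
$Fields = @(
    'SMTP Email Address', 'SMTP Server', 'SMTP Port',
    'POP3 User Name',     'POP3 Server', 'POP3 Port',
    'IMAP User Name',     'IMAP Server', 'IMAP Port',
    'HTTPMail User Name', 'HTTPMail Server'
)
# Assumed names of the protected credential values (REG_BINARY, DPAPI).
$PasswordValues = @('POP3 Password2', 'IMAP Password2', 'SMTP Password2', 'HTTPMail Password2')

function Get-MailAccountExposure {
    foreach ($root in $AccountsKeys) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($acct in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $acct.PSPath
            $row = [ordered]@{ Hive = $root.Split(':')[0]; Account = $acct.PSChildName }
            foreach ($name in $Fields) {
                $v = $props.PSObject.Properties[$name]
                $row[$name] = if ($v) { $v.Value } else { $null }
            }
            # Report only whether a protected credential blob exists for the account.
            $stored = @($PasswordValues | Where-Object { $props.PSObject.Properties[$_] })
            $row['StoredPasswords'] = ($stored -join ', ')
            [pscustomobject]$row
        }
    }
}

Get-MailAccountExposure | Format-List
```

Every account that shows a non-empty StoredPasswords field is one whose credential blob the bot could read; since those blobs are protected with the user's DPAPI key, code running in that user's session (as this backdoor does) can decrypt them, so treat the listed accounts as compromised and rotate their passwords after removal.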
©Virus-Encyclopedia.com All Rights Reserved.