Port scanning. The program may collect personal information stored on the computer. This Trojan has its own IRC (Internet Relay Chat) client that can connect to IRC channels. The use of IRC separates these threats from their traditional back door and worm counterparts in that the hacker does not issue commands directly to the back door.
It attempts to join IRC channels and opens back doors to allow remote access to an infected machine.

action=Open folder to view files
shell\open=Open
shell\open\command=OGa\RD\GOx.exe
shell\open\default=1

The following registry keys have been added to the system. The following registry values have been added to the system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v3.6 = "%Temp%\trinaest.exe"

[HKEY_CURRENT_USER\-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
Driver Control Manager v3.6 = "%Temp%\trinaest.exe"

The above two registry entries confirm that,
The file "AutoRun.inf" points to the malware binary executable. They are spread manually, often under the premise that they are beneficial or wanted. Update the BOT.
It connects to a remote IRC server in order to receive instructions from a remote attacker. Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's
An attacker usually gathers a large number of computers infected with W32.IRCBot worms and uses them as a bot network, controlled through IRC.
https://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=3
Checks the BOT's ID and version.
The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Check the up-time of the BOT. Log out from the BOT. An attacker can gain control over the compromised computer and use it to send spam or install further malware.
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/IRCbot It can also record running programs in the computer. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
In order to lure the user to execute the file, it uses an icon that resembles a Folder Icon. Writeup By: Candid Wueest
Access files through a Shell. It may also monitor the website the user visits.
The file downloaded is detected as Backdoor.Win32.IRCBot.WT. List/Terminate processes. It will then wait for instructions permitting a remote hacker to carry out a host of malicious actions on the compromised machine.
It then waits for commands from a remote user.
Commands that can be remotely executed include downloading and executing files. The following folders have been added to the system:

%SystemDrive%\OGa
%SystemDrive%\OGa\RD

[Note: %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

Update February
The W32.IRCBot Trojan application allegedly has keylogger functionality.

Aliases
Microsoft - Worm:Win32/Dorkbot!lnk
Kaspersky - Trojan.WinLNK.Runner.bl
Ikarus - Worm.Win32.Dorkbot
Fortinet - LNK/AutoRun.HXW!tr
Drweb - Win32.HLLW.Autoruner.59834

Minimum Engine: 5600.1067
File Length: Varies
Description Added: 2011-12-09
Description Modified: 2012-09-11

Malware Proliferation
W32/IRCBot.gen.bs!lnk is a link file which is dropped by the file 13a0ea84.exe [Detected as

Antivirus Protection Dates
Initial Rapid Release version July 9, 2002
Latest Rapid Release version January 31, 2017 revision 018
Initial Daily Certified version July 9, 2002 revision 007
Latest Daily Certified