iPolicy Networks Security Advisory

W32.Backdoor.IRCBot.ncw 

Date Published: 12/06/2009
Severity: High
Operating Systems Affected: Microsoft Windows 
Type: Spyware/Backdoor
MD5Sum: 1DBDDAD46127CDAC06A5F6E0D05780AE
SHA-1: CDDD71704D139BA7A845608BFC4DF42BA3CD2981
Size: 33,280 Bytes
Synopsis

W32.Backdoor.IRCBot.ncw is an independent malicious program that connects to Internet Relay Chat as a client. It performs automated functions without the user's consent or knowledge. It may allow a remote intruder to gain access to and control over the system via an Internet Relay Chat channel.
Recommended Actions
1. Users are advised to open email attachments from trusted parties only.
2. Update Antivirus definitions.
3. Firewall rules should be updated.
iPolicy Networks Response

iPolicy Networks provides detection of IRCBot.ncw through the following signatures:

  • W32.Backdoor.IRCBot.ncw_domain_resolve_attempt
  • W32.Backdoor.IRCBot.ncw_runtime_detection
Threat Analysis

W32.Backdoor.IRCBot.ncw performs the following activity when executed on the victim’s machine.

Host Level Activity:

File Changes:
W32.Backdoor.IRCBot.ncw drops the following files on the system:
%SYSTEMROOT%\raidhost.exe
%SYSTEMROOT%\system32\YoItzVlad.tmp

Creates the following process on the system:
Process Name    Process Filename
raidhost.exe    %SYSTEMROOT%\raidhost.exe

* %SYSTEMROOT% refers to the Windows installation directory, typically C:\Windows or C:\Winnt

Registry Changes:
Creates the following registry entry so that the program runs automatically at system restart:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
raidhost = "raidhost.exe"

Network Level Activity:

W32.Backdoor.IRCBot.ncw generates the following requests upon execution:

DNS request:
teamdos.org

Connects to the following remote host:
Host            Port
64.89.27.36     51987

IRC Communication with remote server:
NICK pLagUe{USA}{WAN}42111
USER pLagUe * ok .4.TeaM UniX b0at 0.4
:irc.lulz.ee NOTICE AUTH :GET: Http://www.google.com
:IRC!IRC@irc.lulz.ee PRIVMSG pLagUe{USA}{WAN}42111 :.VERSION.
:irc.lulz.ee 001 pLagUe{USA}{WAN}42111
:irc.lulz.ee 002 pLagUe{USA}{WAN}42111
:irc.lulz.ee 003 pLagUe{USA}{WAN}42111
:irc.lulz.ee 004 pLagUe{USA}{WAN}42111
:irc.lulz.ee 005 pLagUe{USA}{WAN}42111
:irc.lulz.ee 005 pLagUe{USA}{WAN}42111
:irc.lulz.ee 375 pLagUe{USA}{WAN}42111 :- irc.lulz.ee Message of the Day -
:irc.lulz.ee 372 pLagUe{USA}{WAN}42111 :- niggers~
:pLagUe{USA}{WAN}42111 MODE pLagUe{USA}{WAN}42111 :+i
MODE pLagUe{USA}{WAN}42111 -ix
JOIN #trees
PRIVMSG #trees :.4.New Infection - Morpheous Stub
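The following is an added example, not iPolicy Networks' signature implementation, showing how the two signatures listed above can be expressed as detection logic over network events: the domain_resolve_attempt signature fires on a DNS query for the C2 domain, and the runtime_detection signature fires only when the bot's NICK/USER registration is corroborated by the C2 endpoint, the channel join or the infection beacon. The event tuples and the benign session are constructed for this write-up from the transcript above.

```python
import re

# Indicators quoted in the advisory above.
C2_DOMAIN = "teamdos.org"
C2_ENDPOINT = ("64.89.27.36", 51987)
BOT_CHANNEL = "#trees"
DOMAIN_SIG = "W32.Backdoor.IRCBot.ncw_domain_resolve_attempt"
RUNTIME_SIG = "W32.Backdoor.IRCBot.ncw_runtime_detection"

# Registration and beacon patterns from the reproduced IRC session; the nick
# follows the template pLagUe{COUNTRY}{CONNTYPE}<digits>.
NICK_RE = re.compile(r"^NICK pLagUe\{[A-Z]+\}\{[A-Z]+\}\d+$")
USER_RE = re.compile(r"^USER pLagUe .*TeaM UniX b0at")
JOIN_RE = re.compile(r"^JOIN " + re.escape(BOT_CHANNEL) + r"$")
BEACON_RE = re.compile(r"^PRIVMSG " + re.escape(BOT_CHANNEL) + r" :.*New Infection")

def classify(events):
    """Return the set of signature names firing on (kind, value) events, where
    kind is 'dns' (queried name), 'connect' ((ip, port)) or 'irc' (one
    session line, CRLF stripped)."""
    hits, seen = set(), set()
    for kind, value in events:
        if kind == "dns" and value.lower().rstrip(".") == C2_DOMAIN:
            hits.add(DOMAIN_SIG)
        elif kind == "connect" and tuple(value) == C2_ENDPOINT:
            seen.add("connect")
        elif kind == "irc":
            for name, rx in (("nick", NICK_RE), ("user", USER_RE),
                             ("join", JOIN_RE), ("beacon", BEACON_RE)):
                if rx.match(value):
                    seen.add(name)
    # Runtime detection needs the NICK/USER pair plus corroboration (the C2
    # endpoint, the channel join or the beacon), so a lone NICK never fires it.
    if {"nick", "user"} <= seen and seen & {"connect", "join", "beacon"}:
        hits.add(RUNTIME_SIG)
    return hits

# Constructed sample session built from the transcript above (not a capture).
SAMPLE_EVENTS = [
    ("dns", "teamdos.org"),
    ("connect", ("64.89.27.36", 51987)),
    ("irc", "NICK pLagUe{USA}{WAN}42111"),
    ("irc", "USER pLagUe * ok .4.TeaM UniX b0at 0.4"),
    ("irc", "JOIN #trees"),
    ("irc", "PRIVMSG #trees :.4.New Infection - Morpheous Stub"),
]
# Constructed benign session: an ordinary user joining an unrelated channel.
BENIGN_EVENTS = [("dns", "www.google.com"), ("irc", "NICK alice"),
                 ("irc", "USER alice 0 * :Alice"), ("irc", "JOIN #python")]
```

On real traffic the `irc` lines would come from the reassembled TCP stream to port 51987, and the DNS check should be applied to the query name rather than the response.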
References

http://www.virustotal.com/analisis/77a058511b...

Write-up by: Dheeraj Johri