Backdoor.IrcContact

Discussion in 'malware problems & news' started by Randy_Bell, Nov 19, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Symantec Security Response - Backdoor.IrcContact

    Backdoor.IrcContact is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 6667 on the infected computer. Backdoor.IrcContact is packed using ASPack v2.12.

    Also Known As: Backdoor.IrcContact.20 [AVP]
    Type: Trojan Horse
    Infection Length: 41,472 bytes, 40,448 bytes
    Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
    Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

    Technical Details

    When Backdoor.IrcContact runs, it performs the following actions:

    It copies itself as Syswin32.exe or Syswin.exe into the %system% folder. In addition, it drops the file Syswin32.dll or Syswin.dll (this is a text file that contains the Trojan's connection settings) into the %system% folder.

    NOTE: %system% is a variable. The Trojan locates the System folder and copies the files to that location. By default this is C:\Windows\System (Windows 95/98/Millennium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    The Trojan creates one of these values

    syswin32 %system%\syswin32.exe
    syswin %system%\syswin.exe

    in the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan starts when you start or restart Windows.

    If the operating system is Windows 95/98/Millennium, the Trojan registers itself as a service process, so that it continues to run after you log off. In this case, Backdoor.IrcContact closes only when the system is shut down.

    After Backdoor.IrcContact is installed, it joins a specific IRC channel and then waits for commands from the remote client. The commands allow the hacker to perform the following actions:

    • Deliver system and network information to the hacker
    • Manage the installation of the backdoor Trojan
    • Download and execute files
    • Perform Denial of Service (DoS) attacks
    • Inventory and activate windows of programs that are running
    • Restart the computer

    Removal Instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Do one of the following:
       • Windows 95/98/Millennium: Restart the computer in Safe mode.
       • Windows NT/2000/XP: End the Trojan process.
    3. Run a full system scan, and delete all files that are detected as Backdoor.IrcContact.
    4. Reverse the changes that the Trojan made to the registry.

    To restart the computer in Safe mode or end the Trojan process:

    • Windows 95/98/Millennium
      Restart the computer in Safe mode. All Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.
    • Windows NT/2000/XP
      To end the Trojan process:

        1. Press Ctrl+Alt+Delete once.
        2. Click Task Manager.
        3. Click the Processes tab.
        4. Double-click the Image Name column header to sort the processes alphabetically.
        5. Scroll through the list, and look for Syswin32.exe or Syswin.exe.
        6. If you find the file, click it, and then click End Process.
        7. Exit the Task Manager.

    To scan for and delete the infected files:


    To reverse the changes that the Trojan made to the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.


      1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the key

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      4. In the right pane, delete the value

      syswin32 %system%\syswin32.exe

      or

      syswin %system%\syswin.exe

      5. Exit the Registry Editor.
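As an added example (not part of the Symantec write-up or of this post), the following Python applies the advisory's indicators to the Run key it describes: it flags entries whose value name is syswin32/syswin or whose launched file is Syswin32.exe/Syswin.exe, resolving the %system% placeholder for the caller's Windows version. The `read_live_run_key` helper and the `SAMPLE_RUN_VALUES` contents are assumptions constructed for the example.

```python
import ntpath
import platform
import re

# Indicators quoted from the Symantec write-up above: the file names dropped
# into %system% and the Run-key value names that point at them.
IRCCONTACT_FILES = {"syswin32.exe", "syswin.exe"}
IRCCONTACT_VALUE_NAMES = {"syswin32", "syswin"}
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def expand_system_dir(data: str, system_dir: str) -> str:
    """Replace the advisory's %system% placeholder with the real System folder."""
    return re.sub(r"%system%", lambda _m: system_dir, data, flags=re.IGNORECASE)

def find_suspicious_run_entries(run_values: dict, system_dir: str) -> list:
    """Return (value name, resolved path, reasons) for Run entries that match.
    Both the value name and the launched file are checked, so a renamed value fires too."""
    hits = []
    for name, data in run_values.items():
        reasons = []
        if name.lower() in IRCCONTACT_VALUE_NAMES:
            reasons.append("value name matches")
        path = expand_system_dir(data.strip().strip('"'), system_dir)
        if ntpath.basename(path).lower() in IRCCONTACT_FILES:
            reasons.append("launched file name matches")
        if reasons:
            hits.append((name, path, reasons))
    return hits

def read_live_run_key() -> dict:
    """Enumerate HKLM\\...\\Run on Windows; returns {} elsewhere (assumed helper)."""
    if platform.system() != "Windows":
        return {}
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises once the values run out
                return values
            values[name] = str(data)
            index += 1

# Constructed sample of Run-key contents, not captured from a real machine.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\Winnt\System32\ctfmon.exe",
    "syswin32": r"%system%\syswin32.exe",
    "Updater": r"C:\Winnt\System32\syswin.exe",
}
```

On a Windows host, pass `read_live_run_key()` to `find_suspicious_run_entries` with that system's System folder; elsewhere run it against `SAMPLE_RUN_VALUES`.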