Backdoor.IrcContact

Symantec Security Response - Backdoor.IrcContact

Backdoor.IrcContact is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 6667 on the infected computer. Backdoor.IrcContact is packed using ASPack v2.12.

Also Known As: Backdoor.IrcContact.20 [AVP]
Type: Trojan Horse
Infection Length: 41,472 bytes, 40,448 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

technical details

When Backdoor.IrcContact runs, it performs the following actions:

It copies itself as Syswin32.exe or Syswin.exe into the %system% folder. In addition, it drops the file Syswin32.dll or Syswin.dll (this is a text file that contains the Trojan's connection settings) into the %system% folder.

NOTE: %system% is a variable. The Trojan locates the System folder and copies the files to that location. By default this is C:\Windows\System (Windows 95/98/Millenium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The Trojan creates one of these values

syswin32 %system%\syswin32.exe
syswin %system%\syswin.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start or restart Windows.

If the operating system is Windows 95/98/Millenium, the Trojan registers itself as a service process, so that it continues to run after you log off. In this case, Backdoor.IrcContact closes only when the system is shut down.

After Backdoor.IrcContact is installed, it joins a specific IRC channel and then waits for commands from the remote client. The commands allow the hacker to perform the following actions:

• Deliver system and network information to the hacker
• Manage the installation of the backdoor Trojan
• Download and execute files
• Perform Denial of Service (DoS) attacks
• Inventory and activate windows of programs that are running
• Restart the computer

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Do one of the following:
Windows 95/98/Millenium: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
3. Run a full system scan, and delete all files that are detected as Backdoor.IrcContact.
4. Reverse the changes that the Trojan made to the registry.

To restart the computer in Safe mode or end the Trojan process:

• Windows 95/98/Millenium
  Restart the computer in Safe mode. All Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.
• Windows NT/2000/XP
  To end the Trojan process:
  • 
    1. Press Ctrl+Alt+Delete once.
    2. Click Task Manager.
    3. Click the Processes tab.
    4. Double-click the Image Name column header to sort the processes alphabetically.
    5. Scroll through the list, and look for Syswin32.exe or Syswin.exe.
    6. If you find the file, click it, and then click End Process.
    7. Exit the Task Manager.

To scan for and delete the infected files:

• 
  1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
  • Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
  • Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
  2. Run a full system scan.
  3. If any files are detected as infected with Backdoor.IrcContact, click Delete.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

• 
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  
  4. In the right pane, delete the value
  
  syswin32 %system%\syswin32.exe
  
  or
  
  syswin %system%\syswin.exe
  
  5. Exit the Registry Editor.