Discussion in 'malware problems & news' started by Marianna, Feb 19, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    Date Discovered: 10/24/2003
    Date Added: 2/19/2004
    Origin: Unknown
    Length: 912022 bytes
    Type: Trojan

    This is a detection for an IRC bot offering various backdoor and flood capabilities to an attacker. It is written in mIRC script and uses a patched version of mIRC as well as some other external programs and DLLs.
    An attacker can gain access to the hard drive of an infected machine, e.g. download/upload information or programs and execute them, or terminate running processes, and can query the machine for the 'CD-Key' of a few online games or for general system information.

    The bot can be used by an attacker as an HTTP proxy or BNC in order to relay connections.

    On command, the bot tries to connect to machines within the local network using IPC$ and weak username and password combinations.

    The bot arrives in a package and, when executed, drops several files on the disk:

    Filename       Filesize  Detection name
    BOOT.EXE       37376     application RemoteProcessLaunch
    DCOM.EXE       15872     Exploit-DcomRpc.gen
    EMPAVMS.EXE    20992     application HideRun
    FLOOD.OCX      1930      IRC/
    GFXV.EXE       45056     IPCScan
    HACK.BAT       74        IRC/
    HID.EXE        29696     application HideExec
    JAVA.DLL       5378      IRC/Flood.ap
    JNCO32.EXE     17920     FDoS-Mixtar
    KI.EXE         77824     application PSKilL
    LAN.BAT        43663     Bat/pas4
    LIBPARSE.EXE   25600     application PrcView
    LSASS.EXE      556544    IRC/Flood.mirc
    MOO.DLL        34304     application MotherboardMonitor
    NEWUSER.BAT    6699      NTRootKit-B.bat
    NHTML.DLL      6656      application IRC/Flood.tool
    NTDZM.EXE      28192     W32/Sdbot.worm.gen
    REMOTE.INI     6217      IRC/Generic Flooder
    RUN.BAT        115       IRC/Flood.bat.f
    SCREEN.DLL     21758     IRC/
    SE2WIN32.EXE   912022    IRC/
    SIPG.OCX       4341      IRC/
    SYSTE32.DLL    1320      IRC/
    TEAW.EXE       28160     IRC/Flood.db
    TELNET.DLL     6184      IRC/Generic Flooder
    TEMP           4903      IRC/
    TVCHOST32.EXE  14336     FDoS-Mixtar
    WINCMD34.BAT   15325     IRC/
    WIND.DLL       3914      IRC/

    Indications of Infection

    Existence of files and registry keys mentioned before.
    Network traffic to IRC server
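    The dropped-file list above is, in effect, an indicator set: a filename plus an exact size for each component. The script below is an added example, not part of the post or of any vendor tool, showing how a responder could sweep a directory tree for those indicators and distinguish an exact name-and-size match from a name-only match (a file named LSASS.EXE is expected on Windows; the listed 556544-byte size is what makes it suspicious). The sample directory it scans is constructed in a temporary folder so the example runs offline; the helper names and the two-exact-hit threshold are the example's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# (filename, size in bytes) pairs copied from the dropped-file table above.
DROPPED_FILES = {
    "BOOT.EXE": 37376, "DCOM.EXE": 15872, "EMPAVMS.EXE": 20992,
    "FLOOD.OCX": 1930, "GFXV.EXE": 45056, "HACK.BAT": 74,
    "HID.EXE": 29696, "JAVA.DLL": 5378, "JNCO32.EXE": 17920,
    "KI.EXE": 77824, "LAN.BAT": 43663, "LIBPARSE.EXE": 25600,
    "LSASS.EXE": 556544, "MOO.DLL": 34304, "NEWUSER.BAT": 6699,
    "NHTML.DLL": 6656, "NTDZM.EXE": 28192, "REMOTE.INI": 6217,
    "RUN.BAT": 115, "SCREEN.DLL": 21758, "SE2WIN32.EXE": 912022,
    "SIPG.OCX": 4341, "SYSTE32.DLL": 1320, "TEAW.EXE": 28160,
    "TELNET.DLL": 6184, "TEMP": 4903, "TVCHOST32.EXE": 14336,
    "WINCMD34.BAT": 15325, "WIND.DLL": 3914,
}


def scan_directory(root):
    """Walk root and return one record per file whose name is in the
    indicator list. Matching is case-insensitive because Windows file
    names are; size_match tells exact hits from name-only hits."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            expected = DROPPED_FILES.get(name.upper())
            if expected is None:
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            hits.append({
                "path": path,
                "name": name.upper(),
                "size": size,
                "size_match": size == expected,
            })
    return hits


def assess(hits, min_exact=2):
    """Assumed triage rule for this example: several exact name+size
    matches together point at the dropped package; a lone name-only hit
    (e.g. a legitimate LSASS.EXE) is reported but not escalated."""
    exact = sum(1 for h in hits if h["size_match"])
    return "likely_infected" if exact >= min_exact else "review"


def build_sample_tree(root):
    """Constructed sample data for the example: two files matching both
    name and listed size, one with a listed name but a different size,
    and one unrelated file. Lower-case name checks the case folding."""
    root = Path(root)
    (root / "sys").mkdir()
    (root / "sys" / "hack.bat").write_bytes(b"x" * 74)      # exact hit
    (root / "sys" / "RUN.BAT").write_bytes(b"x" * 115)      # exact hit
    (root / "REMOTE.INI").write_bytes(b"x" * 100)           # name only
    (root / "README.TXT").write_bytes(b"nothing to see")     # unrelated


def demo():
    """Run the scan over the constructed tree and return a compact view
    of the result: sorted (name, size_match) pairs plus the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_directory(tmp)
        return {
            "hits": sorted((h["name"], h["size_match"]) for h in hits),
            "verdict": assess(hits),
        }


if __name__ == "__main__":
    print(demo())
```

    On a real host the scan would be pointed at the system and user profile directories rather than a temporary folder; the size check matters because several of the listed names (LSASS.EXE, TEMP, JAVA.DLL) collide with files that are normal on an uninfected machine.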
  2. -KRAM-

    -KRAM- Guest

    flooderZ ?

    Can you give me the site where I can download the mIRC or IRC flooder? Or a mIRC flooder script or add-ons? Please? Thanks....
  3. Technodrome

    Technodrome Security Expert

    Feb 13, 2002
    New York
    Re: flooderZ ?

    No... :rolleyes:
