| What's been found |
| --- |
| Communication with a remote IRC server. |
| Downloads/requests other files from Internet. |
| Creates a startup registry entry. |
| Contains characteristics of an identified security risk. |

Possible Security Risk

| Security Risk | Description |
| --- | --- |
| Backdoor.IRCBot | Backdoor.IRCBot is a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network exploiting various Windows vulnerabilities. |
| Backdoor.mIRC | Backdoor.mIRC is a backdoor trojan which makes use of the popular mIRC client. It opens ports and allows unauthorized access to an attacker. It is also capable of hijacking a user's browser start page. |
File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
| --- | --- | --- | --- | --- |
| 1 | %System%\184802.reg; %System%\239188.reg; %System%\242202.reg; %System%\252666.reg; %System%\260514.reg; %System%\423181.reg; %System%\472955.reg; %System%\840069.reg; %System%\913642.reg | 129 bytes | MD5: 0xBE83AE1BB6EB29494C6DE87256797983; SHA-1: 0x00EC555BBD22C631DD7D86DF633E70F3F5C8BE35 | (not available) |
| 2 | %System%\cls.jpg | 11,831 bytes | MD5: 0xC70A0B22A4C4335216CD6CCBD50F24C2; SHA-1: 0xE7390BAB812B0E829FDAB98855B33B2F2B321FE1 | (not available) |
| 3 | %System%\microsoft.ico | 25,214 bytes | MD5: 0xD151B2C9E86BD1A16ED71BDCA67D5170; SHA-1: 0xA72DEE47CDC6926FBE9F12F2DAC795D518088089 | (not available) |
| 4 | %System%\mirc.exe | 1,790,464 bytes | MD5: 0xB766003F431CAD186BD115F5761592D1; SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10 | not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; IRC/Client [McAfee] |
| 5 | %System%\mirc.ini | 2,379 bytes | MD5: 0x958DE9E0437414FA5D50D28B629331FF; SHA-1: 0x4F986F9C57767E8CC63C49111D430A747AF04794 | IRC/Flood.gen.b [McAfee]; Backdoor:IRC/Zcrew.gen [Microsoft] |
| 6 | %System%\msdlg.dll | 42,496 bytes | MD5: 0x1FC5FA56F41E3D4F35EC1CC3781EF734; SHA-1: 0x33D126879780306DAB2ADCF8EA93D6094BC7647C | (not available) |
| 7 | %System%\no.jpg | 13,992 bytes | MD5: 0x2C0B97C41BCE09DB1D557E095640DDB2; SHA-1: 0x04002C962B42C497B7DD37D397C1254D728A611D | (not available) |
| 8 | %System%\realms.ini | 13 bytes | MD5: 0x3BAFBDC42C9191105D30BDF3FDEB6D1F; SHA-1: 0x54E2744F8F683827DA0CE4A32465489DAB06BE4D | (not available) |
| 9 | [file and pathname of the sample #1] | 1,635,203 bytes | MD5: 0x108DAF642D3A5D20C42CA97484798B94; SHA-1: 0x4332E0041B4BF9CEC174193E6CCFA1389B671DC5 | not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] |
| 10 | %System%\softwares.dll | 29,184 bytes | MD5: 0x2DB18780EA5D7FF0D3CF0DE32B844164; SHA-1: 0xD277DB0B9F9374CE19EABA4AA82D4AE8DC5D3B11 | (not available) |
| 11 | %System%\stray.dll | 57,344 bytes | MD5: 0x4EFDA9E772236541A12189C26801C97B; SHA-1: 0x7F0200C46A6CA3593FA3C43DAAC5071589E82307 | (not available) |
| 12 | %System%\uinput.dll | 24,874 bytes | MD5: 0x75067D1AA536D762E4819824B5A9353F; SHA-1: 0xA473DB85846A120C0B24B0DAF520614E46108AB0 | (not available) |
| 13 | %System%\value.ini | 48 bytes | MD5: 0xB03BBB8110ABFFA59A7871980BD87D45; SHA-1: 0x9C880BC98542ABC26B9BC963503FF3B1AB4BD1B3 | (not available) |
| 14 | %System%\winwizard.dll | 18,195 bytes | MD5: 0x1E64DAAA3D567DF1D82862931682AF12; SHA-1: 0x54702D7141E085DF9B1468D0CF8418FE2E4DE8D5 | Backdoor:IRC/Cloner.B [Microsoft] |
| 15 | %System%\wlm.jpg | 39,642 bytes | MD5: 0xAAB489DD39A244CFA5CF0754A775EA61; SHA-1: 0x788F73F5FDF460650379FCC31E9DFE84FD1A97D7 | (not available) |
| 16 | %System%\yes.jpg | 14,106 bytes | MD5: 0xDE43344B28B3A132DB47A5EC05C6B306; SHA-1: 0x681928D3DDFABED85EEFF0B618ECB10152428AB3 | (not available) |
Memory Modifications

| Process Name | Process Filename | Main Module Size |
| --- | --- | --- |
| mirc.exe | %System%\mirc.exe | 1,892,352 bytes |
| irsetup.exe | %Temp%\_ir_sf7_temp_0\irsetup.exe | 1,208,320 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 73,728 bytes |

| Module Name | Module Filename | Host Process | Host Process Filename | Address Space |
| --- | --- | --- | --- | --- |
| softwares.dll | %System%\softwares.dll | mirc.exe | %System%\mirc.exe | 0x1960000 - 0x196A000 |
| uinput.dll | %System%\uinput.dll | mirc.exe | %System%\mirc.exe | 0x63400000 - 0x63409000 |

Registry Modifications

Other details
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2009 ThreatExpert. All rights reserved.