Win32/IRCBot [Threat Name] go to Threat

Win32/IRCBot.OV [Threat Variant Name]

Category trojan
Size 19976 B
Aliases (Kaspersky)
  W32/IRCbot.worm.gen.virus (McAfee)
  Backdoor:Win32/Sdbot.gen (Microsoft)
  Backdoor.IRC.Bot (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %system%\­remote.exe

The trojan registers itself as a system service using the following name:

  • RpcRemote

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows Update" = "%sysdir%\­remote.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­RunServices]
    • "Windows Update" = "%sysdir%\­remote.exe"

This way the trojan ensures that the file is executed on every system start.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mousebm]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mousemm]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mousesync]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­ssl]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wpa]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wupnp]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­wudpcom]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­NetBT\­Parameters]
    • "SMBDeviceEnabled" = 0
Information stealing

The trojan collects the following information:

  • computer IP address
  • type of Internet connection
  • operating system version
  • computer name
  • user name
  • memory status

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. It tries to connect to remote machines to ports:

  • 5262

The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • open a specific URL address
  • uninstall itself
  • update itself to a newer version
  • open the CD/DVD drive
  • log off the current user
  • shut down/restart the computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.