Backdoor.IRC.Sticy.A

Spreading: very low
Damage: very low
Size: 730 KB
Discovered: 2005 Jan 20

SYMPTOMS:

On Windows NT/2000/XP: Task Manager reveals TWO processes named "taskmgr.exe" (one is the actual Task Manager and the other is a hidden instance of mIRC).

TECHNICAL DESCRIPTION:

This IRC backdoor has been sent to many addresses in email messages like the following:


Reply-to:
From: "The Company Of BitDefender"
Subject: BitDefender Company
Date: Tue, 18 Jan 2005 05:30:14 -0800

Hello,
We send you the best antivirus BitDefender ... please copy the software and have more security
on your computer;
Please copy this product from http://www.[...].ro/ and send us an email at
support@bitdefender.com and we can give you your cdkey product to register it!

Download Link1 : http://www.[...].ro/Film.exe
Download Link2 : http://www.[...].ro/Poze.exe

Greetings Tnx to : John Myle , Goordon Freeman & Bitman Forgivn



Film.exe is a WinRAR self-extracting archive. When run, it extracts mIRC (a popular IRC client), the malicious mIRC scripts and two DLLs (one for encryption/decryption and one for process/window hiding) into C:\WINDOWS\inf\digital. It then runs the extracted file taskmgr.exe (mIRC) and hides its window and its process (from the Windows 9x Task Manager).

The scripts cause mIRC to connect to Undernet (with a nick chosen randomly from a list in nick.db and a hardcoded name that advertises a website) and join two channels. It then accepts commands from an authenticated user; these commands include:

- setting voice/op/ban rights for other users on specified channels;
- sending messages to other users;
- even a "help" command that reports the accepted commands.

The script also modifies win.ini to run the trojanized mIRC at startup.

Most of the nicks in the list are Romanian. Texts in the script are in Romanian. The people on the channels joined by the infected users are Romanian. The origin is obvious.
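
The indicators described above (a taskmgr.exe running from C:\WINDOWS\inf\digital, a second taskmgr.exe process, and a win.ini startup entry) can be checked with a short script. This is an added example, not BitDefender's removal tool or code from the original page; the win.ini key names (load=/run= under [windows]) and the sample data are assumptions, since the description does not say which entry the script writes.

```python
import ntpath
import re

# Paths come from the description above. The win.ini keys are an assumption:
# load=/run= under [windows] are the legacy Windows autostart entries.
DROP_DIR = r"c:\windows\inf\digital"
LEGIT_TASKMGR_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def win_ini_autoruns(ini_text):
    """Return programs listed (space/comma separated) under load=/run= in [windows]."""
    programs, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            programs += [p.strip('"') for p in re.split(r"[,\s]+", value.strip()) if p]
    return programs


def find_indicators(ini_text, processes):
    """processes: iterable of (pid, image_path). Returns a list of findings."""
    findings = []
    for prog in win_ini_autoruns(ini_text):
        if ntpath.normcase(ntpath.dirname(prog)) == DROP_DIR:
            findings.append(("win.ini autorun", prog))
    taskmgrs = [(pid, p) for pid, p in processes
                if ntpath.basename(p).lower() == "taskmgr.exe"]
    for pid, path in taskmgrs:
        if ntpath.normcase(ntpath.dirname(path)) not in LEGIT_TASKMGR_DIRS:
            findings.append(("taskmgr.exe outside system32", f"{pid}:{path}"))
    if len(taskmgrs) > 1:
        findings.append(("multiple taskmgr.exe", str(len(taskmgrs))))
    return findings


# Constructed sample data, not captured from an infected host.
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\inf\\digital\\taskmgr.exe\n[fonts]\n"
SAMPLE_PROCS = [(412, r"C:\WINDOWS\system32\taskmgr.exe"), (640, r"C:\WINDOWS\explorer.exe"),
                (1288, r"C:\WINDOWS\inf\digital\taskmgr.exe")]

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_INI, SAMPLE_PROCS), sep="\n")
```

The simple splitting of load=/run= values does not handle program paths that contain spaces; the drop path named in this description contains none.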

Removal instructions:

1) Close ALL mIRC instances
2) Run the removal tool
3) Reboot Windows

ANALYZED BY:

BitDefender Virus Research Lab

© 2010 BitDefender
