Malware and threats description

Computer threads and malicious software description

IRCBot.GNS

2013-02-10

Aliases: Backdoor:W32/IRCBot.GNS; Backdoor.Win32.IRCBot.dig; Backdoor:W32/IRCBot.GNS; Worm/IrcBot.96950; Worm:Win32/Pushbot.EA

Category: Malware

Parameters: Size: 96950; Type: Backdoor; Platform: W32

Short description

W32/IRCBot.GNS is a Trojan horse with a backdoor inside.

Backdoors are programs which allows of remote hacker to access the infected system and to executes commands.

Long description

W32/IRCBot.GNS comes in the system as dropped by other malware.

When started it creates own copy in:

windir%\mservice.exe

Note: %windir% is Windows folder, usually C:\Windows\

It creates entry point in the registry.

The malware tries to connect with the following IRC server and to join in the channel #pBot:

http.xn--mg-kka.com:[removed]/TCP

The The presence of outgoing traffic to that address is the presence of symptoms of infection.

It creates the following records in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MSN = C:\Windows\mservice.exe

Creates also the following file:

%windir%/mservice.exe

W32/IRCBot.GNS activities are:

  • DDoS to certain IP;
  • downloads and starts files;
  • spreading by MSN and AIM protocols;
  • sets IE to remember passwords on the infected system;
  • self-updating