Well, just one virus for today. :)


caleb_yee
24-08-03, 16:24
Backdoor.IRC.RPCBot is a Backdoor Trojan Horse that gives its creator full control of your computer. The Trojan's creator can also instruct the Trojan to use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself.

Once it's executed... you get this... The files associated with Backdoor.IRC.RPCBot are:
Click.exe (32,768), which is a Hacktool
SFind.exe (266,752), which is a Hacktool
Wmpx.exe (43,383), which is a Hacktool.DoS
WinOLE.exe (572,928), which is a Trojan Horse

The following components are detected as Backdoor.IRC.RPCBot:
Deploy.bat (274)
Unrar.bat (169)
Wx11.bat (109)
Wx12.bat (194)
Start.dll (6,153), which is an IRC script file
Jesus.dll (4,254), which is an IRC script file
LucomServer.dll (802), which is an IRC script file
Msoft.dll (206), which is an IRC script file
Users.dll (75,017), which contains many IRC nicknames
Reg.reg (773)
Service.txt (176)
Wx12.exe (19,618), which the Trojan uses to exploit the DCOM RPC vulnerability
Bot.rar, which is a rar file that contains all the components of the Trojan

The following components are clean utilities that the Trojan uses. Therefore, Symantec antivirus products do not detect them. If the threat infected your computer, you can manually delete them if desired:
Bnc.cfg (76)
Cygwin1.dll (971,080)
Drvx.dll (2,853)
Clear.exe (28,672)
CRC.exe (24,096)
Dhcpp.exe (69,632)
Events.exe (134,656)
Nctl.exe (569,344)
Pslist.exe (49,152)
Q019204.exe (21,584)
Service.exe (63,488)
UnRAR.exe (194,048)

When Backdoor.IRC.RPCBot runs, it does the following:

Creates the folder, C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS, and copies Bot.rar into this folder.

Runs WinOLE.exe as a service. WinOLE.exe is a patched mIRC client program, and hooks the IRC file extensions in HKEY_LOCAL_MACHINE\Software\Classes, which call WinOLE.exe when chat files are opened.

Runs the file, Dhcpp.exe, which is a TFTP server.

Runs the file, Nctl.exe, which is an FTP server.

Runs the file, Events.exe, which is an IRC proxying server.

Sets the following values:

"BaseDirectory"="C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS"
"TftpPort"="00000045"
"Hide"="00000001"
"WinSize"="00000000"
"Negociate"="00000000"
"DirText"="00000000"
"ShowProgressBar"="00000000"
"Timeout"="00000003"
"MaxRetransmit"="00000006"
"SecurityLevel"="00000000"
"UnixStrings"="00000000"
"LocalIP"=""
"Beep"="00000000"
"VirtualRoot"="00000000"
"Services"="00000003"
"TftpLogFile"=""
"SaveSyslogFile"=""

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\TFTPD32

Sets the value:

"DisableWebDAV"="00000001"

in the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

Sets the values:

"EnableDCOM"="N"
"EnableRemoteConnect"="N"

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

Connects to specified IRC servers and joins a channel to listen for commands from the Trojan's creator.

One such command is to exploit the DCOM RPC vulnerability: The Trojan connects to some randomly generated IP addresses to find computers that are listening at TCP port 135. Once the computer is found, it sends specially formed data, which exploits the DCOM RPC vulnerability, to that computer.

If the Trojan is successful, it may create a folder:

C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS

and TFTP its components, bot.rar, unrar.bat, and unrar.exe, to the computer, and then runs itself there.

Removal instructions are here... tricky too
1. Update the virus definitions.
2. Restart the computer in Safe mode or VGA mode.
3. Run a full system scan and delete all the files detected as viral. Delete all the files in the following folder, and then remove the folder:

   C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS

4. Reverse the changes that were made to the registry.

More details..refer to Removal Details (http://www.tombraiderforums.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=9;t=003986)

Alright, I gotta see that doctor today....
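An added detection example (not from the post above or from Symantec's writeup) for the spreading behaviour it describes: the bot probes random IP addresses on TCP port 135 and, after a successful exploit, the new victim pulls bot.rar, unrar.bat and unrar.exe back over TFTP (the "TftpPort" value 00000045 is hex for UDP port 69). The script parses constructed firewall-style log lines and flags hosts whose outbound TCP/135 fan-out looks like scanning, then lists TFTP pulls that go back to those hosts; the log format and field names are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not real traffic): time src dst proto dport action
SAMPLE_LOG = """\
2003-08-24T16:20:01 10.0.0.5 10.0.3.17 tcp 135 allow
2003-08-24T16:20:01 10.0.0.5 172.16.8.2 tcp 135 allow
2003-08-24T16:20:02 10.0.0.5 192.168.44.9 tcp 135 deny
2003-08-24T16:20:02 10.0.0.5 10.9.1.1 tcp 135 allow
2003-08-24T16:20:03 10.0.0.5 10.200.3.3 tcp 135 deny
this line is malformed and must be skipped
2003-08-24T16:20:04 10.0.3.17 10.0.0.5 udp 69 allow
2003-08-24T16:20:05 10.0.0.7 10.0.0.1 tcp 135 allow
2003-08-24T16:20:06 10.0.0.7 10.0.0.1 tcp 445 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\w+) (?P<dport>\d+) (?P<action>\w+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def find_rpc_scanners(events, min_targets=4):
    """Sources that touched at least min_targets distinct hosts on TCP/135 (DCOM RPC).
    One host talking to one RPC endpoint is normal; fan-out to many is the scan pattern."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 135:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_tftp_pulls(events, scanners):
    """(victim, scanner) pairs where a scanned host later fetched something over UDP/69
    from the scanning host, matching the bot.rar / unrar.bat / unrar.exe TFTP stage."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["proto"] == "udp" and e["dport"] == 69 and e["dst"] in scanners})
```

Tune `min_targets` to the network: the random-IP probing in the writeup produces fan-out that legitimate DCOM clients do not, but a domain controller or management host can legitimately reach many RPC endpoints.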