July 31st, 2003, 07:38 PM
Heads Up *IRC-BBOT* Trojan
Trojan Name: IRC-BBot
Risk Assessment, Corporate User: Low
Risk Assessment, Home User: Low
Discovery Date: 07/29/2003
SubType: Remote Access
Minimum DAT: 4281
Minimum Engine: 4.1.60
Description Added: 07/29/2003
Description Modified: 07/29/2003 5:21 PM (PT)
McAfee users have been proactively detected from this threat since the release of the 4245 DAT files 6 months ago; provided the 4.2.40+ scan engine is used with program heuristics and scanning of compressed executables enabled.
This is an IRC bot trojan. When run, it installs itself on the local system, contacts a remote IRC server, joins a specified channel, and awaits further instruction from an attacker. This bot contains a long list of strings to scan for various vulnerabilities. A new release of this bot was created to exploit the recent RPC Interface Buffer Overflow (7.17.03) vulnerability.
When run, the trojan installs itself as a service:
Display name: Office XP Alternative User Input features.
Description: Monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Full details are found in the registry:
The bot contains a keylogger, which captures typed keystrokes and Window titles to the file webcldt.dll in the WINDOWS SYSTEM (%SysDir%) directory.
Other functionality includes:
IRC functions (say, join, part, kick, etc)
Executing console commands
Retrieve system information (IP address, uptime, Windows version, CPU, RAM, etc)
Reboot the system
Initiate a Denial of Service attack
Vulnerability scan (Web Server Folder Traversal vulnerability, WebDAV, weak username/password combinations on FTP and Windows shares, etc)
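A host check built from the indicators the advisory above lists (the service display name and description, and the keylog file webcldt.dll in %SysDir%), as an added example that is not part of the original post or of McAfee's advisory. The function name, its parameters and the sample records are hypothetical and constructed; the match ignores case and a trailing period, since the advisory text does not make clear whether the period belongs to the display name.

```powershell
# Added example: checks only the indicators named in the advisory text.
function Find-BBotIndicator {
    param(
        # Objects shaped like Win32_Service (Name, DisplayName, Description, PathName).
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service),
        [string]$SystemDir = [Environment]::SystemDirectory
    )
    # Collapse whitespace, drop a trailing period, lower-case before comparing.
    $norm = { param($s) ("$s" -replace '\s+', ' ').Trim().TrimEnd('.').ToLowerInvariant() }
    $wantName = & $norm 'Office XP Alternative User Input features.'
    $wantDesc = & $norm 'Monitors the active windows and provides text input service support'

    foreach ($svc in $Services) {
        $hits = @()
        if ((& $norm $svc.DisplayName) -eq $wantName) { $hits += 'DisplayName' }
        if ((& $norm $svc.Description).StartsWith($wantDesc)) { $hits += 'Description' }
        if ($hits.Count -gt 0) {
            # The advisory does not give the binary path, so report it for review.
            [pscustomobject]@{
                Indicator = 'Service'
                Matched   = $hits -join ','
                Detail    = "$($svc.Name) -> $($svc.PathName)"
            }
        }
    }

    # Keystroke log the advisory places in the Windows system directory.
    $log = Join-Path $SystemDir 'webcldt.dll'
    if (Test-Path -LiteralPath $log -PathType Leaf) {
        $f = Get-Item -LiteralPath $log -Force
        [pscustomobject]@{
            Indicator = 'KeylogFile'
            Matched   = 'Path'
            Detail    = '{0} ({1} bytes, modified {2:u})' -f $f.FullName, $f.Length, $f.LastWriteTimeUtc
        }
    }
}

# Constructed sample records (not real inventory); the second should be flagged.
$sample = @(
    [pscustomobject]@{ Name = 'svc-a'; DisplayName = 'Print Spooler'
        Description = 'Constructed benign entry.'; PathName = 'C:\placeholder\a.exe' },
    [pscustomobject]@{ Name = 'svc-b'; DisplayName = 'office xp alternative user input features'
        Description = ''; PathName = 'C:\placeholder\unknown.exe' }
)
Find-BBotIndicator -Services $sample -SystemDir ([IO.Path]::GetTempPath())
```

Calling `Find-BBotIndicator` with no arguments queries the live service list and the real system directory instead of the sample.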
July 31st, 2003, 08:10 PM
OKAY.........this is a virus alert from an AV company..................If you are aware you will be subscribed to at least one of these.......I wonder if we really need to post them "verbatim".....only if we have any comments or observations, that might add to the cold hard facts?
I guess you mean well, but you really are wasting space...............I suspect that people who read ANTI ONLINE are aware of the usual problems?
July 31st, 2003, 09:22 PM
I think he's just following the examples set by the community. Every day or 2 I see at least one of the advisories. No one ever complained before, perhaps it is wasting space, but someone may find it useful. Especially if they are searching AO for a specific unknown file or reg key that may be related to this post... Just my opinion...
July 31st, 2003, 09:49 PM
Not everyone knows a lot about IRC and I think Cybr1d posting the IRC trojan warning was a good idea and yes it may be taking up space but you never know when someone will come along and read this and think I didn't know about that so I should be out on the lookout and hopefully subscribe to Antivirus warnings from their Vendor.