
Thread: Heads Up *IRC-BBOT* Trojan

  1. #1
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Boston, MA

    Heads Up *IRC-BBOT* Trojan

    Trojan Name: IRC-BBot
    Risk Assessment:
    Corporate User: Low
    Home User: Low

    Trojan Information
    Discovery Date: 07/29/2003
    Origin: Unknown
    Length: Varies
    Type: Trojan
    SubType: Remote Access
    Minimum DAT: 4281
    Release Date
    Minimum Engine: 4.1.60
    Description Added: 07/29/2003
    Description Modified: 07/29/2003 5:21 PM (PT)

    Trojan Characteristics:
    McAfee users have been proactively detected from this threat since the release of the 4245 DAT files 6 months ago; provided the 4.2.40+ scan engine is used with program heuristics and scanning of compressed executables enabled.
    This is an IRC bot trojan. When run, it installs itself on the local system, contacts a remote IRC server, joins a specified channel, and awaits further instruction from an attacker. This bot contains a long list of strings to scan for various vulnerabilities. A new release of this bot was created to exploit the recent RPC Interface Buffer Overflow (7.17.03) vulnerability.

    When run, the trojan installs itself as a service:

    Name: ctrmons
    Display name: Office XP Alternative User Input features.
    Description: Monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

    Full details are found in the registry:

    The bot contains a keylogger, which captures typed keystrokes and Window titles to the file webcldt.dll in the WINDOWS SYSTEM (%SysDir%) directory.
    Other functionality includes:

    IRC functions (say, join, part, kick, etc)
    Executing console commands
    Retrieve system information (IP address, uptime, Windows version, CPU, RAM, etc)
    Reboot the system
    Initiate a Denial of Service attack
    Vulnerability scan (Web Server Folder Traversal vulnerability, WebDAV, weak username/password combinations on FTP and Windows shares, etc)
    Download/execute files

    *FROM http://vil.nai.com/vil/content/v_100517.htm*
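
As an added example (not part of the original post or the vendor advisory): a small triage check for the host indicators the advisory names, the `ctrmons` service, its display name, and the `webcldt.dll` keylog file. It assumes you have saved `sc query` text output and a file listing from the host; the function names and sample input are constructed for illustration, and the display-name-only match is a heuristic assumption, not something the advisory states.

```python
import ntpath

# Indicators taken from the advisory text quoted in the post above.
SERVICE_NAME = "ctrmons"
DISPLAY_NAME = "Office XP Alternative User Input features."
KEYLOG_FILE = "webcldt.dll"  # keystroke log written to %SysDir%


def parse_sc_query(text):
    """Parse `sc query` text output into a list of {name, display} dicts."""
    services, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = {"name": value, "display": ""}
            services.append(current)
        elif key == "DISPLAY_NAME" and current is not None:
            current["display"] = value
    return services


def find_indicators(sc_text, file_paths):
    """Return (kind, value) findings; Windows names compare case-insensitively."""
    wanted_display = DISPLAY_NAME.rstrip(".").lower()
    findings = []
    for svc in parse_sc_query(sc_text):
        if svc["name"].lower() == SERVICE_NAME:
            findings.append(("service-name", svc["name"]))
        elif svc["display"].rstrip(".").lower() == wanted_display:
            # Assumption: same display name under another service name
            # is worth a manual look (possible renamed variant).
            findings.append(("display-name-only", svc["name"]))
    for path in file_paths:
        if ntpath.basename(path).lower() == KEYLOG_FILE:
            findings.append(("keylog-file", path))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_SC = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        STATE              : 4  RUNNING

SERVICE_NAME: CTRMONS
DISPLAY_NAME: Office XP Alternative User Input features.
        STATE              : 4  RUNNING
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\WINDOWS\system32\WebCldt.DLL"]

if __name__ == "__main__":
    for kind, value in find_indicators(SAMPLE_SC, SAMPLE_FILES):
        print(f"{kind}: {value}")
```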

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    OKAY.........this is a virus alert from an AV company..................If you are aware you will be subscribed to at least one of these.......I wonder if we really need to post them "verbatim".....only if we have any comments or observations, that might add to the cold hard facts?

    I guess you mean well, but you really are wasting space...............I suspect that people who read ANTI ONLINE are aware of the usual problems?


  3. #3
    Senior Member
    Join Date
    Feb 2002
    I think he's just following the examples set by the community. Every day or 2 I see at least one of the advisories. No one ever complained before; perhaps it is wasting space, but someone may find it useful. Especially if they are searching AO for a specific unknown file or reg key that may be related to this post... Just my opinion...
    Ron Paul: Hope for America

  4. #4
    Join Date
    Jul 2003
    Not everyone knows a lot about IRC, and I think Cybr1d posting the IRC trojan warning was a good idea. Yes, it may be taking up space, but you never know when someone will come along and read this and think, "I didn't know about that, so I should be out on the lookout," and hopefully subscribe to antivirus warnings from their vendor.
