Heads Up*Trojan**Backdoor.IRC.Cirebot
Results 1 to 2 of 2

Thread: Heads Up*Trojan**Backdoor.IRC.Cirebot

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002

    Exclamation Heads Up*Trojan**Backdoor.IRC.Cirebot

    Hi Guys..
    As per my usual Heads up.. only Higher risk Threats are listed here.. ie Symantec's Cat 2 or higher.
    I am already a Post Whore so I won't post every new virus/worm/trojan/threats.. or I would be booted from this board..

    For this one.. How well Patched is your WindBloze System.. sry Windoze

    Symantec Info Page


    This ones entry is due to its damage capability and Distribution Capability.

    Threat Assesment
    Wild:- Low
    Damage:- Medium
    Distribution:- Medium


    Ports: opens a remote shell on port 57005
    Target of infection: IP addresses starting with 4, 12, 24, 64, 65, 68, 128,165, 208, 211, 213,217,218, or 220.

    Number of infections: 0 - 49
    Number of sites: 0 - 2
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Moderate
    Summary of Threat
    Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.

    Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe.
    Signs that a network is being attacked: traffic on port 445 to sequential IP addresses.
    Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69.

    Technical Details
    Backdoor component:

    lolx.exe or dcomx.exe (26144 bytes) -- a backdoor trojan horse based on Sdbot.

    Like all IRC trojans, it connects to irc, joins a channel, and waits for commands. Its capabilities include the following:

    Using ICQ to send a notification message when the backdoor is started
    Downloading and executing files.
    Killing running processes.
    Dynamically updating the installed Trojan.
    Performing Denial of Service (DoS) attacks.
    Stealing CD keys.
    "Securing" the machine by removing network shares.
    Logging keystrokes.
    Attacking other systems using various exploits.

    Hacktool component:

    The tool consists of the following files:

    worm.exe (113507 bytes) -- an installer which creates


    You may want to read about the Security Bulliten And here from MS that relates to this.

    This threat is listed on the other AV Sites as:-
    None noted at this time.. 10:35hrs UTC August 3rd

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Senior Member DeadAddict's Avatar
    Join Date
    Jun 2003
    Thanks for the heads up I will pass this on to other people

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts