July 31st, 2003, 07:38 PM
#1
Heads Up *IRC-BBOT* Trojan
Trojan Name: IRC-BBot
Risk Assessment
- Corporate User: Low
- Home User: Low
Trojan Information
- Discovery Date: 07/29/2003
- Origin: Unknown
- Length: Varies
- Type: Trojan
- SubType: Remote Access
- Minimum DAT: 4281 (Release Date: 07/30/2003)
- Minimum Engine: 4.1.60
- Description Added: 07/29/2003
- Description Modified: 07/29/2003 5:21 PM (PT)
Trojan Characteristics:
McAfee users have been proactively detected from this threat since the release of the 4245 DAT files 6 months ago; provided the 4.2.40+ scan engine is used with program heuristics and scanning of compressed executables enabled.
This is an IRC bot trojan. When run, it installs itself on the local system, contacts a remote IRC server, joins a specified channel, and awaits further instruction from an attacker. This bot contains a long list of strings to scan for various vulnerabilities. A new release of this bot was created to exploit the recent RPC Interface Buffer Overflow (7.17.03) vulnerability.
When run, the trojan installs itself as a service:
Name: ctrmons
Display name: Office XP Alternative User Input features.
Description: Monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Full details are found in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctrmons
The bot contains a keylogger, which captures typed keystrokes and Window titles to the file webcldt.dll in the WINDOWS SYSTEM (%SysDir%) directory.
Other functionality includes:
- IRC functions (say, join, part, kick, etc.)
- Executing console commands
- Retrieve system information (IP address, uptime, Windows version, CPU, RAM, etc.)
- Reboot the system
- Initiate a Denial of Service attack
- Vulnerability scan (Web Server Folder Traversal vulnerability, WebDAV, weak username/password combinations on FTP and Windows shares, etc.)
- Download/execute files
*FROM http://vil.nai.com/vil/content/v_100517.htm*
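A host check for the indicators listed in the advisory above, as an added example that is not part of the original post or of McAfee's write-up. The service name, display name and log file name come from the post; the function name, the scan of all service keys and the "MZ" header heuristic are assumptions of this example.

```powershell
# Added example: look for the indicators named in the advisory above.
# Service name, display name and log file name come from the post; the
# function name and the "MZ" header heuristic are this example's own.
function Test-IrcBBotIndicators {
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string]$SystemDir    = [Environment]::SystemDirectory
    )
    $displayName = 'Office XP Alternative User Input features*'
    $findings = @()

    # Walk every service key so a renamed copy that kept the display name is
    # still caught (assumption: variants may change the key name).
    foreach ($key in Get-ChildItem -LiteralPath $ServicesRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($key.PSChildName -eq 'ctrmons' -or $p.DisplayName -like $displayName) {
            $findings += [pscustomobject]@{
                Indicator = 'Service'
                Location  = $key.Name
                Detail    = "DisplayName='$($p.DisplayName)'; ImagePath='$($p.ImagePath)'"
            }
        }
    }

    # The keylogger writes to webcldt.dll in the system directory. A real DLL
    # starts with the bytes "MZ"; a keystroke log will not.
    $log = Join-Path $SystemDir 'webcldt.dll'
    if (Test-Path -LiteralPath $log) {
        $item = Get-Item -LiteralPath $log -Force
        $header = 'unreadable'
        try {
            # Open shared so a file held open by another process can still be read.
            $fs = [System.IO.File]::Open($log, 'Open', 'Read', 'ReadWrite')
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            $fs.Close()
            $header = if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { 'MZ (PE file)' } else { 'not a PE file' }
        } catch { }
        $findings += [pscustomobject]@{
            Indicator = 'Keylog file'
            Location  = $log
            Detail    = "Size=$($item.Length); LastWrite=$($item.LastWriteTime); Header=$header"
        }
    }
    $findings
}

Test-IrcBBotIndicators | Format-List
```

Run it from an elevated prompt so that all service keys are readable; an empty result means none of the three indicators was found on the host.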