A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1038  by Evilcry
 Sat May 08, 2010 7:44 am
Hi,

Here is a fresh (network activity still active) sample of Backdoor.Win32.IRCBot!IK.
Sandbox behaviour summary (severity in brackets):

- Autostart capabilities [medium]: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer [medium]: This system alteration could seriously affect safety surfing the World Wide Web.
- Creates files in the Windows system directory [medium]: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
- Joins IRC Network [high]: The executable connects to an IRC network, most probably functioning as a zombie in a botnet.
- Performs File Modification and Destruction [high]: The executable modifies and destructs files which are not temporary.
- Spawns Processes [low]: The executable produces processes during the execution.
- Performs Registry Activities [medium]: The executable reads and modifies registry values. It may also create and monitor registry keys.
Some details on the file system modifications:

1. %ProgramFiles%\infocard.exe
   %Windir%\infocard.exe
2. %ProgramFiles%\mds.sys
   %ProgramFiles%\mdt.sys
   %Windir%\mds.sys
   %Windir%\mdt.sys
3. %ProgramFiles%\winbrd.jpg

The sample is in the attachment, password: malware

Have a nice Day,
Giuseppe 'Evilcry' Bonfa'
 #1040  by Evilcry
 Sat May 08, 2010 9:23 am
Yes, this malware is not advanced but contains interesting pieces; it could be that I'll write something on this.