91.113.89.62 (talk) No edit summary

{{Unreferenced|date=May 2007}}

{{Orphan|date=October 2007}}

{{howto}}

'''Backdoor.Win32.IRCBot''' is a [[computer worm]]/[[Backdoor (computing)|backdoor]] that is spread through [[MSN Messenger]] and [[Windows Live Messenger]] by downloading photo album.zip from someone. It can be recognised because the person says one of the following:

*Lmfao hey im sending my new photo album, Some bare funny pictures!
*lol my sister wants me to send you this photo album
*Hey i been doing photo album! Should see em loL! accept please mate :)
*HEY lol i've done a new photo album !:) Second ill find file and send you it.
*Hey wanna see my new photo album?
*looooooooooooooooooooooooooooooooooooooo!! :p
*OMG just accept please its only my photo album!!
*Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
*Hey just finished new photo album! :) might be a few nudes ;) lol...
*hey you got a photo album? anyways heres my new photo album :) accept k?
*hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
*hey, is this really you?
*hey, looks as your image or ?
*foto????

Inside is a '.pif' file called photo album2007 or a '.scr' file called photos_2007.

It connects you to one of the following IRC servers:

*darkjester.xplosionirc.net
*cc.xerhosts.net
*free8.bis:8080
*john.free4people.net:80

and posts a message, IMStart, which is an invitation to connect to the victim's computer. When connected, the attacker can send the worm to more people and control the victim's PC. However, there is a flaw: as [[MSN Messenger]] does not allow you to send whole files, instead of spreading, the victim will get a lot of dialogue boxes saying: "you cannot send a folder, please send one file at a time." Therefore the worm needs [[Windows Live Messenger]] to spread.

NOTE: Upon downloading, this virus hides itself and begins downloading more viruses. If you contract this virus from MSN, an easy thing to do is turn off your cable box/modem (the one with the flashing lights that say internet/receive/power/etc.), then run a few scans. If you, say, go to school and leave the box on all day, when you get home your computer will be GUARANTEED so slow it will aggravate you.

In April 2008, one variant was delivering its virus payload as a file named "IMG00231[1].JPG-www.imageupload.com" from sites photogallery.gigacities.net and album.gigacities.net (See the McAfee Site Advisor post at [http://www.siteadvisor.com/sites/gigacities.net/postid?p=823036] ). The MSN Messenger message says "hey, is this your picture ?! h t t p://album.gigacities.net/email.php?=YOURe-mail@hotmail.com" [DO NOT FOLLOW THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING AND WANT TO HARVEST THIS FILE]. This link delivers the MSN virus / worm payload as an MS-DOS .com application (with Size 39,424 bytes and Size on disk: 40,960 bytes). As of 11 APR 2008, Symantec Endpoint Protection does NOT detect this version of the worm.

In November 2008, another variant was spotted which directs victims to h t t p://www.hi5.eu.com/id.php?=email@example.com with the message "foto????" [DO NOT FOLLOW THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING AND WANT TO HARVEST THIS FILE].

Also the following link could be seen by me: h t t p://msnvids.ohost.de/play.php?=email@example.com with the message "haha". The site linked shows a Flash-like loading screen to the visitor and some links for installing the latest flash version. Additionally it tries to run an unsigned "Java_Plugin". After some time it says you would not have the latest flash version installed and asks you to download an install_flash_player.exe which is located at h t t p://www.freewebtown.com/flashplayers/install_flash_player.exe (49.714 Bytes). This file contains a trojan horse!!! [DO NOT FOLLOW THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING AND WANT TO HARVEST THIS FILE]

==External links==

* FixMyIM's ''[http://fixmyim.com/Category:IRCBot_variants IRCBot Variants]'' entry at [http://fixmyim.com FixMyIM]
* McAfee Site Advisor [http://www.siteadvisor.com/sites/gigacities.net/postid?p=823036]
* Post by blogger Alex [https://www.blogger.com/comment.g?blogID=11308999&postID=7470025591045129239&page=1]

{{malware-stub}}

(22 intermediate revisions by 19 users not shown)

Ghirnatean (talk | contribs) Importing Wikidata short description: "Backdoor computer worm" (Shortdesc helper)

{{Short description|Backdoor computer worm}}

'''Backdoor.Win32.IRCBot''' (also known as '''W32/Checkout''' (McAfee), '''W32.Mubla''' (Symantec), '''W32/IRCBot-WB''' (Sophos), and '''Backdoor.Win32.IRCBot.aaq''' (Bydoon Center)<ref name="microsoft">[http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FIRCbot Microsoft Encyclopedia Entry: Backdoor:Win32/IRCbot] Retrieved February 24, 2011</ref>) is a [[Backdoor (computing)|backdoor]] [[computer worm]] that is spread through [[MSN Messenger]] and [[Windows Live Messenger]]. Once [[Installation (computer programs)|installed]] on a [[personal computer|PC]], the worm copies itself into a Windows [[system folder]], creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic [[Booting|startup]].<ref name="Seattle">[http://seattletimes.nwsource.com/html/businesstechnology/2003107486_bizbriefs06.html Seattle Times: Worm pretends it's Windows program] Retrieved February 24, 2011</ref> In addition, it attempts to send itself to all MSN contacts by offering an attachment named 'photos.zip'. Executing this file will install the worm onto the local PC. The Win32.IRCBot worm provides a backdoor [[Server (computing)|server]] and allows a remote intruder to gain access and control over the computer via an [[Internet Relay Chat]] channel.<ref name="microsoft" /> This allows for confidential information to be transmitted to a [[Hacker (computer security)|hacker]].

Because of a lack of standard naming conventions and also because of common features, variants of Win32.IRCBot can often be confused with the [[Agobot]] and [[Spybot worm|Spybot]] family of worms. For example, [[Sophos]] lists Backdoor.Win32.IRCBot.ul, W32/Poebot-JT worm, and Win32/IRCBot.TS as aliases of the W32/Gaobot.worm.gen.e worm, a member of the Agobot family.<ref>[http://www.sophos.com/security/analyses/viruses-and-spyware/w32poebotjt.html Sophos W32/Poebot-JT Win32 Worm]</ref>

==See also==

* [[Internet Relay Chat]]
* [[Comparison of Internet Relay Chat bots]]
* [[Malware]]
* [[Botnet]]
* [[Trojan horse (computing)]]

== References ==

{{reflist}}

{{malware-stub}}
Latest revision as of 12:06, 10 November 2021
Backdoor.Win32.IRCBot (also known as W32/Checkout (McAfee), W32.Mubla (Symantec), W32/IRCBot-WB (Sophos), and Backdoor.Win32.IRCBot.aaq (Bydoon Center)[1]) is a backdoor computer worm that is spread through MSN Messenger and Windows Live Messenger. Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic startup.[2] In addition, it attempts to send itself to all MSN contacts by offering an attachment named 'photos.zip'. Executing this file will install the worm onto the local PC. The Win32.IRCBot worm provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel.[1] This allows for confidential information to be transmitted to a hacker.
Because of a lack of standard naming conventions and also because of common features, variants of Win32.IRCBot can often be confused with the Agobot and Spybot family of worms. For example, Sophos lists Backdoor.Win32.IRCBot.ul, W32/Poebot-JT worm, and Win32/IRCBot.TS as aliases of the W32/Gaobot.worm.gen.e worm, a member of the Agobot family.[3]
See also
References
- ^ a b Microsoft Encyclopedia Entry: Backdoor:Win32/IRCbot Retrieved February 24, 2011
- ^ Seattle Times: Worm pretends it's Windows program Retrieved February 24, 2011
- ^ Sophos W32/Poebot-JT Win32 Worm