Win32/IRCBot [Threat Name]

Win32/IRCBot.AGP [Threat Variant Name]

Category trojan
Size 64000 B
Detection created Jun 02, 2008
Detection database version 3151
Aliases Backdoor.Win32.IRCBot.fnn (Kaspersky)
  MultiDropper-RY (McAfee)
  Trojan.Injector.AF (BitDefender)
Short description

Win32/IRCBot.AGP is an IRC-controlled backdoor.

Installation

When executed, the backdoor copies itself into the %windir% folder using the following name:

  • winrofl32.exe (64000 B)

In order to be executed on every system start, the backdoor sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows UDP Control Center" = "winrofl32.exe"

The backdoor displays a fake error message:

Spreading via IM networks

The backdoor sends links to AIM (AOL Instant Messenger), AOL Triton and MSN Messenger users.

If the link is clicked, a copy of the backdoor is downloaded.


Other information

Win32/IRCBot.AGP is an IRC-controlled backdoor.


The backdoor acquires data and commands from a remote computer or the Internet.


The backdoor connects to the following address:

  • zenaz.dalnetirc.net

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • spread via IM networks

The backdoor may create copies of itself using the following filenames:

  • %windir%\winrofl32.exe_ (64000 B)
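
A host check for the persistence and file indicators described above, as an added example that is not part of the original description or the vendor's tooling. The function name and output fields are this example's own, and the WOW6432Node key is an assumption added to cover 32-bit registry redirection on 64-bit Windows; it is not listed on this page.

```powershell
function Test-IRCBotAgpIndicators {
    param([string]$WindowsDir = $env:windir)

    $findings = @()

    # Run value name and data as listed on this page.
    $valueName = 'Windows UDP Control Center'
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Assumption (not on the page): 32-bit view on 64-bit Windows.
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $run = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($run) {
            $data = [string]$run.$valueName
            $findings += [pscustomobject]@{
                Indicator = 'RunValue'
                Location  = "$key\$valueName"
                Detail    = $data
                # True when the value data points at the file name from this page.
                Match     = ($data -match '(?i)winrofl32\.exe')
            }
        }
    }

    # Copies in %windir%: winrofl32.exe and winrofl32.exe_, 64000 bytes each.
    foreach ($name in 'winrofl32.exe', 'winrofl32.exe_') {
        $path = Join-Path $WindowsDir $name
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) {
            $findings += [pscustomobject]@{
                Indicator = 'File'
                Location  = $file.FullName
                Detail    = "$($file.Length) bytes"
                # Size is reported, not required: a file with this name is worth review either way.
                Match     = ($file.Length -eq 64000)
            }
        }
    }

    $findings
}

# An empty result means none of the listed indicators were found on this host.
Test-IRCBotAgpIndicators | Format-Table -AutoSize
```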
