IRC/Cloner [Threat Name]

IRC/Cloner.CA [Threat Variant Name]

Category: trojan
Size: 983116 B
Aliases: Backdoor:IRC/Zapchast.BF (Microsoft)
         Trojan.ADH (Symantec)
         IRC:Zapchast-F (Avast)
         TR/IRC.Zapchast.NAF (Avira)
         Trojan.IRCBot.ABN (BitDefender)
Short description

IRC/Cloner.CA installs a backdoor that can be controlled remotely. The file is run-time compressed as a RAR SFX archive.

Installation

When executed, the trojan creates the following files:

  • C:\Windows\Temp\Cookies\aliases.ini (11 B)
  • C:\Windows\Temp\Cookies\away.txt (1086 B)
  • C:\Windows\Temp\Cookies\ch (0 B)
  • C:\Windows\Temp\Cookies\control.ini (61 B)
  • C:\Windows\Temp\Cookies\daemon.exe (1711616 B)
  • C:\Windows\Temp\Cookies\grup (338 B)
  • C:\Windows\Temp\Cookies\harin.exe (21504 B)
  • C:\Windows\Temp\Cookies\harout.exe (21504 B)
  • C:\Windows\Temp\Cookies\humulus.reg (1246 B, IRC/Cloner.CA)
  • C:\Windows\Temp\Cookies\ident.txt (6112 B)
  • C:\Windows\Temp\Cookies\jovial.bat (187 B, IRC/Cloner.CA)
  • C:\Windows\Temp\Cookies\mirc.ini (3144 B)
  • C:\Windows\Temp\Cookies\realname.txt (71546 B)
  • C:\Windows\Temp\Cookies\remote.ini (3013 B)
  • C:\Windows\Temp\Cookies\servers.ini (478 B)
  • C:\Windows\Temp\Cookies\starblind.mrc (1272 B, IRC/Cloner.CA)
  • C:\Windows\Temp\Cookies\stemb.ico (5694 B)
  • C:\Windows\Temp\Cookies\stevar.vbs (72 B)
  • C:\Windows\Temp\Cookies\trupero.mrc (14037 B, IRC/Cloner.CA)
  • C:\Windows\Temp\Cookies\users.ini (139 B)

The trojan creates the following folders:

  • C:\Windows\Temp\Cookies\download\
  • C:\Windows\Temp\Cookies\logs\
  • C:\Windows\Temp\Cookies\sounds\

The trojan runs the following processes:

  • C:\Windows\Temp\Cookies\jovial.bat
  • C:\Windows\Temp\Cookies\daemon.exe
  • C:\Windows\Temp\Cookies\stevar.vbs

The trojan executes the following command:

  • regedit /s C:\Windows\Temp\Cookies\humulus.reg

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "sounds" = "C:\Windows\Temp\Cookies\daemon.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sounds\Parameters]
    • "Application" = "C:\Windows\Temp\Cookies\daemon.exe"
    • "AppDirectory" = "C:\Windows\Temp\Cookies\daemon.exe"
  • [HKEY_CURRENT_USER\Software\mIRC\Channels]
  • [HKEY_CURRENT_USER\Software\mIRC\License]
    • "(Default)" = "3546-331847"
  • [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
    • "(Default)" = "0,4096"
  • [HKEY_CURRENT_USER\Software\mIRC\UserName]
    • "(Default)" = "PHTeam"

Other information

IRC/Cloner.CA installs a backdoor that can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.


The trojan connects to the following addresses:

  • irc.thisisfreedom.net:6667
  • irc.thisisfreedom.net:6669
  • my-station.us:6667
  • iclimb.com:6669
  • 82.76.255.62:6661
  • 94.125.182.255:6665
  • 194.109.20.90:6668
  • 208.83.20.130:6667
  • 95.141.29.22:6664

Communication with these addresses uses the IRC protocol.

It can execute the following operations:

  • run executable files
  • execute shell commands

The trojan displays a fake error message:
