Taken From: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html
Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.
Also Known As: Worm.Win32.Randon.o [Kaspersky]
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:
1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
* sample.bin (detected as Backdoor.Trojan)
* DivXinstall.bat (detected as Trojan Horse)
* DecodeDivX.exe (detected as Hacktool.DoS)
* nacs.exe (detected as Hacktool)
* DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
* Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
* DelDivX.exe (Process viewer. This utility is not viral by itself.)
* Divx.exe (Remote execution utility. It is not viral by itself)
* helptoo.txt (Text file that includes a username. It is not malicious itself.)
* helpuse.txt (Text file that includes a username and password. It is not malicious itself.)
* DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself.)
Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
2. Adds the value:
"DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when you start or restart Windows.
3. Adds the values:
* "DisplayName"="mIRC"
* "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Note: If the mIRC subkey does not exist, the Trojan will create it.
4. Adds the value:
"(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"
to the following registry keys:
* HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
* HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command
so that c:\program files\common files\oobe\divx player 7.0\dr.divx.exe is launched whenever an IRC or chat file is opened.
5. Creates the following subkeys:
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec
6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.
7. By default, the Trojan allows the hacker to perform any of the following actions:
* Download and execute files.
* Perform Denial of Service (DoS) attacks against predetermined targets.
* Attempt to compromise other machines through open shares or weak passwords.
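The following read-only PowerShell check is an added example, not part of the Symantec advisory or the ARNIT page: it walks the artifacts listed in steps 1 to 6 above (the dropped files, the Run value, the fake mIRC uninstall entry, the hijacked ChatFile/irc associations and ddeexec subkeys, and the running process) and reports which are present. Paths and value names come from the advisory; the output format and the assumption that it runs from an elevated prompt on the affected host are this example's own.

```powershell
# Added detection example for Backdoor.IRC.Aladinz.G artifacts (not from the advisory).
# Read-only: it only queries the file system, registry and process list.

$dropFolder   = Join-Path $env:ProgramFiles 'Common Files\OOBE\DivX Player 7.0'
$droppedFiles = @('sample.bin', 'DivXinstall.bat', 'DecodeDivX.exe', 'nacs.exe',
                  'DrDivXRegistration.exe', 'Dr.DivX.exe', 'DelDivX.exe',
                  'Divx.exe', 'helptoo.txt', 'helpuse.txt', 'DivX.ini')

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Step 1: dropped files in the fake DivX Player folder
foreach ($f in $droppedFiles) {
    $p = Join-Path $dropFolder $f
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p 'dropped file present' }
}

# Step 2: autostart value under the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['DivX MediaPlayer 7.0']) {
    Add-Finding 'Registry' "$runKey\DivX MediaPlayer 7.0" $run.'DivX MediaPlayer 7.0'
}

# Step 3: bogus "mIRC" uninstall entry pointing at Dr.DivX.exe
$uninstKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC'
$uninst = Get-ItemProperty -Path $uninstKey -ErrorAction SilentlyContinue
if ($uninst -and $uninst.UninstallString -match 'Dr\.DivX\.exe') {
    Add-Finding 'Registry' "$uninstKey\UninstallString" $uninst.UninstallString
}

# Steps 4 and 5: hijacked ChatFile / irc handlers (default value) and ddeexec subkeys
$assocKeys = @(
    'Registry::HKEY_CLASSES_ROOT\ChatFile\DefaultIcon',
    'Registry::HKEY_CLASSES_ROOT\ChatFile\Shell\open\command',
    'HKLM:\Software\Classes\irc\DefaultIcon',
    'HKLM:\Software\Classes\irc\Shell\open\command'
)
foreach ($k in $assocKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -and $v.'(default)' -match 'dr\.divx\.exe') {   # -match is case-insensitive
        Add-Finding 'Registry' "$k\(Default)" $v.'(default)'
    }
}
foreach ($k in @('Registry::HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec',
                 'HKLM:\Software\Classes\irc\Shell\open\ddeexec')) {
    if (Test-Path -Path $k) { Add-Finding 'Registry' $k 'ddeexec subkey exists' }
}

# Step 6: the renamed mIRC client running in the background
Get-Process -Name 'Dr.DivX' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' "PID $($_.Id)" $_.Path
}

if ($findings.Count -eq 0) { 'No Backdoor.IRC.Aladinz.G artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit on the Run value, the uninstall entry or the file associations is a strong indicator on its own, since legitimate DivX or mIRC installs do not write a DivX-named player into the OOBE folder or register it as the handler for .irc and .chat files; a hit only on DelDivX.exe or Divx.exe (the non-viral utilities) should be corroborated against the other items before acting.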
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

on August 28, 2007, 2:26 pm