Backdoor.IRC.Aladinz.G

Taken From: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html



Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.

Also Known As: Worm.Win32.Randon.o [Kaspersky]
    
Type: Trojan Horse

Infection Length: varies
    
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX

Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:

   1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
          * sample.bin (detected as Backdoor.Trojan)
          * DivXinstall.bat (detected as Trojan Horse)
          * DecodeDivX.exe (detected as Hacktool.DoS)
          * nacs.exe (detected as Hacktool)
          * DrDivXRegistration.exe (detected as Hacktool.HideWindow)
          * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
          * DelDivX.exe (Process viewer. This utility is not viral by itself.)
          * Divx.exe (Remote execution utility. It is not viral by itself.)
          * helptoo.txt (Text file that includes a username. It is not malicious itself.)
          * helpuse.txt (Text file that includes a username and password. It is not malicious itself.)
          * DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself.)

            Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
   2. Adds the value:

      "DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the Trojan starts when you start or restart Windows.

   3. Adds the values:
          * "DisplayName"="mIRC"
          * "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"

            to the registry key:

            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC

            Note: If the mIRC subkey does not exist, the Trojan will create it.
   4. Adds the values:

      "(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"

      to the following registry keys:
          * HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command

            so that c:\program files\common files\oobe\divx player 7.0\dr.divx.exe is launched whenever a chat (IRC) file is opened.

   5. Creates the following subkeys:
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec

   6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.

   7. By default, the Trojan allows the hacker to perform any of the following actions:
          * Download and execute files.
          * Perform Denial of Service (DoS) attacks against predetermined targets.
          * Attempt to compromise other machines through open shares or weak passwords.
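
As an added defender-side example (not part of the Symantec write-up), the following Python parses a registry export in .reg format and flags every value whose data points into the drop folder named above, classifying each hit by where it lives (Run key, chat/irc file handler, fake mIRC uninstall entry). The .reg text is constructed for the example; on a real host the same function can be run over the output of `reg export`.

```python
import re

# Drop folder named in the write-up, lower-cased for case-insensitive matching.
DROP_DIR = r"common files\oobe\divx player 7.0"
# Registry locations (lower-cased substrings) and what a hit there means.
REASONS = [("\\currentversion\\run", "Run-key persistence"),
           ("\\shell\\open\\command", "chat/irc file handler hijack"),
           ("\\uninstall\\", "fake mIRC uninstall entry")]

# Constructed .reg export (not from a real host): the entries the write-up
# lists plus one benign Run value as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DivX MediaPlayer 7.0"="%Program Files%\\Common Files\\OOBE\\DivX Player 7.0\\Dr.DivX.exe"
"Realtek Audio"="C:\\Windows\\RtkAudio.exe"
[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
@="c:\\program files\\common files\\oobe\\divx player 7.0\\dr.divx.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
"UninstallString"="\"%Program Files%\\Common Files\\OOBE\\DivX Player 7.0\\Dr.DivX.exe\" -uninstall"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse [key] headers and REG_SZ values from a .reg export; other value types are skipped."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def find_aladinz_indicators(text):
    """Return (key, value name, reason) for each value whose data points into the drop folder."""
    hits = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            if DROP_DIR in data.lower():
                reason = next((r for pat, r in REASONS if pat in key.lower()),
                              "reference to drop folder")
                hits.append((key, name, reason))
    return hits
```

The benign "Realtek Audio" value is deliberately left unflagged to show the match is on the drop-folder path, not on the Run key as such.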

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
