IRC Bot masquerading as popular applications
The Dell SonicWall Threats Research team has observed a recent wave of IRC bots posing as legitimate applications. The bot installer may arrive with file names such as, chrome.exe or facebook-images.exe on the victim machine. It attempts to masquerade itself as Google Chrome by using the following icon and file properties:
Upon execution the bot creates a copy of itself into the following directories:
- %WINDIR%tempfacebook-images.exe [Detected as GAV: Zusy.G (Trojan)]
- %TEMP%adbreader.exe [Detected as GAV: Zusy.G (Trojan)]
In order to start after reboot the bot adds the following keys to the registry:
- HKCUSoftwareMicrosoftWindowsCurrentVersionRun [adobe driver update] "%TEMP%adbreader.exe"
- HKLMsoftwareMicrosoftWindowsCurrentVersionRun [adobe driver update] "%TEMP%adbreader.exe"
It also executes the following command to allow itself through the windows firewall:
- %SYSTEM% netsh.exe [netsh firewall add allowedprogram "%TEMP%adbreader.exe" "Adobe Driver Update" ENABLE]
It connects to a remote IRC based Command and Control server and waits for further instructions:
It then joins an IRC channel named #biz:
During our analysis, we noticed the Command and Control server sending instructions to download an additional malware component:
The downloaded malware is copied into the following directory:
- %WINDIR%mdm.exe [Detected as GAV: Injector.AOED (Trojan)]
The following registry keys were added by the bot to persist infection upon system reboot:
- HKCUSoftwareMicrosoftWindowsCurrentVersionRun [microsoft firevall engine] "%WINDIR%mdm.exe"
- HKLMSoftwareMicrosoftWindowsCurrentVersionRun [microsoft firevall engine] "%WINDIR%mdm.exe"
It also sent an instruction to create another component which uses the Pidgin icon and is copied into the following directory:
- %TEMP%eraseme_*random digits*.exe [Detected as GAV: MalAgent.G_3527 (Trojan)]
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Injector.AOED (Trojan)
- GAV: Zusy.G (Trojan)
- GAV: MalAgent.G_3527(Trojan)