Sonicwall Signatures



IRCBot.AMK is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in a malicious way. Trojans do not replicate or spread to other computers. IRCBot.AMK is compressed using an executable packer and its file size is 32,256 bytes. It uses the network as follows:
  • Connects to "" on port 5540 (TCP).
  • Sends data stream (14 bytes) to remote address "", port 5540.
  • Connects to IRC Server.
  • IRC: Uses nickname pLagUe{USA}86138.
  • IRC: Uses username SkuZ.
  • IRC: Sets the usermode for user pLagUe{USA}86138 to -ix.
  • IRC: Joins channel ##verga##.
  • IRC: Talks in channel ##verga##.
  • IRC: Sets the channel mode for channel ##verga## to -ix.

IRCBot.AMK drops the following files on the hard drive:

  • C:\WINDOWS\raidhost.exe (32256 bytes)
  • C:\WINDOWS\system32\YoItzVlad.tmp (5 bytes)
It also changes Windows registry:
  • Creates value "raidhost"="raidhost.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
It creates the following mutex to ensure only one instance is running: ooxxoxasdSkuZZxoasdxxoo. It is also executed every time Windows starts.
