Backdoor.Win32.IRCBot
From Wikipedia, the free encyclopedia
Backdoor.Win32.IRCBot is a computer worm/backdoor that spreads through MSN Messenger and Windows Live Messenger when a user downloads a file named photo album.zip sent from a contact's account. It can be recognised because the sender's message is one of the following:
- Lmfao hey im sending my new photo album, Some bare funny pictures!
- lol my sister wants me to send you this photo album
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- looooooooooooooooooooooooooooooooooooooo!! :p
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
- hey, is this really you?
- hey, looks as your image or ?
Inside the archive is a '.pif' file called photo album2007 or a '.scr' file called photos_2007. When run, it connects the infected computer to one of the following IRC servers:
- darkjester.xplosionirc.net
- cc.xerhosts.net
- free8.bis:8080
- john.free4people.net:80
and posts a message, IMStart, which is an invitation to connect to the victim's computer. When connected, the attacker can send the worm to more people and control the victim's PC. However, there is a flaw: as MSN Messenger does not allow you to send whole files, instead of spreading, the victim will get a lot of dialogue boxes saying: "you cannot send a folder, please send one file at a time." The worm therefore spreads only from computers running Windows Live Messenger.
NOTE: Once downloaded, this virus hides itself and begins downloading more viruses. If you contract this virus from MSN, an easy thing to do is to turn off your cable box/modem (the one with the flashing lights labelled internet/receive/power/etc.) and then run a few scans. If you, say, go to school and leave the box on all day, then when you get home your computer will be GUARANTEED to be so slow it will aggravate you.
Recently (in April 2008), one variant has been delivering its virus payload as a file named "IMG00231[1].JPG-www.imageupload.com" from the sites photogallery.gigacities.net and album.gigacities.net (see the McAfee Site Advisor post at [1]). The MSN Messenger message says "hey, is this your picture ?! h t t p://album.gigacities.net/email.php?=YOURe-mail@hotmail.com" [DO NOT FOLLOW THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING AND WANT TO HARVEST THIS FILE]. This link delivers the MSN virus/worm payload as an MS-DOS .com application (size 39,424 bytes; size on disk 40,960 bytes). As of 11 April 2008, Symantec Endpoint Protection does NOT detect this version of the worm.
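A triage check for the indicators described above, as an added example that is not part of the original article: it flags archive members and file names that Windows would run as programs (.pif, .scr, .com, including the image-named .com variant) and matches proxy log destinations against the IRC hosts listed. The function names, the log format and the set of decoy image extensions are assumptions; the sample archive and log lines are constructed.

```python
import io
import zipfile

EXEC_EXTS = (".pif", ".scr", ".com")            # executable types named in the article
DECOY_EXTS = (".jpg", ".jpeg", ".gif", ".png")  # assumption: image types used as decoys
IRC_HOSTS = {"darkjester.xplosionirc.net", "cc.xerhosts.net",
             "free8.bis", "john.free4people.net"}  # hosts listed in the article

def classify_name(name):
    """Return 'disguised-executable' (image extension hidden inside an
    executable name), 'executable', or None for any other file name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(" .")
    if not base.endswith(EXEC_EXTS):
        return None
    stem = base.rsplit(".", 1)[0]
    if any(ext in stem for ext in DECOY_EXTS):
        return "disguised-executable"
    return "executable"

def scan_zip(data):
    """List (member, verdict) for every archive member Windows would run."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, v) for n in zf.namelist() if (v := classify_name(n))]

def match_irc_hosts(log_lines):
    """Return (client, host) pairs whose destination is one of IRC_HOSTS."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        host = parts[2].rsplit(":", 1)[0].lower().rstrip(".")
        if host in IRC_HOSTS:
            hits.append((parts[1], host))
    return hits

def build_sample_zip():
    """Constructed sample: placeholder bytes stored under the article's file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo album2007.pif", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()

# Constructed proxy log lines in the assumed format "<time> <client> <host:port>"
SAMPLE_LOG = ["10:02:11 10.0.0.5 free8.bis:8080", "10:02:15 10.0.0.7 example.org:443",
              "10:03:40 10.0.0.9 John.Free4People.net:80"]

if __name__ == "__main__":
    print(scan_zip(build_sample_zip()), match_irc_hosts(SAMPLE_LOG))
```
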
External Links
- FixMyIM's IRCBot Variants entry at FixMyIM
- McAfee Site Advisor [2]
- Post by blogger Alex [3]