A forum for reverse engineering, OS internals and malware analysis 

#4301 by EP_X0FF
Thu Jan 06, 2011 1:22 pm
Generic Backdoor IRCBot targeting Yahoo! Messenger.
Contains code to shutdown and disable Microsoft Security Essentials.

Runs through:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

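As an added example (not code from the post or from the sample), a Python host check for the artefacts EP_X0FF lists: the three Run keys, the AuthorizedApplications entry that `netsh firewall add allowedprogram ... ENABLE` writes, and the Start value of MsMpSvc and wuauserv after `sc config ... start= disabled`. The USER_WRITABLE directory list and the choice to flag any Run entry pointing into those directories are my assumptions; the live registry read is Windows-only, while assess() is pure and runs anywhere.

```python
import sys

# Registry locations quoted in the post (hive, subkey). The Terminal Server\Install
# key is the Terminal Services redirect of HKLM Run and is easy to miss in a manual check.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install"
             r"\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]
FW_LIST = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
           r"\StandardProfile\AuthorizedApplications\List")
SERVICES = ("MsMpSvc", "wuauserv")  # the sample runs 'sc config ... start= disabled' on these
SERVICE_DISABLED = 4                # documented Start DWORD value for a disabled service
# Assumption: drop locations worth flagging (the sample references %public% and %programfiles%)
USER_WRITABLE = ("%public%", "%appdata%", "%temp%", "\\users\\", "\\programdata\\")

def suspicious_path(p):
    """True for a command or path that lives in a user-writable directory."""
    return any(m in str(p).lower() for m in USER_WRITABLE)

def assess(run_values, fw_values, service_start):
    """Pure check so it can run offline on collected or constructed data.
    run_values: {(hive, subkey): {value_name: command}}; fw_values: {name: data}
    from FW_LIST; service_start: {service: Start DWORD}. Returns finding strings."""
    findings = []
    for (hive, sub), values in run_values.items():
        for name, cmd in values.items():
            if suspicious_path(cmd):
                findings.append(f"run-key {hive}\\{sub} : {name} = {cmd}")
    for name, data in fw_values.items():
        # netsh writes '<path>:*:Enabled:<name>' for an allowed program
        if ":*:enabled:" in str(data).lower() and suspicious_path(str(data).split(":*:")[0]):
            findings.append(f"firewall-allow {name} = {data}")
    for svc in SERVICES:
        if service_start.get(svc) == SERVICE_DISABLED:
            findings.append(f"service-disabled {svc}")
    return findings

def collect():
    """Read the live registry (Windows only) and feed assess()."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    def values(hive, path):
        out, i = {}, 0
        try:
            with winreg.OpenKey(hive, path) as k:
                while True:
                    name, data, _ = winreg.EnumValue(k, i)  # raises OSError when exhausted
                    out[name], i = data, i + 1
        except OSError:
            pass  # missing key or end of enumeration
        return out
    run = {(h, p): values(hives[h], p) for h, p in RUN_KEYS}
    starts = {s: values(hives["HKLM"], rf"SYSTEM\CurrentControlSet\Services\{s}").get("Start")
              for s in SERVICES}
    return assess(run, values(hives["HKLM"], FW_LIST), starts)

if __name__ == "__main__" and sys.platform == "win32":
    print("\n".join(collect()) or "no findings")
```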