SonicWall Security Center


AryaN IRC Botnet discovered in the wild (April 5, 2012)



Description


The SonicWALL Threat Research team discovered a new IRC bot Trojan in the wild with DDoS (Distributed Denial of Service) functionality. The Trojan can also spread through removable USB drives and update itself over the internet.

Once run, the Trojan injects code into explorer.exe and exits. The injected code contains an IRC bot [Detected as GAV: Agent.ADC (Trojan)] and deletes the original malware file.

The Trojan makes the following DNS requests:

The Trojan determines its IP address by making a request to wipmania.com. It then joins the channel #!y! on a private IRC server.
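To flag the two network indicators above (the wipmania.com lookup and the JOIN to #!y!) in captured traffic, a defender needs to parse IRC lines rather than grep for a substring, because JOIN can arrive as a client command or as a server echo with a trailing parameter. The following is an added example, not SonicWall's code; it implements a minimal RFC 1459 message parser and runs it over a constructed session. The nick, server name and DNS query list are placeholders, and the parser handles comma-separated channel lists, which goes beyond the single channel the alert names.

```python
# Added example (not SonicWall's code): minimal RFC 1459 line parser used to
# pull JOINed channels out of reassembled IRC traffic and flag the alert's
# indicators. Session lines and DNS queries below are constructed.

C2_CHANNEL = "#!y!"           # channel named in the alert
GEOIP_HOST = "wipmania.com"   # IP-lookup host named in the alert


def parse_irc(line):
    """Split one IRC line into (prefix, command, params).

    Wire format: [':' prefix ' '] command {' ' middle} [' :' trailing]
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # A trailing parameter starts with " :" and may itself contain spaces.
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if not params:
        return prefix, "", []
    command = params[0].upper()
    params = params[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def joined_channels(lines):
    """Channels from JOIN commands, whether client-sent or server-echoed."""
    channels = []
    for line in lines:
        _, command, params = parse_irc(line)
        if command == "JOIN" and params:
            # JOIN takes a comma-separated channel list; split it.
            channels.extend(ch for ch in params[0].split(",") if ch)
    return channels


def indicator_hits(irc_lines, dns_queries):
    """Return the alert's indicators seen in a session, sorted for stable output."""
    hits = set()
    if C2_CHANNEL in joined_channels(irc_lines):
        hits.add("join " + C2_CHANNEL)
    if any(q.lower().rstrip(".") == GEOIP_HOST for q in dns_queries):
        hits.add("lookup " + GEOIP_HOST)
    return sorted(hits)


# Constructed session: the IRC handshake as a client would send it, plus the
# server's echo of the join. Nick and server name are placeholders.
SAMPLE_IRC = [
    "NICK bot-placeholder\r\n",
    "USER placeholder 0 * :placeholder\r\n",
    ":irc.example.invalid 001 bot-placeholder :Welcome\r\n",
    "JOIN #!y!\r\n",
    ":bot-placeholder!u@h JOIN :#!y!\r\n",
]
# Constructed DNS queries seen from the same host.
SAMPLE_DNS = ["time.windows.com", "wipmania.com"]

if __name__ == "__main__":
    print(indicator_hits(SAMPLE_IRC, SAMPLE_DNS))
```

The parser is deliberately small: the point is that the JOIN to the C2 channel appears in two shapes in the same session, and only the trailing-parameter handling catches the server echo.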

The bots idle on IRC awaiting further instructions from their author. They are given names according to bot type, geographical location, operating system version and CPU architecture, as seen in the screenshot below:

The Trojan can spread through removable USB drives. It also contains UDP flooding functionality for DDoS (distributed denial of service) attacks:

Further analysis showed that the Trojan can also update itself by downloading a new version from a remote web server.

The Trojan adds the following file to the file system:

  • C:\Documents and Settings\{USER}\Application Data\svhost.exe [Detected as GAV: Agent.ADC (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after system reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svhost.exe "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run egregregerfwde "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
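The file and registry indicators above are what an incident responder would sweep for on a suspect host. The following is an added example, not SonicWall's code: it parses a Windows registry export (.reg text, as produced by reg export) and reports Run values whose name or target matches the alert. The sample export is constructed, the user name is a placeholder, and the Vista+ AppData\Roaming path form is included as a generalisation beyond the XP-era "Documents and Settings" path the alert shows.

```python
# Added example (not SonicWall's code): scan a .reg export for the AryaN
# autorun entries listed in this alert. Input is assumed to be the export
# already decoded to str; the sample export below is constructed.
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Value names the alert lists under the Run keys.
SUSPECT_VALUE_NAMES = {"svhost.exe", "egregregerfwde"}
# The dropped file is "svhost.exe" (not the real svchost.exe) under the
# per-user Application Data directory; AppData\Roaming is the newer form.
SUSPECT_TARGET = re.compile(
    r'\\(application data|appdata\\roaming)\\svhost\.exe"?\s*$', re.IGNORECASE
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            # .reg files escape backslashes as \\ and double quotes as \"
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def find_aryan_autoruns(text):
    """Return [(key, name, data, reason)] for Run values matching the alert's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() not in RUN_KEYS:
            continue
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name listed in alert")
        if SUSPECT_TARGET.search(data):
            reasons.append("launches svhost.exe from Application Data")
        if reasons:
            hits.append((key, name, data, "; ".join(reasons)))
    return hits


# Constructed sample export: one benign entry plus the three entries the alert lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
"svhost.exe"="\"C:\\Documents and Settings\\alice\\Application Data\\svhost.exe\""
"egregregerfwde"="\"C:\\Documents and Settings\\alice\\Application Data\\svhost.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svhost.exe"="\"C:\\Documents and Settings\\alice\\Application Data\\svhost.exe\""
'''

if __name__ == "__main__":
    for key, name, data, reason in find_aryan_autoruns(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}\n  -> {reason}")
```

Matching on the target path as well as the value name matters: the value names are trivial for a later variant to change, whereas a Run value that launches a near-homonym of svchost.exe from a user profile directory is suspicious regardless of what it is called.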

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: IRCbot.AYN (Trojan)
  • GAV: Agent.ADC (Trojan)


