An IRC-based Trojan allows a malicious user to gain access to a compromised/infected computer without a user's knowledge, according to Symantec.

Backdoor.Tkbot is detected by current definitions as an IRC Trojan. It has the capability to perform the following nefarious activities:

  • Gather user/system information
  • Upload a file to the victim's system
  • Download a file from the victim's system
  • Execute any application on the victim's system
  • Attempt to gain root access to another remote computer
  • Use the victim's system as a drone in a Distributed Denial of Service (DDoS) attack against a remote system.
  • Scan for other vulnerable systems to be compromised.
  • Carry out port scans on the systems to be compromised to determine what services they are running.

Symantec is presently giving the Trojan an overall low threat assessment due to the small number of infections. For technical details, visit this Symantec Web page.

Virus Dropper Parite Hard to Detect

Parite consists of a dropper, which is written in Assembler, and the virus itself, written in Borland C++, according to F-Secure.

When an infected file is launched, control is passed to the virus dropper, which writes the virus to a temporary file and executes its infection procedure. The virus searches for Win32 PE executables with .scr and .exe extensions on all logical drives of the computer and in shared resources on the local network, and infects them. The virus doesn't manifest its presence in any way.

The structure of an infected file looks like the following:

  • Host file
  • Virus dropper - drops "main" to the TEMP directory and executes it.
  • main - searches for files and infects them.

Although the company has noted the presence of Parite, it has not issued an alert. To view F-Secure's virus glossary, go here.

Week in Review

This week saw the presence of a Trojan called Sadhound and a worm known as Blackout.

Sadhound is a dangerous Trojan because it connects to a certain IRC chat channel in order to allow hackers to access the computer. This malicious code can either reach computers through an infected file or be dropped by another Trojan called Juntador. In the latter case, it is very easy to identify Sadhound, since it displays text in a Notepad window.

Sadhound also creates a file called MSWINSOCK.EXE in the Windows system directory, and another in the temporary directory called F300.TXT, which contains the message that this virus sometimes displays. This Trojan also creates an entry in the Windows Registry in order to ensure that it is run every time the computer is started up.

The Blackout worm mainly spreads through IRC chat channels, using the DCC command, in a file called README.TXT, which contains its infection code. The effects of Blackout are:

  • It disables the shut down option in the Windows Start button menu.
  • It infects Word documents when they are opened.
  • Every time a file is run on the infected computer, Blackout compares the hour on the system clock with a number selected at random between 1 and 24. If the hour and this number coincide, it displays a message on screen.
  • Blackout also creates the following files in the root directory of the hard drive: BLACKOUT.VBS, BLACKOUT.VXD and README.TXT. It will also create a new file called SCRIPT.INI, which it uses to spread, if the computer has an IRC chat program installed.

Similarly, it creates several keys in the Windows Registry in order to carry out its actions. When the user opens an infected Word document, Blackout also modifies an existing entry to prevent the dialog box that allows users to enable or disable macros from being displayed. For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.
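The file artifacts named above for Sadhound and Blackout can be turned into simple host checks. The following is an added example, not code from Symantec, F-Secure or Panda: the file names come from the article, the directory locations are parameters (they differ between installations), and the filesystem snapshot is constructed so the rules can be exercised offline.

```python
from pathlib import PureWindowsPath


def indicator_rules(system_dir: str, temp_dir: str, root_dir: str) -> dict:
    """Per-family artifact rules from the file names the article lists.
    PureWindowsPath keeps Windows path semantics on any host."""
    sysd, tmpd, rootd = (PureWindowsPath(d) for d in (system_dir, temp_dir, root_dir))
    return {
        # Sadhound: dropped binary in the system dir, message text in temp.
        "Sadhound": {
            "required": [sysd / "MSWINSOCK.EXE"],
            "supporting": [tmpd / "F300.TXT"],
        },
        # Blackout: three files in the drive root; SCRIPT.INI appears only when
        # an IRC client is installed, so it is supporting evidence, not required.
        "Blackout": {
            "required": [rootd / "BLACKOUT.VBS", rootd / "BLACKOUT.VXD", rootd / "README.TXT"],
            "supporting": [rootd / "SCRIPT.INI"],
        },
    }


def evaluate(rules: dict, exists) -> dict:
    """Return {family: {"match": bool, "present": [paths seen]}}. A family matches
    only when every required artifact exists; supporting artifacts are reported
    but never sufficient alone (a lone README.TXT is far too common a name)."""
    report = {}
    for family, rule in rules.items():
        present = [str(p) for p in rule["required"] + rule["supporting"] if exists(str(p))]
        report[family] = {"match": all(exists(str(p)) for p in rule["required"]),
                          "present": present}
    return report


# Constructed snapshot standing in for a directory listing (compared
# case-insensitively, as Windows does). A live scan would pass os.path.exists.
SAMPLE_SNAPSHOT = {
    r"C:\WINDOWS\SYSTEM\MSWINSOCK.EXE",
    r"C:\WINDOWS\TEMP\F300.TXT",
    r"C:\README.TXT",  # alone, this must not be reported as Blackout
}


def snapshot_exists(path: str) -> bool:
    return path.upper() in SAMPLE_SNAPSHOT


def scan_sample() -> dict:
    rules = indicator_rules("C:\\Windows\\System", "C:\\Windows\\Temp", "C:\\")
    return evaluate(rules, snapshot_exists)
```

Against the constructed snapshot, Sadhound is reported with both artifacts present, while Blackout is not reported because only README.TXT exists in the root.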

Compiled by Esther Shein