I recently came across a trojan, which is detected by common virus scanners, but not much documented. So I analysed it just a little.
Like many others it is located in the Windows directory (for example c:\winnt) and named svchost.exe (the real svchost.exe belongs to system32). It is set up to start with Windows.
These are its names according to jotti.org:

A-Squared: Found Win32.SuspectCrc!IK
AntiVir: Found TR/Downloader.Gen
ArcaVir: Found Trojan.Agent.Wo
Avast: Found Win32:Trojan-gen {Other}
AVG Antivirus: Found BackDoor.Agent.MEA
BitDefender: Found Backdoor.Agent.WO
ClamAV: Found Trojan.Agent-8319
CPsecure: Found nothing
Dr.Web: Found BackDoor.IRC.Spreader
F-Prot Antivirus: Found W32/IRCBot-based!Maximus (probable variant)
F-Secure Anti-Virus: Found Backdoor.Win32.Agent.wo
G DATA: Found Win32:Trojan-gen
Ikarus: Found Win32.SuspectCrc
Kaspersky Anti-Virus: Found Backdoor.Win32.Agent.wo
NOD32: Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control: Found W32/Agent.CWBV
Panda Antivirus: Found Trj/Downloader.MDW
Sophos Antivirus: Found Mal/Generic-A
VirusBuster: Found nothing
VBA32: Found Backdoor.Win32.Agent.wo
The size is 86.016 bytes, MD5: 5ec89f1f189fc5af94aa9306d7df4b8b
What it does is this: It tries to connect to IRC.BENDOVER.BE (that server is no longer operational), then joins #spreader.crew (password: spreadmaster). In my case it used the name!id: oppqrrstc!oppqrrstc (probably generated individually). Then it stayed in the channel and did nothing more. It probably waited for a bot or real person to contact it with further instructions.
Any hints about this trojan or the creators (former owner of bendover.be? "spreader.crew"?) are appreciated.
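As an added example (not part of the original post), here is a small Python detector that parses client-side IRC lines of the kind this bot sends and flags the indicators reported above: the server, the channel, the channel key, and a nick that equals its ident. The sample session is constructed; the nick-equals-ident heuristic is my assumption based on the single observed identity.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the post above.
KNOWN_SERVER = "irc.bendover.be"
KNOWN_CHANNEL = "#spreader.crew"
KNOWN_KEY = "spreadmaster"

# Client-to-server commands of interest: NICK <nick>, USER <ident> ..., JOIN <chan> [key]
IRC_CMD = re.compile(r"^(NICK|USER|JOIN)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)


def parse_client_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one raw IRC client line; return None for commands we do not track."""
    m = IRC_CMD.match(line.strip())
    if not m:
        return None
    cmd, arg1, arg2 = m.group(1).upper(), m.group(2), m.group(3)
    if cmd == "JOIN":
        return {"cmd": cmd, "channel": arg1.lower(), "key": arg2 or ""}
    return {"cmd": cmd, "value": arg1}


def check_session(dst_host: str, lines: List[str]) -> List[str]:
    """Return findings for one outbound IRC session (destination host + client lines)."""
    findings: List[str] = []
    if dst_host.lower() == KNOWN_SERVER:
        findings.append(f"connection to known C2 server {dst_host}")
    nick = ident = None
    for line in lines:
        rec = parse_client_line(line)
        if rec is None:
            continue
        if rec["cmd"] == "NICK":
            nick = rec["value"]
        elif rec["cmd"] == "USER":
            ident = rec["value"]
        elif rec["cmd"] == "JOIN":
            if rec["channel"] == KNOWN_CHANNEL:
                findings.append(f"JOIN to known bot channel {rec['channel']}")
            if rec["key"] == KNOWN_KEY:
                findings.append("channel key matches known key")
    # Assumption: the generated identity uses the same string for nick and ident
    # (the post saw oppqrrstc!oppqrrstc); a weak indicator on its own.
    if nick and ident and nick == ident:
        findings.append(f"nick equals ident ({nick}!{ident}), typical of generated bot identities")
    return findings


# Constructed sample session mirroring the behaviour described in the post.
SAMPLE_SESSION = [
    "NICK oppqrrstc",
    "USER oppqrrstc 0 * :oppqrrstc",
    "JOIN #spreader.crew spreadmaster",
]
```

Running check_session("IRC.BENDOVER.BE", SAMPLE_SESSION) yields four findings; a normal session to another server and channel yields none.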