I recently came across a trojan which is detected by common virus scanners but not well documented, so I analysed it a little.
Like many others, it is located in the Windows directory (for example c:\winnt) and named svchost.exe (the real svchost.exe belongs in system32). It is set up to start with Windows.
These are its names according to jotti.org:
A-Squared: Win32.SuspectCrc!IK
AntiVir: TR/Downloader.Gen
ArcaVir: Trojan.Agent.Wo
Avast: Win32:Trojan-gen {Other}
AVG Antivirus: BackDoor.Agent.MEA
BitDefender: Backdoor.Agent.WO
ClamAV: Trojan.Agent-8319
CPsecure: nothing found
Dr.Web: BackDoor.IRC.Spreader
F-Prot Antivirus: W32/IRCBot-based!Maximus (probable variant)
F-Secure Anti-Virus: Backdoor.Win32.Agent.wo
G DATA: Win32:Trojan-gen
Ikarus: Win32.SuspectCrc
Kaspersky Anti-Virus: Backdoor.Win32.Agent.wo
NOD32: probably unknown NewHeur_PE (probable variant)
Norman Virus Control: W32/Agent.CWBV
Panda Antivirus: Trj/Downloader.MDW
Sophos Antivirus: Mal/Generic-A
VirusBuster: nothing found
VBA32: Backdoor.Win32.Agent.wo
The size is 86,016 bytes, MD5: 5ec89f1f189fc5af94aa9306d7df4b8b
What it does is this: it tries to connect to IRC.BENDOVER.BE (that server is no longer operational), then joins #spreader.crew (password: spreadmaster). In my case it used the nick!ident oppqrrstc!oppqrrstc (probably generated individually). Then it stayed in the channel and did nothing more. It probably waited for a bot or a real person to contact it with further instructions.
Any hints about this trojan or its creators (former owner of bendover.be? "spreader.crew"?) are appreciated.
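As an added example (not part of the original post or the poster's own analysis), here is a small Python script that turns the indicators reported above into a check: it hashes and sizes a file against the reported MD5 and length, and it parses an IRC client session line by line to flag a JOIN to #spreader.crew with the key spreadmaster, as well as any PING/PONG naming irc.bendover.be. The session transcript embedded in the script is constructed from the behaviour the post describes, not a real capture, and the function names (`parse_irc_line`, `scan_session`, `check_file`) are my own.

```python
"""Added example, not from the original post: match the post's indicators
(file size/MD5, IRC server, channel, channel key) against a file and an
IRC client session transcript. Standard library only."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators taken from the post above.
IOC_MD5 = "5ec89f1f189fc5af94aa9306d7df4b8b"
IOC_SIZE = 86016
IOC_SERVER = "irc.bendover.be"
IOC_CHANNEL = "#spreader.crew"
IOC_KEY = "spreadmaster"

# Constructed client->server IRC session, reconstructed from the behaviour
# described in the post; this is NOT a real capture.
SAMPLE_SESSION = """\
NICK oppqrrstc
USER oppqrrstc 0 * :oppqrrstc
JOIN #spreader.crew spreadmaster
PING :irc.bendover.be
PONG :irc.bendover.be
"""


@dataclass
class IrcFindings:
    nick: Optional[str] = None
    joins: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    hits: List[str] = field(default_factory=list)

    def add_hit(self, text: str) -> None:
        if text not in self.hits:
            self.hits.append(text)


def parse_irc_line(line: str):
    """Split one IRC message into (prefix, COMMAND, params).

    Handles the optional ':prefix', upper-cases the command, and folds a
    ':trailing' argument (which may contain spaces) into the last param."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", []
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def scan_session(text: str) -> IrcFindings:
    """Walk a client-side IRC transcript and record nick, joins and IOC hits."""
    f = IrcFindings()
    for raw in text.splitlines():
        _, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            f.nick = params[0]
        elif cmd == "JOIN" and params:
            # JOIN accepts comma-separated channel and key lists (RFC 2812).
            channels = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(channels):
                key = keys[i] if i < len(keys) else None
                f.joins.append((chan, key))
                if chan.lower() == IOC_CHANNEL:
                    msg = "JOIN to known C2 channel %s" % chan
                    if key == IOC_KEY:
                        msg += " with known key"
                    f.add_hit(msg)
        elif cmd in ("PING", "PONG") and params and params[-1].lower() == IOC_SERVER:
            # Server name shows up in keepalives even if only client bytes were logged.
            f.add_hit("keepalive naming known C2 server %s" % params[-1])
    return f


def check_file(data: bytes) -> dict:
    """Compare a file's length and MD5 with the values reported in the post."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "md5": md5,
        "size_match": len(data) == IOC_SIZE,
        "md5_match": md5 == IOC_MD5,
    }


if __name__ == "__main__":
    findings = scan_session(SAMPLE_SESSION)
    print("nick:", findings.nick)
    for hit in findings.hits:
        print("HIT:", hit)
```

Run it against a real session log (or `findings = scan_session(open("session.txt").read())`) and against the suspect file with `check_file(open(path, "rb").read())`; a size match alone is weak, but the MD5 match identifies this exact sample.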