Found undocumented trojan

I recently came across a trojan which is detected by common virus scanners but not well documented, so I analysed it just a little.

Like many others it is located in the Windows directory (for example c:\winnt) and named svchost.exe (the legitimate svchost.exe lives in system32). It is set up to start with Windows.

These are its names according to jotti.org (scanner: detection):

A-Squared: Win32.SuspectCrc!IK
AntiVir: TR/Downloader.Gen
ArcaVir: Trojan.Agent.Wo
Avast: Win32:Trojan-gen {Other}
AVG Antivirus: BackDoor.Agent.MEA
BitDefender: Backdoor.Agent.WO
ClamAV: Trojan.Agent-8319
CPsecure: nothing found
Dr.Web: BackDoor.IRC.Spreader
F-Prot Antivirus: W32/IRCBot-based!Maximus (probable variant)
F-Secure Anti-Virus: Backdoor.Win32.Agent.wo
G DATA: Win32:Trojan-gen
Ikarus: Win32.SuspectCrc
Kaspersky Anti-Virus: Backdoor.Win32.Agent.wo
NOD32: probably unknown NewHeur_PE (probable variant)
Norman Virus Control: W32/Agent.CWBV
Panda Antivirus: Trj/Downloader.MDW
Sophos Antivirus: Mal/Generic-A
VirusBuster: nothing found
VBA32: Backdoor.Win32.Agent.wo

The file is 86,016 bytes; MD5: 5ec89f1f189fc5af94aa9306d7df4b8b

What it does is this: it tries to connect to IRC.BENDOVER.BE (that server is no longer operational), then joins #spreader.crew (channel key/password: spreadmaster). In my case it used the nick!ident oppqrrstc!oppqrrstc (probably generated individually per infection). It then stayed in the channel and did nothing more, presumably waiting for a bot or a real person to contact it with further instructions.
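The observable behaviour above (connection to a fixed IRC server, JOIN to a keyed channel) is what a defender can match on in network logs. The following is an added example, not code from the original post: a small IRC line parser plus a detector that raises alerts when a client session targets the server, channel and key named above, and a helper that checks a file against the reported size and MD5. The session lines are constructed to mirror the described behaviour.

```python
import hashlib
import re

# Indicators quoted from the post above; the server is no longer live.
C2_SERVER = "irc.bendover.be"
C2_CHANNEL = "#spreader.crew"
C2_KEY = "spreadmaster"
SAMPLE_MD5 = "5ec89f1f189fc5af94aa9306d7df4b8b"
SAMPLE_SIZE = 86016
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")

def parse_irc(line):
    """Split one raw IRC line into (COMMAND, [params]); a trailing ':' param is kept whole."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):
        args = [params[1:]]
    elif " :" in params:
        head, trailing = params.split(" :", 1)
        args = head.split() + [trailing]
    else:
        args = params.split()
    return m.group("cmd").upper(), args

def c2_alerts(dst_host, lines):
    """Return alert strings for a client->server IRC session addressed to dst_host."""
    alerts = []
    if dst_host.lower() == C2_SERVER:
        alerts.append("connection to known C2 server " + C2_SERVER)
    for line in lines:
        parsed = parse_irc(line)
        if not parsed or parsed[0] != "JOIN" or not parsed[1]:
            continue
        # RFC 2812 allows "JOIN #a,#b key1,key2": keys pair with channels by position
        channels = parsed[1][0].split(",")
        keys = parsed[1][1].split(",") if len(parsed[1]) > 1 else []
        for i, chan in enumerate(channels):
            if chan.lower() == C2_CHANNEL:
                key_ok = i < len(keys) and keys[i] == C2_KEY
                alerts.append("JOIN to C2 channel " + chan + (" with known key" if key_ok else ""))
    return alerts

def matches_sample(data):
    """True if a file body has exactly the size and MD5 reported for the sample."""
    return len(data) == SAMPLE_SIZE and hashlib.md5(data).hexdigest() == SAMPLE_MD5

# Constructed session mirroring the behaviour described in the post (not a real capture).
SESSION = ["NICK oppqrrstc", "USER oppqrrstc 0 * :oppqrrstc", "JOIN #spreader.crew spreadmaster", "PING :x"]
```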

Any hints about this trojan or its creators (the former owner of bendover.be? "spreader.crew"?) are appreciated.
