Malware descriptions

You can teach an old worm new tricks

We’re seeing a lot of reports about a new version of Backdoor.Win32.IRCBot.acd. This backdoor is a fairly limited IRCBot with spy capabilities combined with MSN-Worm functionality.

Depending on the locality of the machine the backdoor sends out messages in different languages. This functionality is similar to that seen in the recent widespread AutoIT MSN-Worms, which is mostly downloaded by Backdoor.Win32.MSNMaker variants.
The interesting touch in this case is that the backdoor tries to transfer a ZIP file called “myalbum2007.zip” instead of sending out an URL to a malicious file.

This is not entirely new, for instance the IM-Worm.Win32.Sumom family back from 2005 did the same. However it’s been quite a while since we last saw this type of propagation routine.

There are pros and cons to each type of propagation. Perhaps some cyber criminals think that websites containing malicious code get taken offline too fast for their liking. It’ll be interesting to see if sending files instead of URLs will become a proven method for MSN-Worms to spread.

You can teach an old worm new tricks

Your email address will not be published. Required fields are marked *

 

Reports

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox