Malware descriptions

You can teach an old worm new tricks

We’re seeing a lot of reports about a new version of Backdoor.Win32.IRCBot.acd. This backdoor is a fairly limited IRCBot with spy capabilities combined with MSN-Worm functionality.

Depending on the locality of the machine the backdoor sends out messages in different languages. This functionality is similar to that seen in the recent widespread AutoIT MSN-Worms, which is mostly downloaded by Backdoor.Win32.MSNMaker variants.
The interesting touch in this case is that the backdoor tries to transfer a ZIP file called “myalbum2007.zip” instead of sending out an URL to a malicious file.

This is not entirely new, for instance the IM-Worm.Win32.Sumom family back from 2005 did the same. However it’s been quite a while since we last saw this type of propagation routine.

There are pros and cons to each type of propagation. Perhaps some cyber criminals think that websites containing malicious code get taken offline too fast for their liking. It’ll be interesting to see if sending files instead of URLs will become a proven method for MSN-Worms to spread.

You can teach an old worm new tricks

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2022

This is our latest summary of advanced persistent threat (APT) activities, focusing on events that we observed during Q3 2022.

APT10: Tracking down LODEINFO 2022, part I

The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.

Subscribe to our weekly e-mails

The hottest research right in your inbox