
Backdoor.Win32.IRCBot.sgu

Posted: August 10, 2011

Backdoor.Win32.IRCBot.sgu is a backdoor Trojan, and potentially a dropper, that opens serious security holes in an infected PC so that remote attackers can control the system. SpywareRemove.com malware analysts have found that Backdoor.Win32.IRCBot.sgu hides its activity by injecting into legitimate system processes, which makes it difficult to detect without a good anti-malware program. Like all Trojans in the IRCBot family, Backdoor.Win32.IRCBot.sgu contacts remote IRC servers for a variety of purposes, including enlisting the PC in attacks against other systems and receiving instructions to install other malicious applications.

Eyeballing Backdoor.Win32.IRCBot.sgu's Unauthorized Extension of Your System Processes

Although the IRCBot family on which Backdoor.Win32.IRCBot.sgu is based is relatively old by Trojan standards, Backdoor.Win32.IRCBot.sgu itself is a recent variant as of August 2011. Anti-virus and other security applications may be unable to detect or delete Backdoor.Win32.IRCBot.sgu unless their threat definition databases are up to date. Similar Trojans from the same group include Backdoor.Win32.IRCBot.aaq, Backdoor.Win32.IRCBot.avw, Backdoor.Win32.IRCBot.es, Backdoor.Win32.IRCBot.bh, Backdoor.Win32.IRCBot.abc and Backdoor.Win32.IRCBot.ex.

All backdoor Trojans in this subgroup, including Backdoor.Win32.IRCBot.sgu, are identified primarily by their tendency to contact IRC servers to receive files or instructions. IRC-controlled Trojans like Backdoor.Win32.IRCBot.sgu are often used to enlist PCs in DDoS botnets, in which many infected machines flood a target server with traffic until it can no longer respond. Because this activity produces no visible signs on the infected PC, you may not notice Backdoor.Win32.IRCBot.sgu at work unless the extra CPU, memory and bandwidth consumption causes noticeable performance degradation.

SpywareRemove.com malware researchers have also found a second way to detect Backdoor.Win32.IRCBot.sgu directly: by watching for native system processes, particularly svchost.exe, that have been infected by Backdoor.Win32.IRCBot.sgu. Such processes show increased resource usage in Task Manager, are always active and may resist attempts to close them. However, since Windows normally runs multiple svchost.exe processes by default, resource usage alone is a weak signal. A more reliable test is whether each svchost.exe instance runs from %SystemRoot%\System32, was started by services.exe and carries a valid Microsoft signature, and whether it holds network connections that a service host has no business making; none of that is visible at a glance in Task Manager, which is why rooting out Backdoor.Win32.IRCBot.sgu by hand is difficult for non-experts.
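As an added example (PowerShell written for this page, not code from the original article or from any analysis of the sample), the following script applies those checks to every svchost.exe instance: image path, parent process, Authenticode status, established TCP sessions on the usual IRC port range, and loaded modules from outside the Windows directory. The IRC port range 6660-7000 and the "parent must be services.exe" rule are heuristics assumed here, not documented facts about Backdoor.Win32.IRCBot.sgu; Get-NetTCPConnection requires Windows 8 / Server 2012 or later (use netstat -ano on older hosts). Run it from an elevated prompt.

```powershell
# Added example, not from the original page: triage every svchost.exe for the signs of
# process infection described above. Built-in cmdlets only; run from an elevated prompt.
# Assumptions (heuristics, not documented IRCBot.sgu facts):
#   - a genuine svchost.exe runs from %SystemRoot%\System32 and is started by services.exe
#   - IRC traffic uses TCP 6660-7000; a bot configured for another port is not caught here
function Get-SuspiciousSvchost {
    $ircPorts = 6660..7000
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Snapshot all processes once so parent PIDs can be resolved to names.
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Established TCP sessions, joined to processes by owning PID (Windows 8+).
    $tcp = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $findings = @()

        # 1. Image path outside System32: not the real service host at all.
        if ($p.ExecutablePath -and -not $p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
            $findings += "image path $($p.ExecutablePath)"
        }

        # 2. Parent should be services.exe; explorer.exe or an unknown dropper is suspect.
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ine 'services.exe') {
            $findings += "parent $parentName (PID $($p.ParentProcessId))"
        }

        # 3. The real binary is Microsoft-signed (catalog-signed; older PowerShell may report NotSigned).
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
        }

        # 4. A service host holding a session on an IRC port is the page's core indicator.
        foreach ($c in ($tcp | Where-Object { $_.OwningProcess -eq $p.ProcessId -and $ircPorts -contains [int]$_.RemotePort })) {
            $findings += "IRC-port session to $($c.RemoteAddress):$($c.RemotePort)"
        }

        # 5. Loaded modules outside the Windows directory point at an injected DLL (or a third-party shim).
        try {
            $mods = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                Where-Object { $_.FileName -and -not $_.FileName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase') }
            foreach ($m in $mods) { $findings += "module $($m.FileName)" }
        } catch {
            $findings += "modules unreadable ($($_.Exception.Message))"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                PID      = $p.ProcessId
                Parent   = $parentName
                Findings = ($findings -join '; ')
            }
        }
    }
}

Get-SuspiciousSvchost | Format-Table -AutoSize -Wrap
```

Expect some noise: antivirus and shell-extension DLLs under Program Files legitimately load into service hosts, and older PowerShell versions report catalog-signed OS binaries, svchost.exe included, as NotSigned rather than Valid. What you are looking for is an instance that fails several checks at once, in particular one started by explorer.exe or an unfamiliar executable rather than services.exe, or one that holds a session on an IRC port.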

Backdoor.Win32.IRCBot.sgu's Standard but Nonetheless Debilitating Arsenal of PC Attacks

Although Backdoor.Win32.IRCBot.sgu may show slightly different types of behavior depending on the instructions that it receives, all Backdoor.Win32.IRCBot.sgu infections create the following risks for any Windows PC:

  • As mentioned earlier, Backdoor.Win32.IRCBot.sgu will attempt to contact a remote IRC server for various purposes. To do so, Backdoor.Win32.IRCBot.sgu may create exceptions in your firewall, disable the firewall entirely or open network ports. These actions let Backdoor.Win32.IRCBot.sgu bypass your network security and, unfortunately, do the same for any other remote attacker.
  • Backdoor.Win32.IRCBot.sgu may be instructed to install other harmful programs onto your PC, acting as a dropper Trojan. Prominent Trojan payloads include rogue security programs like Internet Protection 2011, browser hijackers like Resulturl and even other Trojans (such as Zlob or Vundo).
  • An active backdoor Trojan like Backdoor.Win32.IRCBot.sgu also gives remote criminals complete access to your computer, which they often exploit through Remote Administration Tools (RATs). This allows them to steal private information, destroy files or install other types of malicious software.

Backdoor.Win32.IRCBot.sgu should be removed only with reputable anti-malware software. The SpywareRemove.com research team has confirmed that Backdoor.Win32.IRCBot.sgu makes Registry changes and other system alterations (listed under Technical Details below) that deleting its files alone will not undo.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%Temp%\XtremeServerSource.dat
File type: Data file
Mime Type: unknown/dat

%System%\Xtreme\Xtreme.exe
File type: Executable File
Mime Type: unknown/exe

Registry Modifications

The following Registry keys and values are created or modified. The Active Setup entry name is reproduced as reported; it contains non-hex characters (J, K, P, V) and so cannot be a genuine COM class ID, which itself makes the entry easy to pick out. Entries under Active Setup\Installed Components execute their StubPath once per user account at logon, and programs listed under Policies\Explorer\Run start at logon without appearing in the ordinary Run keys, so both are persistence points that survive deletion of the dropped files.

Subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500}
HKEY_CURRENT_USER\Software\Xtreme
HKEY_CURRENT_USER\Software\Server

Run keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
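As an added example (PowerShell written for this page, not code from the original article), the script below sweeps a host for the file and Registry artifacts listed under Technical Details and for the firewall changes described earlier. It reads %System% as %SystemRoot%\System32 and %Temp% as each user profile's local Temp directory, both assumptions; the firewall checks are heuristics derived from the described behaviour rather than documented artifacts; and the Active Setup scan goes beyond the single listed key by reporting any component with a malformed GUID name or a StubPath naming Xtreme. Run it from an elevated prompt.

```powershell
# Added example, not from the original page: sweep a host for the file and Registry artifacts
# listed under Technical Details, plus the firewall changes described earlier. Run elevated.
# Assumptions: %System% is read as %SystemRoot%\System32 and %Temp% as each profile's local Temp;
# the firewall checks are heuristics based on the described behaviour, not documented artifacts.
function Find-IrcBotSguArtifacts {
    $results = New-Object System.Collections.Generic.List[string]

    # --- Dropped files: the current Temp plus every user profile's Temp, and the System32 drop path.
    $tempDirs = @($env:TEMP) + @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    $candidates = @(Join-Path $env:SystemRoot 'System32\Xtreme\Xtreme.exe') +
        @($tempDirs | ForEach-Object { Join-Path $_ 'XtremeServerSource.dat' })
    foreach ($f in ($candidates | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $results.Add("FILE    $f  sha256=$hash")
        }
    }

    # --- Keys copied verbatim from the listing. The Active Setup name contains non-hex characters,
    # so it is matched literally; it could never be a genuine COM class ID.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{08C9E5JF-4KJB-16CP-AAA5-00401C6FV500}',
        'HKCU:\Software\Xtreme',
        'HKCU:\Software\Server'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $results.Add("KEY     $k") }
    }

    # --- Policies\Explorer\Run: starts programs at logon yet is absent from the usual Run key views.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $values = (Get-ItemProperty -LiteralPath $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) { $results.Add("RUN     $k\$($v.Name) = $($v.Value)") }
    }

    # --- Generalisation beyond the listed key: every Active Setup component runs its StubPath once
    # per user at logon, so report any entry with a malformed GUID name or a StubPath naming Xtreme.
    $guid = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $stub = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($_.PSChildName -notmatch $guid -or ($stub -and $stub -match 'Xtreme')) {
                $results.Add("ASETUP  $($_.PSChildName)  StubPath=$stub")
            }
        }

    # --- Firewall: exceptions for the dropped binary, and any profile switched off outright.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like '*Xtreme*' } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            $results.Add("FWRULE  '$($rule.DisplayName)'  program=$($_.Program)  action=$($rule.Action)")
        }
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { $results.Add("FWOFF   $($_.Name) profile is disabled") }

    if ($results.Count -eq 0) { 'No listed artifacts found.' } else { $results }
}

Find-IrcBotSguArtifacts
```

A hit on the FILE or KEY lines is a direct match on the page's listing; the ASETUP, RUN and firewall lines need a human look, since OEM software occasionally uses non-GUID Active Setup names and administrators sometimes disable a firewall profile deliberately. Record the SHA256 of any file found before deleting it so the sample can be matched against vendor detections.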