Possible Backdoor.IRC.RPCBot

Thread starter: CJM

I run the Grisoft AVG Free Av software and ZoneAlarm. I generally filter my
email with MailWasher.

I've just installed XP Pro, and had only got through 2/3 of the required
critical patches (downloading them on a dialup!). I had notably just
downloaded and installed mIRC, and had been on it for the first time (since
rebuild).

I was online last night, and a ZA popup asked if Information.exe and
NCTL.exe could have access to the web. I said no in each case.

After a bit of investigation, I noticed I had 3 links on my desktop and on
my Start menu: 'Dating', 'XXX', 'SMS'.

I searched on google for 'nctl.exe' and 'information.exe' and found that
they are often signs of a Trojan. Backdoor.IRC.RPCBot seemed to come up a
lot.

I ran the AVG software, but it didn't detect anything. (AVG is up-to-date.)

I searched (via explorer) for the two files and came up with 3 hits each:
The executable in c:\windows, another .pf file in the Prefetch directory and
a file in the IE Temporary files folders. I deleted them all. I've also
deleted the links from the Start Menu/Desktop.

I checked (regedit) for the registry keys indicated in the various AV links
I had looked at, but none had been added/edited on my PC. I checked for some
of the other files that were indicated, but couldn't find any of them either.

I also checked the programs that will run on startup, both using TweakXP and
a double check using regedit.

So my questions are:

Does this sound like Backdoor.IRC.RPCBot or a different trojan?

How do I find out?

Have I stopped it in its tracks? Or is there other malware running that I
don't know about?

What other damage am I potentially faced with?


Thanks in advance

Chris
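The hand checks in the post above (a file search for the two executables, the Prefetch entries, the Run keys, the startup list) can be scripted. The following is an added example written for this thread, not code from the poster or from any product mentioned: the registry paths and the Prefetch naming scheme are real, but the loose-executable heuristic, the sample Run-key values, Prefetch names and on-disk file list are constructed assumptions, and the live collection path only runs on Windows.

```python
"""Triage Windows autorun entries and Prefetch residue for executables that
look out of place. Added example, not code from the thread: the two suspect
names come from the thread, SUSPECT_DIRS and all sample data are assumptions,
and collect_live() (winreg plus a directory walk) only works on Windows."""
import ntpath
import os
import re
import sys
from collections import namedtuple

# Real registry persistence locations; each value is a command line run at logon.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Assumption: an autorun whose .exe sits directly in one of these directories
# (rather than in a product's own subdirectory) deserves a closer look.
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\temp", r"c:\windows\system"}
KNOWN_SUSPECT = {"information.exe", "nctl.exe"}   # the names from the thread

Finding = namedtuple("Finding", "source name path reason")

def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def prefetch_exe_name(pf_name):
    """'NCTL.EXE-1A2B3C4D.pf' -> 'NCTL.EXE'; non-.exe entries such as NTOSBOOT -> None."""
    m = re.match(r"(.+\.exe)-[0-9a-f]{8}\.pf$", pf_name, re.IGNORECASE)
    return m.group(1) if m else None

def triage(run_entries, prefetch_names, exes_on_disk):
    """run_entries: (key, value name, command line); prefetch_names: files in the
    Prefetch directory; exes_on_disk: lower-case basenames a file search found."""
    findings, in_run_keys = [], set()
    for key, value_name, cmd in run_entries:
        exe = exe_from_command(cmd)
        base = ntpath.basename(exe).lower()
        in_run_keys.add(base)
        if base in KNOWN_SUSPECT:
            findings.append(Finding(key, value_name, exe, "name on known-suspect list"))
        elif ntpath.dirname(exe).lower().rstrip("\\") in SUSPECT_DIRS:
            findings.append(Finding(key, value_name, exe,
                                    "loose executable directly in " + ntpath.dirname(exe)))
    for pf in prefetch_names:          # a .pf proves the program ran, even if deleted since
        exe = prefetch_exe_name(pf)
        if exe is None:
            continue
        if exe.lower() in KNOWN_SUSPECT:
            findings.append(Finding("Prefetch", pf, exe, "known-suspect name has executed"))
        elif exe.lower() not in exes_on_disk and exe.lower() not in in_run_keys:
            findings.append(Finding("Prefetch", pf, exe, "executed but no longer found on disk"))
    return findings

def collect_live():
    """Windows only: read the Run keys, list Prefetch, walk WINDIR and Program Files."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for key_path in RUN_KEYS:
        hive, sub = key_path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):   # [1] = number of values
                    name, value, _ = winreg.EnumValue(k, i)
                    entries.append((key_path, name, str(value)))
        except OSError:
            pass
    windir = os.environ.get("WINDIR", r"C:\Windows")
    prefetch = os.listdir(os.path.join(windir, "Prefetch"))
    roots = [windir, os.environ.get("ProgramFiles", r"C:\Program Files")]
    on_disk = {f.lower() for r in roots for _, _, fs in os.walk(r) for f in fs
               if f.lower().endswith(".exe")}
    return entries, prefetch, on_disk

# Constructed snapshot (not real data) for offline demonstration.
SAMPLE_RUN = [
    (RUN_KEYS[0], "AVG7_CC", r'"C:\Program Files\Grisoft\AVG Free\avgcc.exe" /STARTUP'),
    (RUN_KEYS[0], "Zone Labs Client", r'"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"'),
    (RUN_KEYS[1], "nctl", r"C:\WINDOWS\NCTL.exe"),
    (RUN_KEYS[1], "updater", r"C:\WINDOWS\helper32.exe -silent"),
]
SAMPLE_PREFETCH = ["INFORMATION.EXE-2B3C4D5E.pf", "MIRC.EXE-0A1B2C3D.pf",
                   "NTOSBOOT-B00DFAAD.pf", "AVGCC.EXE-11223344.pf"]
SAMPLE_ON_DISK = {"avgcc.exe", "zlclient.exe", "mirc.exe", "nctl.exe", "helper32.exe"}

def demo():
    """Run the triage on the constructed snapshot; returns three findings."""
    return triage(SAMPLE_RUN, SAMPLE_PREFETCH, SAMPLE_ON_DISK)

if __name__ == "__main__":
    results = triage(*collect_live()) if sys.platform == "win32" else demo()
    for f in results:
        print("%-9s %-28s %-40s %s" % (f.source.split("\\")[0], f.name, f.path, f.reason))
```

On anything other than Windows the script triages the constructed snapshot; on Windows it reads the real Run keys and Prefetch directory and walks the two program roots. The Prefetch pass is what makes the difference in a case like this one: the .pf files outlive a deleted executable, so they record what actually ran even after the file search comes up empty.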
 
CJM said:
I run the Grisoft AVG Free Av software and ZoneAlarm. I generally filter my
email with MailWasher.

I've just installed XP Pro, and had only got through 2/3 of the required
critical patches (downloading them on a dialup!). I had notably just
downloaded and installed mIRC, and had been on it for the first time (since
rebuild)

Make sure you're on version 6.12. Did you download it from www.mirc.com
or somewhere else?
 
It was 6.12 and it was downloaded from mIRC.

I've uninstalled it now - if the Trojan is an IRC trojan, then it may
partially rely on some mIRC code, so I zapped it.
 
CJM said:
I run the Grisoft AVG Free Av software and ZoneAlarm. I generally filter my
email with MailWasher.

I've just installed XP Pro, and had only got through 2/3 of the required
critical patches (downloading them on a dialup!). I had notably just
downloaded and installed mIRC, and had been on it for the first time (since
rebuild)

I was online last night, and a ZA popup asked if Information.exe and
NCTL.exe could have access to the web. I said no in each case.

Check Program Control in ZA and see if you have allowed mIRC to
have server privileges. You need to allow it access to the
internet but not be ticked in the server column. Did you have ZA
running while you were doing updates? When you install an OS you
must have ZA running BEFORE you access the internet.
 
Thanks for all your responses.

After some further investigation, I'm fairly confident I'm not infected
(anymore).

I've run a full up-to-date virus scan (different s/w this time), run
ad-aware, I've also downloaded and run 2 different trojan scanners, and came
up with nothing out of the ordinary.

I'm still slightly puzzled how these things got there! Unwanted emails don't
make it past MailWasher and anyway, I'm not in the habit of running random
attachments. ZoneAlarm should have secured all my open ports.

I'm just wondering if the mIRC installer has been tampered with. It came
from a mirror listed on the mIRC site so it should be legit, but you never
know.

Anyway, Thanks again...

Chris
 
CJM said:
Thanks for all your responses.

After some further investigation, I'm fairly confident I'm not infected
(anymore).

I've run a full up-to-date virus scan (different s/w this time), run
ad-aware, I've also downloaded and run 2 different trojan scanners, and came
up with nothing out of the ordinary.

I'm still slightly puzzled how these things got there! Unwanted emails don't
make it past MailWasher and anyway, I'm not in the habit of running random
attachments. ZoneAlarm should have secured all my open ports.

ZoneAlarm will do anything you tell it to do; if you allow mIRC
to act as a server then bingo! Open ports. Infected emails are
only part of the infiltration problem; allowing ports to be opened
or sending files back and forth etc. on IRC and instant messaging
programs should be a no-no. If you allow a webcam connection while
in an instant messenger prog for example, scan your ports at the
same time and notice what is open. The bells and whistles of irc
and messenger etc are cute but leave you wide open to attack. I
view instant messenger progs as just that, instant messaging,
nothing more. If I want a file from someone I request it be
emailed and personally scan every single attachment that arrives.
Did you run Stinger on your computer?
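The two replies above about ZoneAlarm's server column and about scanning your own ports while a program is allowed to listen come down to one check: which process owns each listening socket, and is that expected. Below is an added example of that check written for this thread, not code from any poster or from Zone Labs. It parses the real output formats of `netstat -ano` and `tasklist /FO CSV /NH`; the sample output is constructed, and the baseline of expected listeners is an assumption for illustration.

```python
"""Map every listening socket to the process that owns it and flag the ones
outside an expected baseline, i.e. what a firewall's 'server' permission
(ZoneAlarm's server column) lets a program do. Added example, not code from
the thread; the sample command output below is constructed and BASELINE is an
assumption. collect_live() runs the real commands and only works on Windows."""
import csv
import io
import subprocess
import sys
from collections import namedtuple

Sock = namedtuple("Sock", "proto local_ip local_port remote state pid")

# Assumed baseline of (image name, port) pairs that normally listen on an XP box.
BASELINE = {("system", 445), ("system", 139), ("system", 137), ("svchost.exe", 135)}

def split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse 'netstat -ano' output. TCP rows have a State column, UDP rows do not."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = "BOUND"                     # a bound UDP socket accepts datagrams
        else:
            continue                            # header lines and blanks
        ip, port = split_addr(local)
        socks.append(Sock(proto, ip, port, remote, state, int(pid)))
    return socks

def parse_tasklist(text):
    """Parse 'tasklist /FO CSV /NH' output into {pid: lower-case image name}."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0].lower()
    return names

def unexpected_listeners(socks, names):
    """Listeners reachable from the network that are not in BASELINE.
    Loopback-only binds are skipped because nothing outside the box can reach them."""
    hits = []
    for s in socks:
        if s.state not in ("LISTENING", "BOUND") or s.local_ip in ("127.0.0.1", "::1"):
            continue
        name = names.get(s.pid, "pid %d (no process found)" % s.pid)
        if (name, s.local_port) not in BASELINE:
            hits.append((name, s.pid, s.proto, s.local_ip, s.local_port))
    return hits

# Constructed sample output (not captured from a real machine). PID 1784 is
# mIRC with the firewall's server permission granted: its ident server is on
# 113, a DCC listener is on 1024, and it is connected out to an IRC server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1784
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING       1784
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.5:1039       198.51.100.7:6667      ESTABLISHED     1784
  UDP    0.0.0.0:137            *:*                                    4
"""
SAMPLE_TASKLIST = """\
"System","4","Console","0","236 K"
"svchost.exe","932","Console","0","4,120 K"
"alg.exe","1620","Console","0","3,404 K"
"mirc.exe","1784","Console","0","7,912 K"
"""

def demo():
    """Triage the constructed sample: both mIRC listeners are reported, nothing else."""
    return unexpected_listeners(parse_netstat(SAMPLE_NETSTAT), parse_tasklist(SAMPLE_TASKLIST))

def collect_live():
    """Windows only: run the two commands and triage their real output."""
    run = lambda *a: subprocess.run(a, capture_output=True, text=True).stdout
    return unexpected_listeners(parse_netstat(run("netstat", "-ano")),
                                parse_tasklist(run("tasklist", "/FO", "CSV", "/NH")))

if __name__ == "__main__":
    for name, pid, proto, ip, port in (collect_live() if sys.platform == "win32" else demo()):
        print("%-14s pid %-5d %s %s:%s" % (name, pid, proto, ip, port))
```

Run before and after granting a program server rights (or while a DCC or webcam session is open, as the reply suggests) and diff the two lists; the loopback-only listener from alg.exe is deliberately left out, since a bind on 127.0.0.1 is not reachable from the network, while the two 0.0.0.0 binds owned by mirc.exe are exactly what the server column opened up.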
 