Description
Win32/IRCFlood is a detection that describes a large family of functionally-related malicious programs. These programs allow a victim's machine to be controlled in some manner by a remote user via IRC (Internet Relay Chat).
These programs generally use mIRC (a legitimate program) in combination with a program that hides the mIRC application and other malicious applications from the host. When installed on a victim's machine, mIRC is manipulated to produce an IRC Bot that can then be controlled by requests from a remote Bot Master.
When this manipulated version of mIRC is executed, the affected machine connects to a particular IRC server and awaits commands from the controlling attacker. These 'Bots' are a popular tool for conducting a Distributed Denial of Service (DDoS) attack against a target via various types of scripted attacks, although they can also be used for a number of other illegitimate purposes, such as port scanning, spamming or flooding unsuspecting targets.
Bots may also beget further bots by producing 'clones' - auto-generated copies of themselves that can then spawn excessive numbers of connections to particular servers. This type of extreme network traffic can exhaust all available ports and, in certain circumstances, force a restart of the targeted server, disconnecting, inconveniencing and frustrating legitimate users of the affected service.
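From a defender's side, the 'clone' behaviour described above is visible on the network as one host holding far more connections to a single IRC server than any real chat client would. The following is an added example, not part of the CA write-up and not code from the malware family it describes: it parses a constructed connection log and flags source hosts that exceed a connection threshold to the same IRC server. The log format and the set of IRC ports (the conventional defaults 6667-6669 and 6697) are assumptions; the write-up names no port, and a controlled bot may be directed to any port.

```python
# Added example (not from the CA write-up): flag hosts that hold an unusually
# large number of connections to one IRC server, the "clone" flooding pattern.
from collections import defaultdict

# Assumption: conventional IRC ports. Real deployments may use others, so
# this list is a starting point, not a complete definition of "IRC traffic".
IRC_PORTS = {6667, 6668, 6669, 6697}

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port proto".
# 10.0.0.5 opens eight connections to one IRC server (clone-like), 10.0.0.7
# opens one (normal client), 10.0.0.9 talks HTTPS only, and one line is garbage.
SAMPLE_LOG = """\
2002-09-01T10:00:01 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:02 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:02 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:03 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:03 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:04 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:04 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:05 10.0.0.5 192.0.2.10 6667 tcp
2002-09-01T10:00:06 10.0.0.7 192.0.2.10 6667 tcp
2002-09-01T10:00:07 10.0.0.9 192.0.2.20 443 tcp
2002-09-01T10:00:08 10.0.0.9 192.0.2.20 443 tcp
2002-09-01T10:00:09 10.0.0.9 192.0.2.20 443 tcp
garbage line that should be skipped
"""


def parse_connection(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port, "proto": proto}


def irc_connection_counts(lines):
    """Count TCP connections to IRC ports, keyed by (source, destination)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_connection(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        if rec["proto"] == "tcp" and rec["port"] in IRC_PORTS:
            counts[(rec["src"], rec["dst"])] += 1
    return dict(counts)


def flag_clone_floods(lines, threshold=5):
    """Return (src, dst, count) for hosts with more than `threshold` connections
    to the same IRC server, most connections first. A legitimate client holds
    one or two; dozens from one host is the clone pattern worth investigating."""
    hits = [
        (src, dst, n)
        for (src, dst), n in irc_connection_counts(lines).items()
        if n > threshold
    ]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for src, dst, n in flag_clone_floods(SAMPLE_LOG.splitlines()):
        print(f"possible IRC clone flood: {src} -> {dst} ({n} connections)")
```

The threshold is deliberately a parameter: what counts as excessive depends on the environment, and a host that legitimately runs an IRC bouncer or gateway will need an allow-list rather than a lower threshold. The same counting works for a flow export or firewall log once `parse_connection` is adapted to that format.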
Most bots have a number of functions in common with regard to the local, compromised machine. Generally, most have the ability to:
- Gather configuration information about the local machine, including connection type, CPU speed and general information regarding the local drives.
- Install or delete files on the local machine.
- Perform other miscellaneous commands on the local machine.
- Use an auto-update function to download a new version of the bot, when available.
- Scan the affected local machine for further system compromise, such as the presence of another remote access trojan or backdoor program (such as the infamous SubSeven).
In September 2002, Microsoft reported an increase in unauthorized, malicious activity on Microsoft Windows 2000-based servers that was generally associated with Win32/IRCFlood. For more information, please visit Microsoft at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
CA Antivirus solutions detect the particular variant that Microsoft is referring to in this document as either IRC.Flood.C or mIRC/Shaz.Worm.