How to Prevent and Remove the Backdoor.Win32.IRCBot.rgs

1. What is the Backdoor.Win32.IRCBot.rgs

Backdoor.Win32.IRCBot (also known as W32/Poebot-JT, W32/Backdoor.NYG, Win32/IRCBot.TS, and W32/Gaobot.worm.gen.e) is a backdoor computer worm that is spread through MSN Messenger and Windows Live Messenger by downloading photo album.zip from someone.Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic startup. It provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel.This allows for confidential information to be transmitted to a hacker.

Alias: Trojan.Gen [PCTools]; Trojan.Gen [Symantec]; W32/Rimecud.gen.m [McAfee]; Trojan:Win32/Ircbrute [Microsoft]; Virus.Win32.Vitro [Ikarus] 

2.Technical Details:

a. The following files were created in the system:

• Note:
  • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

• There was a new process created in the system:

c.  Registry Modifications

• The following Registry Keys were created:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

• The newly created Registry Values are:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • Microsoft Driver Setup = "%Windir%\cwdrive32.exe"
    
    so that cwdrive32.exe runs every time Windows starts
     
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • Microsoft Driver Setup = "%Windir%\cwdrive32.exe"
    
    so that cwdrive32.exe runs every time Windows starts

d. Other details

• The following ports were open in the system:

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:

  • http://www.nippon.to/cgi-bin/prxjdg.cgi
  • http://www.cooleasy.com/cgi-bin/prxjdg.cgi

3. How-to's

a. How to prevent the  Backdoor.Win32.IRCBot.rgs ?

Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

b. How to Remove the Backdoor.Win32.IRCBot.rgs Manually?

Step 1 : Use Windows Task Manager to Remove Backdoor.Win32.IRCBot.rgs Processes

cwdrive32.exe

Step 2 : Use Registry Editor to Remove Backdoor.Win32.IRCBot.rgs Registry Values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
Microsoft Driver Setup = "%Windir%\cwdrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Driver Setup = "%Windir%\cwdrive32.exe"

Step3: Detect and Delete Other Backdoor.Win32.IRCBot.rgs Files

%Windir%\cwdrive32.exe
[file and pathname of the sample #1] 

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

4. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm