How to Prevent and Remove the Trojan.Win32.Ircbrute
1. What is the Trojan.Win32.Ircbrute

Trojan.Win32.Ircbrute is a non-self-replicating Trojan, specifically an IRC bot, that gives a remote attacker control of the infected computer. From there the attacker can collect personal or confidential information such as ID numbers, card numbers and passwords, e-mail addresses, dates of birth, full names and driver's license numbers. Manual removal is possible (see section 3), but it is error-prone, so if your computer is infected with Trojan.Win32.Ircbrute we suggest removing it with an advanced tool.

2. Technical Details:

a. The following files were created in the system:

No.  Filename                                    Size
1    %Temp%\google_cache364.tmp                  9 bytes
2    %Temp%\mserver.exe                          208,896 bytes
     [file and pathname of the sample #1]

  • Note:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

b. Memory Modifications

  • There was a new process created in the system:

Process Name    Process Filename      Allocated Size
mserver.exe     %Temp%\mserver.exe    86,016 bytes

c. Registry Modifications

  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Windows Firewall = "%Temp%\mserver.exe"

      so that mserver.exe runs every time Windows starts, for every user who logs on

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • Windows Firewall = "%Temp%\mserver.exe"

      so that mserver.exe runs every time the infected user logs on

    • Note the value name "Windows Firewall": it is chosen to look like a legitimate Windows component, so check the data (the path) rather than the name when auditing Run keys.

d. Other details

  • Attempts were registered to establish a connection with the following remote host:

    Remote Host        Port Number
    200.164.228.252    80

e. Outbound traffic (potentially malicious)

  • Attention! A new connection was established with a remote IRC server. The generated outbound IRC traffic is provided below:

    NICK ^[USA]-[XP-SP2]-069721
    USER 1360 "" "lol" :1360
    PONG :412CF8FD
    JOIN #jklolimawasp## 1a2z3a4za6z5s6x5
    PRIVMSG #jklolimawasp## :
    Bot killed from the system!

  • Outbound traffic was produced on port 31337:

    00000000 | 5041 5353 2031 6132 7A33 6134 7A61 367A | PASS 1a2z3a4za6z
    00000010 | 3573 3678 350D 0A | 5s6x5..

    The dump decodes to "PASS 1a2z3a4za6z5s6x5\r\n", an IRC server password that is identical to the channel key sent in the JOIN command above. This indicates that port 31337, rather than the standard IRC port 6667, is the bot's control channel, which makes it a good candidate for both a firewall rule and an IDS signature.

3. How-to's

a. How to prevent the Trojan.Win32.Ircbrute?

Keep the Sax2 policy (its detection knowledge base) up to date. Once Ax3soft Sax2 detects the communication of these trojans, it breaks the connection and helps ensure your network and business security. The indicators from section 2 that any IDS or firewall can use are: outbound connections to 200.164.228.252, IRC protocol commands (NICK, USER, JOIN, PASS) on a non-standard port such as 31337, and the generated nick pattern ^[USA]-[XP-SP2]-NNNNNN. Blocking outbound TCP 31337 at the perimeter and alerting on IRC commands seen on ports other than 6667 stops the bot before it joins its channel.
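The indicators from section 2e and the detection point of this section, expressed as detection logic. This is an added example and not part of the original report or of the Sax2 product: it decodes the hex dump from section 2e, replays the captured IRC lines against a few rules and, for contrast, a constructed benign session on port 6667. It assumes the IRC lines travelled over the 31337 connection (the report does not state which port carried them) and joins the PRIVMSG text onto its command line; the rule names are my own.

```python
import re

# IOC lines reproduced from the report (section 2e). The hex dump is parsed
# below; the IRC lines are assumed to have used the same 31337 connection.
HEXDUMP_31337 = [
    "00000000 | 5041 5353 2031 6132 7A33 6134 7A61 367A | PASS 1a2z3a4za6z",
    "00000010 | 3573 3678 350D 0A | 5s6x5..",
]
IRC_LINES = [
    "NICK ^[USA]-[XP-SP2]-069721",
    'USER 1360 "" "lol" :1360',
    "PONG :412CF8FD",
    "JOIN #jklolimawasp## 1a2z3a4za6z5s6x5",
    # The report shows the message text on its own line; joined here as the
    # trailing parameter (assumption).
    "PRIVMSG #jklolimawasp## :Bot killed from the system!",
]

# Constructed benign session on the standard IRC port, for contrast.
BENIGN_FLOWS = [
    (6667, "NICK alice"),
    (6667, "USER alice 0 * :Alice"),
    (6667, "JOIN #python"),
]

STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
IRC_CMD_RE = re.compile(r"^(PASS|NICK|USER|JOIN|PONG|PRIVMSG)\b", re.I)
# Generated nick template seen in the capture: optional '^', a bracketed
# locale tag, a bracketed OS tag, then a numeric suffix (heuristic).
BOT_NICK_RE = re.compile(r"^\^?\[[A-Z]{2,3}\]-\[[A-Za-z0-9-]+\]-\d{4,}$")


def decode_hexdump(lines):
    """Turn 'offset | hex | ascii' dump lines back into the raw bytes."""
    raw = bytearray()
    for line in lines:
        hex_field = line.split("|")[1]
        raw += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(raw)


def parse_irc(line):
    """Split a client line into (COMMAND, [params], trailing-or-None)."""
    line = line.rstrip("\r\n")
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return parts[0].upper(), parts[1:], trailing


def bot_flows():
    """The report's 31337 traffic as (port, line) tuples."""
    pass_line = decode_hexdump(HEXDUMP_31337).decode("ascii")
    return [(31337, pass_line)] + [(31337, ln) for ln in IRC_LINES]


def analyze(flows):
    """Return (port, rule, evidence) findings for IRC-bot-like behaviour."""
    findings = []
    flagged_ports = set()
    passwords, join_keys = set(), set()
    for port, line in flows:
        if not IRC_CMD_RE.match(line):
            continue  # not IRC client protocol; ignore
        cmd, params, _trailing = parse_irc(line)
        if port not in STANDARD_IRC_PORTS and port not in flagged_ports:
            flagged_ports.add(port)  # report each odd port only once
            findings.append((port, "irc-on-nonstandard-port", line.strip()))
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            findings.append((port, "generated-bot-nick", params[0]))
        if cmd == "PASS" and params:
            passwords.add(params[0])
        if cmd == "JOIN" and len(params) >= 2:
            join_keys.add(params[1])
            findings.append((port, "join-with-channel-key", params[0]))
    # The PASS on 31337 decodes to the JOIN channel key; a secret reused in
    # both places is a strong family-specific indicator.
    for key in sorted(join_keys & passwords):
        findings.append((None, "server-password-reused-as-channel-key", key))
    return findings


if __name__ == "__main__":
    for finding in analyze(bot_flows()):
        print(finding)
    print("benign session findings:", analyze(BENIGN_FLOWS))
```

Run stand-alone it prints four findings for the captured session and none for the benign one. The per-port rule fires once per connection, so a real deployment would key it on the 4-tuple rather than the port alone.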

b. How to Remove the Trojan.Win32.Ircbrute Manually?

Back up the registry before editing it, and carry out the steps in this order: the process has to be stopped first, because Windows will not delete an executable that is still running.

Step 1: Use Windows Task Manager to end the Trojan.Win32.Ircbrute process

%Temp%\mserver.exe

Step 2: Use Registry Editor (regedit) to remove the Trojan.Win32.Ircbrute Registry Values

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Firewall = "%Temp%\mserver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Firewall = "%Temp%\mserver.exe"

Step 3: Detect and Delete Other Trojan.Win32.Ircbrute Files

%Temp%\google_cache364.tmp
%Temp%\mserver.exe
[file and pathname of the sample #1]

The last entry is the copy of the sample that was first saved on the machine; its location depends on how it arrived (download, e-mail attachment, removable media). It is the same 208,896-byte executable that was copied to %Temp%\mserver.exe, so search for that file size if the original path is unknown, and afterwards re-check both Run keys and %Temp% to confirm nothing has been recreated.
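The three manual steps above as one script for the infected Windows host (XP Professional or later, run as Administrator). This is an added example and not part of the original page or of the Sax2 or Malwarebytes products: it stops the process, removes the Run values from both hives, deletes the dropped files from %Temp% and then re-checks all three. It uses only the Python standard library (winreg) plus the built-in taskkill and tasklist commands; the location of the original sample is not given in the report and is left for you to find.

```python
import ntpath
import os
import subprocess
import sys

try:
    import winreg  # Windows only; the pure helpers below still work elsewhere
except ImportError:
    winreg = None

# Indicators from the report (sections 2a and 2c).
PROCESS_NAME = "mserver.exe"
RUN_VALUE_NAME = "Windows Firewall"
DROPPED_FILES = ("mserver.exe", "google_cache364.tmp")
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # same under HKLM and HKCU


def launched_image(data):
    """Lower-case file name of the program a Run value starts (args stripped)."""
    d = str(data).strip()
    if d.startswith('"'):
        d = d[1:].split('"', 1)[0]
    else:
        d = d.split(" ", 1)[0]
    return ntpath.basename(d).lower()


def suspicious_run_values(values):
    """Names of Run values to delete, given {name: data} read from one Run key.
    Matches the value name from the report or anything that launches mserver.exe,
    since the name is cosmetic and the data is what actually runs."""
    return [name for name, data in values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or launched_image(data) == PROCESS_NAME]


def read_run_values(root):
    values = {}
    with winreg.OpenKey(root, RUN_SUBKEY, 0, winreg.KEY_READ) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def delete_run_values(root, names):
    if not names:
        return
    with winreg.OpenKey(root, RUN_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
        for name in names:
            winreg.DeleteValue(key, name)


def process_running(name):
    out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {name}"],
                         capture_output=True, text=True).stdout
    return name.lower() in out.lower()


def remove():
    """Steps 1-3 from the page, then a verification pass; returns leftovers."""
    # Step 1: stop the process first, or the file delete in step 3 fails.
    subprocess.run(["taskkill", "/F", "/IM", PROCESS_NAME], check=False)
    # Step 2: both Run keys (writing to HKLM needs Administrator rights).
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for label, root in roots.items():
        hits = suspicious_run_values(read_run_values(root))
        delete_run_values(root, hits)
        print(f"{label}\\...\\Run: removed {hits}")
    # Step 3: dropped files in %Temp%. The original sample path
    # ("[file and pathname of the sample #1]") is not in the report.
    temp = os.environ["TEMP"]
    for fname in DROPPED_FILES:
        path = os.path.join(temp, fname)
        if os.path.exists(path):
            os.remove(path)
            print("deleted", path)
    # Verification: nothing from the three steps should remain.
    leftovers = [os.path.join(temp, f) for f in DROPPED_FILES
                 if os.path.exists(os.path.join(temp, f))]
    for label, root in roots.items():
        leftovers += [f"{label}:{n}" for n in suspicious_run_values(read_run_values(root))]
    if process_running(PROCESS_NAME):
        leftovers.append("process " + PROCESS_NAME)
    return leftovers


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the infected Windows host, as Administrator")
    left = remove()
    print("clean" if not left else f"still present: {left}")
```

A non-empty result from remove() means a step failed (typically HKLM access without Administrator rights, or the process restarting from a location not covered by the report) and the host should be examined further rather than declared clean.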

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine with it. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware.
4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm