Computer experts are familiar with the .com file type. The .com extension is often used by binary program files under MS-DOS. Why is this important? Because anything that has the '.com' extension on a windows system is considered as an executable file and is executed when a user doubles click on it. The same is true for the '.scr' file extension. We have seen malware authors rename their executable files to .com to trick user into downloading and executing their software.

Today, some users connected to an Internet Relay Chat (IRC) network received the following private message: "OMG is that you naked?: http://xxxxxxxx.com/contact.php?e-mail=foo@hotmail.com". A user seeing the link would think that this is a normal link and not a URL that will download an executable.

Upon download, the program reveals itself as being a normal Portable Executable (PE) file. This threat is fairly new. At the time of writing, only two antivirus company have detection for it. Nod32 detects this malware as Win32/IRCBot.AAJ trojan. This sample was fun to analyze because it is relatively small and contains something I particularly enjoy: encoded strings! When looking at the code, we have the following:

.data:0040C150 str1 db 'ZJ]',0

.data:0040C158 str2 db '_FAH/5',0

.data:0040C160 str3 db 'E@FA',0

.data:0040C168 str4 db 'AFLD',0

.data:0040C170 str5 db 'DFLD',0

.data:0040C178 str6 db '_@AH/5', 0

By looking a bit deeper in the code, we see that all these strings are accessed by the same function which is a decoding loop. The decoding loop is very typical, it simply applies an XOR operation to every character of the string. We put together a small IDA Python script to decode the strings and came up with the following:

.data:0040C150 str1 db 'ZJ]',0 ; USER

.data:0040C158 str2 db '_FAH/5',0 ; PING :

.data:0040C160 str3 db 'E@FA',0 ; JOIN

.data:0040C168 str4 db 'AFLD',0 ; NICK

.data:0040C170 str5 db 'DFLD',0 ; KICK

.data:0040C178 str6 db '_@AH/5' ; PONG :

From these strings, we draw the conclusion that this is a Bot that will connect to an IRC server. The two functionalities of this threat is to download and execute additional programs and to send messages to more IRC users. The botmasters behind this attack are currently installing a Dialer on infected hosts that connect to their IRC server.

A dialer is a program that will start your modem and dial a toll call. If a dialer gets installed on your system, your phone bill might be very big the next month, especially if the toll call is placed to a number on the other side of the globe. It should be noted that dialers can only dial a number if you have dial-up phone service. Users of cable, DSL and wireless are not directly connected to a phone line, making the dialer unable to place calls.

Pierre-Marc Bureau
Researcher