Threat Encyclopedia


Trojan/IRC.Chaos

Trojan/IRC.Chaos is a typical IRC trojan. It is 7200 bytes in size and is runtime compressed / protected by UPX, an open-source runtime executable packer.

Installation and Autostart Techniques

Upon execution, the trojan copies itself into the Windows folder as “lsass.exe”.
The trojan creates a mutex “XSMUzadgfa” to prevent multiple instances of itself from running on one machine.

The trojan adds the following registry entries so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“Netservice Com” = “%WINDOWS%\lsass.exe”

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
“Netservice Com” = “%WINDOWS%\lsass.exe”
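
As an added example (not part of the original write-up and not vendor code), the following Python code checks saved `reg query` output for the two autostart entries above and for an lsass.exe referenced outside System32, where the genuine Windows file resides. The function names, the sample output and the default C:\WINDOWS path are assumptions constructed for illustration.

```python
import re
from ntpath import basename, dirname, normpath

# Indicators taken from the description above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "netservice com"   # autostart value name
DROPPED_NAME = "lsass.exe"      # name of the copy in the Windows folder
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# %WINDOWS% is the write-up's notation; %windir% / %SystemRoot% are the real variables.
ENV_RE = re.compile(r"%(windir|systemroot|windows)%", re.I)

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Netservice Com    REG_SZ    C:\WINDOWS\lsass.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Netservice Com    REG_SZ    C:\WINDOWS\lsass.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3).strip().strip('"')

def find_chaos_autostart(text, windir=r"C:\WINDOWS"):
    """Return (key, name, path, reasons) for entries matching the described behaviour."""
    system32 = normpath(windir + r"\System32").lower()
    findings = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue
        path = normpath(ENV_RE.sub(lambda _: windir, data))
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("autostart value name matches")
        if basename(path).lower() == DROPPED_NAME and dirname(path).lower() != system32:
            reasons.append("lsass.exe referenced outside System32")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings

if __name__ == "__main__":
    print(*find_chaos_autostart(SAMPLE), sep="\n")
```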

The trojan connects to an IRC channel, #Chaos, and sends notifications via private message (PRIVMSG) to the channel host. The trojan is able to upload files to/from its host.
Downloaded files can be executed by this trojan after downloading.
The trojan uses InternetGetConnectedState so that it uploads and notifies only when a valid internet connection exists, to avoid popping up dial-in dialogs.

Other details

This trojan was programmed with a stripped-down version of LCC, a freeware compiler kit.

© 1992-2005 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.