
About “Backdoor:Win32/IRCbot.FY” infection


Backdoor:Win32/IRCbot.FY is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and cure your PC during the trial period.
A 6-day free trial is available.

What Backdoor:Win32/IRCbot.FY virus can do?

  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Queries information on disks, possibly for anti-virtualization
  • Detects Sandboxie through the presence of a library
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Operates on local firewall’s policies and settings

How to identify Backdoor:Win32/IRCbot.FY?

File Info:

name: F3A5AB39605118A0689A.mlw
path: /opt/CAPEv2/storage/binaries/444914c847e52859339ba25fb6499c9880223041293102ec0cb0cbd3a6661e7f
crc32: 98916651
md5: f3a5ab39605118a0689afc0ca7ab276a
sha1: 4e51116162fd1ccf6808228d6b9b904813bf0d30
sha256: 444914c847e52859339ba25fb6499c9880223041293102ec0cb0cbd3a6661e7f
sha512: d6abbe46c51664a050f434aa4004110d4c85bf9a5c102c8f53582ef7c1144f94899b2ccfaf5f1a617c0b0b0fa32da807aef2f9ac48e7edf577ecbbc9706dfd46
ssdeep: 1536:uuqNAOCxiH8SWttzZQeCLSQ3pRX7ZlojgWYevDCvbSgBvU:5qfCxjSsFQeVQZRX7ZlEgWqmwvU
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T10793E5C383C2454ED7879CB1B845AB275154DF3800798752B7A27F682E326DBE8A4B1F
sha3_384: 880f1a639c0710e534457bf708de873c08c59baaaa697afe056fe934614b90b9e95a6573f61fdb2da6727befc2e46a06
ep_bytes: 558bec6aff6860a04000683090400064
timestamp: 2011-09-17 12:44:17

Version Info:

Comments:
CompanyName:
FileDescription:
FileVersion: 2.0
InternalName:
LegalCopyright: Copyright © 2011
LegalTrademarks:
OriginalFilename:
PrivateBuild:
ProductName:
ProductVersion: 2.0
SpecialBuild:
Translation: 0x0410 0x04b0

Backdoor:Win32/IRCbot.FY also known as:

Bkav: W32.AIDetect.malware2
Lionic: Trojan.Win32.Buzus.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.Cripack.Gen.1
FireEye: Generic.mg.f3a5ab39605118a0
McAfee: PWS-Zbot.gen.bbe
Cylance: Unsafe
Zillya: Trojan.Buzus.Win32.81974
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: EmailWorm ( 003284441 )
Alibaba: Worm:Win32/IRCBot.8326efb2
K7GW: EmailWorm ( 003284441 )
CrowdStrike: win/malicious_confidence_100% (D)
Arcabit: Trojan.Cripack.Gen.1
BitDefenderTheta: AI:Packer.9843F4FF21
Symantec: Packed.Generic.341
ESET-NOD32: Win32/AutoRun.IRCBot.HO
Baidu: Win32.Worm.IRCBot.ai
TrendMicro-HouseCall: HV_ZYX_BH0128A0.TOMC
ClamAV: Win.Trojan.Buzus-9317
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.Cripack.Gen.1
NANO-Antivirus: Virus.Win32.Gen.ccmw
SUPERAntiSpyware: Trojan.Agent/Gen-Buzus
Avast: Win32:Regrun-JI [Trj]
Tencent: Win32.Trojan.Generic.Eddl
Ad-Aware: Trojan.Cripack.Gen.1
Emsisoft: Trojan.Cripack.Gen.1 (B)
Comodo: Malware@#29mhsl708525a
DrWeb: Trojan.PWS.SpySweep.91
VIPRE: Trojan.Win32.Encpk.pa (v)
McAfee-GW-Edition: BehavesLike.Win32.Downloader.mh
SentinelOne: Static AI – Malicious PE
Sophos: ML/PE-A + Mal/EncPk-AAQ
APEX: Malicious
Jiangmin: Trojan/Buzus.azyd
Webroot: W32.Trojan.Gen
Avira: TR/Dropper.Gen
Antiy-AVL: Trojan/Generic.ASMalwS.1AC1CE
Microsoft: Backdoor:Win32/IRCbot.FY
ViRobot: Trojan.Win32.Buzus.90112.R
GData: Trojan.Cripack.Gen.1
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Buzus.R12794
VBA32: BScope.Trojan-PSW.Zbot.1692
MAX: malware (ai score=100)
Rising: Trojan.Generic@ML.100 (RDML:juzaEUjWQkeo5n9M5uamYA)
Yandex: Trojan.Injector!XA//RdUmTnM
Ikarus: Trojan.Win32.Buzus
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Injector.HCR!tr
AVG: Win32:Regrun-JI [Trj]
Cybereason: malicious.960511
Panda: Generic Malware

How to remove Backdoor:Win32/IRCbot.FY?

Backdoor:Win32/IRCbot.FY removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
