[Malware Review] Nasty Backdoor.IRCBot.ADEN is Back in Business

It spreads via USB devices and IM; it blocks antivirus solutions and steals all the usernames and passwords found on the infected PC

Although Backdoor.IRCBot was firstly detected a long time ago, May 2003 to be precise, this e-threat always finds a way to reinvent itself and haunt peoples’ systems all over again. It was a few weeks ago, 2011 when its last variant was spotted in the wild.

Backdoor.IRCBot.ADEN is a generic detection for the threat that spreads either via Instant Messaging clients such as Yahoo Messenger, Pidgin, Xchat or through USB devices. Given the fact that a crushing majority of PC users have at least one application that enables them to instantly communicate with friends, families or co-workers, the infection vector is well covered. Since we’re talking about a IRC bot, it’s easy to figure that it accepts a wide range of commands from its botmaster after it has successfully connected to an IRC channel.

Once on the system, it copies itself in the hidden <application data> folder; then, it adds itself to SoftwareMicrosoftWindowsCurrentVersionRun while injecting itself in all running processes, this way making sure that it is initialized at each Windows startup.

The remote attacker might initiate a variety of tasks amongst which distributed denial of service via a botnet of compromised systems, further malware download, financial data, collection of usernames and passwords, among other things.

In order to protect itself from detection and removal, Backdoor.IRCBot.ADEN attempts to block the access to all the well-known AV vendors’ sites and it also restricts access to online scanning tools. It comes “equipped” with a list of words relevant to antimalware solutions in order to make sure that no cleaning tool remains running or could be accessed in real time onto the infected PC.

Plus, it monitors the instant messaging applications installed on the PC, social networks, file servers and e-mail accounts, e-banking or gaming accounts the user might have in order to steal all the usernames and passwords typed in or stored onto the “host” computer. PayPal, Steam, Facebook, Vkontakte, YouTube, Gmail, and many more are to be monitored by this threat.  And as for social networks, it also has a special delivery: messages, tweets and wall posts that are to be sent without the users’ consent.

This article is based on the technical information provided courtesy of Cristina Vatamanu, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.