Trojan.IRC.Hack

Class Trojan
Platform IRC
Description

Technical Details

This Trojan horse is a self-extracting package that installs a program to
attack IRC clients. It then installs the Serv-U FTP server on the system,
configured to share the C: drive of the victim PC with full access.
The Trojan also registers the Serv-U FTP server in the auto-run section of the
WIN.INI file.

Because of a bug, the Trojan works only when Windows is installed in the
C:\WINDOWS directory. The Trojan also does not work under WinNT and
Win2000.

To remove the FTP server from the computer, remove the
“load=closew” entry from the [windows] section of the WIN.INI file and delete the
following files:

AJOUT.INI
CLOSEW.BAT
INSTLL.BAT
RUNDLLS.EXE
SERV-U.INI
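
The two indicators from the removal steps above can be checked read-only before anything is deleted. This is an added example, not part of the original description: the function names and the sample WIN.INI are constructed, the directory to inspect is supplied by the caller because the description does not say where the files are placed, and the check also covers `run=`, the other WIN.INI auto-run key.

```python
import ntpath
import os
import tempfile

# File names from the removal instructions on this page.
TROJAN_FILES = ["AJOUT.INI", "CLOSEW.BAT", "INSTLL.BAT", "RUNDLLS.EXE", "SERV-U.INI"]

# Constructed sample WIN.INI, not taken from a real infected machine.
SAMPLE_WIN_INI = """[windows]
load=closew
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

def autorun_entries(win_ini_text):
    """Return (key, program) pairs from load=/run= lines in the [windows] section."""
    section, found = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("load", "run"):
            # Several programs may be listed, separated by spaces or commas.
            found += [(key.lower(), prog) for prog in value.replace(",", " ").split()]
    return found

def audit(win_ini_text, directory):
    """Check for the closew auto-run entry and for the listed files in `directory`."""
    hits = [prog for _, prog in autorun_entries(win_ini_text)
            if ntpath.splitext(ntpath.basename(prog))[0].lower() == "closew"]
    present = {name.upper() for name in os.listdir(directory)}
    return {"autorun": hits, "files": [f for f in TROJAN_FILES if f in present]}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for the directory under review
        for name in ("CLOSEW.BAT", "serv-u.ini", "NOTEPAD.EXE"):
            open(os.path.join(d, name), "w").close()
        print(audit(SAMPLE_WIN_INI, d))
```

File names are compared case-insensitively, so the check also works on a disk image mounted on a case-sensitive filesystem.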