If you hide extensions for known file types, there's a great chance you won't notice the difference. Besides, the infected executable loads a picture to dispel suspicion (not always). Upon execution, Backdoor:Win32/IRCbot drops a file into a users's Application data and Start Up folders, modifies Windows registry and attempts to configure the system to run malicious files automatically everytime Windows starts.
The payload program targets Facebook accounts, Windows Live Messenger, and Yahoo Messenger for further propagation. It simply injects a few words (example: ""hahdhauhahaaha did you see this??") and malicious URL into your private messages and your Facebook wall. It then hides IMs chat history. Furthermore, Backdoor:Win32/IRCbot changes the home page to http://domredi.com/1/ in Internet Explorer. It then randomly redirects Internet Explorer to other shady websites. The following website were identified:
Thankfully, you can restore your default home page and stop the annoying redirects without any problems. You can remove Backdoor:Win32/IRCbot manually as well, if you feel confident working with the Registry Editor and you know exactly which files are infected. However, please note that this Trojan may drop malicious files into different folders and download additional malware onto your computer. We strongly recommend you to use anti-malware software to remove this Trojan horse and associated malware from your computer. If you need help removing Backdoor:Win32/IRCbot, including all variants of this infection, please leave a comment below or just email use. Good luck and be safe online!
Backdoor:Win32/IRCbot removal instructions:
1. Download recommended anti-malware software (direct download) and run a full system scan to remove this backdoor Trojan from your computer.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
2. Go to Tools → Internet Options. Select General tab and click Use default button or enter your own website, e.g. google.com instead of http://domredi.com/1/. Click OK to save the changes. And that's about it.
Associated Backdoor:Win32/IRCbot files and registry values:
- C:\Documents and Settings\[UserName]\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
- C:\Documents and Settings\[UserName]\Start Menu\Programs\[SET OF RANDOM CHARACTERS].exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"