Aliases: Backdoor.IRC.Mimic.h, Troj/Mimic-A, Backdoor:IRC/Bnc.G*, BDS/Mimic.IRC.Z, mIRC/Mimic
Variants: IRC/Flood, IRC/Momma, IRC/WinHelp.a, TROJ_GTMINESXF.A, Trojan.Win32.Glitch

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 05 Oct 2000
Damage: Low

Characteristics: This malware is an Internet Relay Chat (IRC) bot tool that can be used to deliver a Distributed Denial of Service (DDoS) attack. W32.LXD.Mirc carries a copy of an IRC client in its code and uses computer systems that do not run an IRC client as launching pads for attacks. Multiple command prompt windows may be opened on the infected machine to issue ping commands against potential target systems.

More details about W32.LXD.Mirc

This malware is normally delivered as an executable file that extracts W32.LXD.Mirc onto the compromised computer system. On first execution, the threat creates a copy of itself, as another executable file, in the operating system's directory. It then adds a new registry value that points to the exact location of its main executable, and uses that registry entry to load automatically at every restart or boot of the infected machine. When active, this malware can be used by a remote attacker to take control of the computer system's resources.

W32.LXD.Mirc usually requires the Visual Basic runtime files to be present on the compromised machine in order to execute properly and deliver its payload. When an active IRC client is detected on the infected computer system, the malware uses it to spread its code. On machines where no IRC client is present, W32.LXD.Mirc instead begins pinging specific servers. This produces a Distributed Denial of Service attack that ties up the resources of the attacked server and makes it vulnerable to the entry of malicious code.
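As an added, defender-side example that is not part of this profile, the following Python flags the ping pattern described above (many ping.exe launches from cmd.exe against one target within a short window) over constructed process-creation log lines. The line format, host names, addresses and threshold are assumptions, not telemetry from the malware itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one process creation per
# line: timestamp, host, parent image, image, command line.
SAMPLE_LOG = """\
2000-10-05T10:00:01 host=WS01 parent=explorer.exe image=ping.exe cmdline="ping -n 4 intranet.example"
2000-10-05T10:02:10 host=WS01 parent=cmd.exe image=ping.exe cmdline="ping -t 192.0.2.10"
2000-10-05T10:02:11 host=WS01 parent=cmd.exe image=ping.exe cmdline="ping -t 192.0.2.10"
2000-10-05T10:02:11 host=WS01 parent=cmd.exe image=ping.exe cmdline="ping -t 192.0.2.10"
2000-10-05T10:02:12 host=WS01 parent=cmd.exe image=ping.exe cmdline="ping -t 192.0.2.10"
2000-10-05T10:02:13 host=WS01 parent=cmd.exe image=ping.exe cmdline="ping -t 192.0.2.10"
2000-10-05T10:30:00 host=WS02 parent=cmd.exe image=ping.exe cmdline="ping -n 1 192.0.2.10"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

def parse_log(text):
    """Parse the constructed line format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def ping_flood_alerts(records, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (host, target) where cmd.exe spawned ping.exe at
    least `threshold` times within `window`; ordinary one-off pings are ignored."""
    by_key = defaultdict(list)
    for r in records:
        if r["image"].lower() == "ping.exe" and r["parent"].lower() == "cmd.exe":
            target = r["cmdline"].split()[-1]  # last argument is the host pinged
            by_key[(r["host"], target)].append(r["ts"])
    alerts = []
    for (host, target), times in by_key.items():
        times.sort()
        j = 0  # sliding window over sorted launch times
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.append({"host": host, "target": target, "count": i - j + 1})
                break
    return alerts
```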