Nutrimatic drinks dispenser (OP)
Joined: Mar 2004
Posts: 7
I recently scanned my system with TrendMicro's HouseCall, and it found malware.Bkdr_Ircflood.X running in memory (and cleaned it). It never found any files that were infected with the virus, just said it was running in memory. I decided to format (it was time to format anyway), and after installing Windows XP and mirc 6.14 (did the same with 6.12), HouseCall found it again.
I was wondering if this was a HouseCall bug or if anyone else had this problem?

Hoopy frood
Joined: Dec 2002
Posts: 1,541
Sounds like it could be a false positive, where the scanner thinks it found something from code (in a file) that mimics a virus. Did it find it in a mIRC file or a mIRC script (or neither)? EDIT - if you check the TROJAN INFO link, you can see a few other places to try scanning with, for a more well-rounded idea/opinion.
Those who fail history are doomed to repeat it

Nutrimatic drinks dispenser (OP)
Joined: Mar 2004
Posts: 7
Thanks for the reply! It didn't find either mIRC itself or an mIRC script (didn't have one installed at time of scan). When it was scanning memory and system files, it would find malware.bkdr_ircflood.x if mIRC was running. If mIRC wasn't running at the time, it wouldn't find it.
I'm also scanning using tools from the thread you linked right now. Of the few that have completed, only HouseCall found this virus. I'm beginning to think that it is indeed a false positive detected by HouseCall.

Hoopy frood
Joined: Jun 2003
Posts: 5,024
Indeed, to follow on from above, it's always good practice to use more than one antivirus and/or trojan scanner. 'False positives' are common, and you can never be too safe. The opposite can be true as well, whereby one antivirus will not detect a virus but another one will. If the AVs you have have an "Auto Protect" feature, then you should have it enabled too. Stay safe. Regards,
Mentality/Chris

Mostly harmless
Joined: Mar 2004
Posts: 1
Hello, I'm having the exact same problem with TrendMicro's HouseCall scanner. Every time I open mIRC I get the BKDR_IRCFLOOD.X virus, the same problem you have. I did get rid of the ieexec.exe program and checked my registry to see if it's infected, but I found nothing. I too believe that the scanner is false. If you happen to find a scanner that also picks up BKDR.IRCFLOOD.X, please reply or e-mail me @ jamesbond236@hotmail.com with an appropriate title regarding the virus BKDR_IRCFLOOD.X which appears on TrendMicro's HouseCall scanner. Thanks, - Jay

Hoopy frood
Joined: Jun 2003
Posts: 5,024
It's still a good virus scanner and is widely used, even if it does turn up some wrong results - obviously it's just sensitive. If you simply scan with 2-3 of the virus scanners that appear in the Trojan resources thread, you should know if you're clean or not. Just an FYI, I wouldn't suggest posting your email on the public forum; spam bots crawl the web and pick up those emails, subsequently spamming them. Stay safe. Regards,
Mentality/Chris

Mostly harmless
Joined: Mar 2004
Posts: 1
I've come up with the same. Digging through some logs and stuff, here is what is setting it off:
Debug Information Level=0
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Application]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\ifexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic]
BackupRegKey[HKEY_CLASSES_ROOT\.cha]
BackupRegKey[HKEY_CLASSES_ROOT\.chat]
and
Damage Cleanup Engine (DCE) 3.5(Build 1119) Windows XP(Build 2600: Service Pack 1)
Start time : Fri Mar 26 02:49:08 2004
Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success
Complete time : Fri Mar 26 02:49:14 2004
Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)
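
The DCE log above shows exactly what the HouseCall cleanup removed: the HKEY_CLASSES_ROOT\ChatFile handler and the .cha/.chat extension keys, with the DefaultIcon data pointing at the poster's own mirc.exe. Whether that is an infection or an ordinary file association depends on where the registered command actually resolves to, which the log alone does not say. The PowerShell script below is an added example for this thread, not code from HouseCall, Trend Micro or mIRC: it reads those keys and reports the executable they point at, flagging one that lives in a temp directory (the location a later post in this thread reports for the copies it found). $ExpectedDir is an assumption and should be set to the folder mirc.exe was really installed in.

```powershell
# Added example, not code from this thread, HouseCall or mIRC.
# Reports what the ChatFile / .chat / .cha registry keys that HouseCall deleted
# actually point at, so the hit can be compared with the real mIRC install.
# $ExpectedDir is an assumption: set it to the folder mirc.exe was installed in.
param([string]$ExpectedDir = 'C:\Program Files\mIRC')

function Get-RegDefault {
    param([string]$Key)
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes.
    $path = "Registry::HKEY_CLASSES_ROOT\$Key"
    if (Test-Path $path) { (Get-ItemProperty $path).'(default)' } else { $null }
}

function Get-ChatAssociation {
    [pscustomobject]@{
        '.chat'     = Get-RegDefault '.chat'
        '.cha'      = Get-RegDefault '.cha'
        DefaultIcon = Get-RegDefault 'ChatFile\DefaultIcon'
        OpenCommand = Get-RegDefault 'ChatFile\shell\open\command'
        DdeApp      = Get-RegDefault 'ChatFile\shell\open\ddeexec\Application'
    }
}

function Get-ExePath {
    param([string]$Value)
    # Extract the executable from a value such as  "E:\mIRC\mirc.exe" "%1"  or  E:\mIRC\mirc.exe,0
    if (-not $Value) { return $null }
    $exe = if ($Value -match '^"([^"]+)"') { $Matches[1] } else { ($Value -split ' ')[0] }
    $exe -replace ',-?\d+$', ''   # strip a trailing icon index
}

function Test-ExePath {
    param([string]$Value)
    $exe = Get-ExePath $Value
    if (-not $exe) { return 'nothing registered' }
    $tempDirs = @($env:TEMP, (Join-Path $env:WINDIR 'Temp'))
    if ($tempDirs | Where-Object { $exe -like "$_\*" }) {
        return "SUSPICIOUS: $exe is in a temp directory"
    }
    if ($exe -like "$ExpectedDir\*") {
        $sig = (Get-AuthenticodeSignature $exe -ErrorAction SilentlyContinue).Status
        return "expected: $exe is inside $ExpectedDir (file exists: $(Test-Path $exe); signature: $sig)"
    }
    return "REVIEW: $exe is outside $ExpectedDir"
}

$assoc = Get-ChatAssociation
$assoc | Format-List
'DefaultIcon  -> ' + (Test-ExePath $assoc.DefaultIcon)
'open command -> ' + (Test-ExePath $assoc.OpenCommand)
```

Run it from an elevated prompt before and after a HouseCall clean, and again after starting mIRC: if the keys reappear pointing at the same mirc.exe inside the install folder, that is the client re-registering its file type, which is what the posters who see it "come back" on every mIRC start are describing. A command pointing somewhere else is the case worth sending to Trend Micro, as suggested later in the thread.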

Bowl of petunias
Joined: Mar 2004
Posts: 2
Yes, I also have received the BKDR_IRCFLOOD.x, and only Trend Micro seems to be finding this file, and each time HouseCall removes it, I reboot my computer and this file shows up again!
I have used NAV 2004 Pro, KAV, McAfee, AVG, Pest Patrol, Spybot Search & Destroy, Trojan Hunter and the GFI Online Trojan Scanner, and none of these showed BKDR_IRCFLOOD.x!
Is BKDR_IRCFLOOD.x actually a file, much less a form of malware? I have spent the better part of the past 5 hours scouring my two computers and notebook here at home.
Jammy
Skepticism Is A Virtue

Hoopy frood
Joined: Dec 2002
Posts: 1,541
I couldn't tell you, as this is not my area of expertise (i.e. how trojans work and what their filenames are, etc.).
Those who fail history are doomed to repeat it

Hoopy frood
Joined: Jun 2003
Posts: 994
I refuse to engage in a battle of wits with an unarmed person.

Ameglian cow
Joined: Sep 2003
Posts: 38
@rew: Debug Information Level=0 etc. So it's harmless?
Like almost everyone else, I too have that backdoor on my system. Only Trend Micro seems to find it, but not on every system. Even at home, where I have 3 different computers, just 1 is "infected". Though I think nothing is wrong (using cmd and looking at netstat shows no open connection I didn't open myself), I did find something else. When connecting to irc.quakenet.org and joining #5on5 I got G-Lined. (Probably just an on-join G-Line.) Still, it's weird that every time you start mIRC again, you have been "infected" again.

Bowl of petunias
Joined: Mar 2004
Posts: 2
Thanks! But ya know that I have never had any of those entries in my registry!!! I get so tired of manually going to my registry only to not find anything.
Trend Micro may have found something but how come none of the other AV programs can find anything?
Another reason why I agree that this is just a false positive.
Jammy
Skepticism Is A Virtue

Hoopy frood
Joined: Dec 2002
Posts: 3,127
It's not at all uncommon for one AV to find something that another one doesn't. Have you contacted Trend Micro to ask them to investigate whether it's a false positive? Don't just assume it is. Although, if it was something within the basic mIRC (as downloaded from mirc.com) triggering it, then it seems like everyone with mIRC who uses HouseCall would get the same results.
ParaBrat @#mIRCAide DALnet

Mostly harmless
Joined: Mar 2004
Posts: 1
I too have had this "virus". However, for me it only comes back after I restart mIRC. If I start mIRC, exit, clean it, restart mIRC... it's there again. Don't open mIRC, and it doesn't appear!
I have none of those registry entries mentioned, nor the .exe file. Fortunately, I found this thread before I tried a format. Think I might try emailing Trend Micro about this.
kilo

Mostly harmless
Joined: Mar 2004
Posts: 1
Haven't you guys experienced any effects from the malware?
For me the malware deleted all my Internet Explorer Favorites (which was extremely frustrating) and changed my start page.

Hoopy frood
Joined: Jun 2003
Posts: 5,024
I think what most of these guys are saying is that Trendmicro is turning up a confirmed infection when actually, they are not infected - meaning they would not suffer.
Perhaps you really were infected and therefore, you did.
Hope you manage to get back on track though :-)
Regards,
Mentality/Chris

Mostly harmless
Joined: Mar 2004
Posts: 1
I have the same problem... can't anyone help clean this virus?

Hoopy frood
Joined: Dec 2002
Posts: 3,127
CtrlAltDel provided a link to trendmicro that details how to clean that virus if you are in fact infected with it. Unless every file and all registry entries are removed, each time you open mIRC the trojan will restart.
Whether there is something triggering a false positive in puters that aren't actually infected, I don't know.
ParaBrat @#mIRCAide DALnet

Mostly harmless
Joined: Apr 2004
Posts: 1
I have the same problem.
I found out that this worm is creating 3 files in the folder %windows%\temp; the files are: mirc.exe, lol.exe and lol.bat.
If I open any txt file, my system shuts down (it loads the lol.bat file first, and then mirc.exe and lol.exe).
- TrendMicro is the only tool to find this worm (but it didn't say which file is infected, only "system files").
If I reinstall Windows, will that solve this problem, or will I get this worm again if I connect to IRC?
Sorry for my bad English. Best regards, Whity

Mostly harmless
Joined: Apr 2004
Posts: 1
You have to delete Windows\System32\notepad.exe, which is a self-extracting file (the virus). You can either:
1) replace this file with the standard Windows/notepad.exe
2) delete any reference to 'System32\notepad.exe' in your registry. When you do that, if you try and open a txt file, windows will ask you to select a program to open it with - just choose Windows\notepad.exe
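
The last two posts name concrete artefacts: mirc.exe, lol.exe and lol.bat under %windows%\temp, and a System32\notepad.exe that one poster says should be deleted. Before removing a system binary it is worth confirming that the System32 copy really differs from the one in the Windows directory, and seeing what the .txt association actually launches. The script below is an added example, not code from this thread or from Trend Micro; the file names it checks are the ones the posters reported, and nothing else about the malware is assumed. Per-user associations in HKCU\Software\Classes (and, on later Windows versions, Explorer's UserChoice key) can override the machine-wide value, so the .txt lookup is only a first check.

```powershell
# Added example, not code from this thread. Gathers the artefacts the posters
# report (mirc.exe, lol.exe, lol.bat under %WINDIR%\Temp, and the two
# notepad.exe copies) so that deleting anything rests on evidence.
# The file names are the ones reported in the thread; nothing else is assumed.

function Get-FileEvidence {
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $Path
        Exists    = [bool]$f
        Size      = if ($f) { $f.Length } else { $null }
        Modified  = if ($f) { $f.LastWriteTime } else { $null }
        Sha256    = if ($f) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { $null }
        Signature = if ($f) { (Get-AuthenticodeSignature -FilePath $Path).Status } else { $null }
    }
}

function Get-TempArtifacts {
    # The three files one poster found in %windows%\temp.
    foreach ($name in 'mirc.exe', 'lol.exe', 'lol.bat') {
        Get-FileEvidence (Join-Path (Join-Path $env:WINDIR 'Temp') $name)
    }
}

function Compare-NotepadCopies {
    # Windows ships notepad.exe in both %WINDIR% and %WINDIR%\System32; a
    # replaced System32 copy would show a different hash and no valid signature.
    $copies = foreach ($rel in 'notepad.exe', 'System32\notepad.exe') {
        Get-FileEvidence (Join-Path $env:WINDIR $rel)
    }
    $copies | Format-Table Path, Exists, Size, Sha256, Signature -AutoSize
    if ($copies[0].Exists -and $copies[1].Exists) {
        if ($copies[0].Sha256 -eq $copies[1].Sha256) { 'The two notepad.exe copies are identical.' }
        else { 'The two notepad.exe copies DIFFER: check which one is Microsoft-signed before deleting either.' }
    }
}

function Get-TxtOpenCommand {
    # What the shell runs for a .txt file; one poster reports that opening a
    # .txt file started lol.bat. HKCU\Software\Classes and the Explorer
    # UserChoice key can override this machine-wide value.
    $progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.txt' -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return 'no .txt association' }
    (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

Get-TempArtifacts | Format-Table Path, Exists, Size, Modified, Sha256 -AutoSize
Compare-NotepadCopies
'.txt opens with: ' + (Get-TxtOpenCommand)
```

If the temp files exist, copy them somewhere safe (or submit them to the vendor) before deleting, since they are the only thing that would let Trend Micro decide whether the HouseCall detection on the other posters' machines is the same thing or a false positive.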