MIRC.EXE

File Behavior

MIRC.EXE has been seen to perform the following behavior:

• Creates a TCP port which listens and is available for communication initiated by other computers
• Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
• Executes a Process
• Writes to another Process's Virtual Memory (Process Hijacking)
• This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
• Changes to the file command map within the registry
• Can communicate with other computers using TCP protocols
• Can communicate with other computer systems using HTTP protocols
• Adds products to the system registry
• Executes Processes stored in Temporary Folders
• This process creates other processes on disk
• This Process Deletes Other Processes From Disk
• Makes outbound connections to other computers using NETBIOSOUT protocols
• Registers a Dynamic Link Library File
• Terminates Processes
• Reads your outlook address book
• The Process is packed and/or encrypted using a software packing process
• Includes file creation code which could be used to test for interception by security products
• Uses DNS to retrieve the IP address for web sites
• Uses your PC to connect to Chat rooms
• Creates new folders on the system
• Injects code into other processes
• Performs DNS look ups to resolve URL IP addresses
• Uses Instant Messaging to communicate without the user's knowledge
• Uses embeded Instant Message Channel Settings
• Found on infected systems and resists interrogation by security products
• The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
• Modifies Windows Initialization And System Settings Used On Start up
• Creates system tray popups, messages, errors and security warnings
• Opens browser pop ups
• Uses reverse DNS to retrieve the host names on IP addresses
• Disables or impairs the normal operation of the Windows Security Center
• Copies files
• Injects code into other processes
• This Process is a file infector which modifies program files to include a copy of the infection
• Disables safe mode on your PC
• This Process looks to see what security products and services are running on the system

MIRC.EXE has been the subject of the following behavior:

• Executed as a Process
• Created as a process on disk
• Deleted as a process from disk
• Changes to the file command map within the registry
• Terminated as a Process
• Has code inserted into its Virtual Memory space by other programs
• Executed by Internet Explorer
• Added as a Registry auto start to load Program on Boot up
• This process has been seen to have code injected by malicious programs
• Created as a new Background Service on the machine
• Created by processes which appear to be checking for interception by security products
• Copied to multiple locations on the system