A backdoor that can be distributed as autorun.inf and can infect all removable disks except A: and B:. Data on successful completion of the infection process is transmitted via IRC. BackDoor.IRC.Aryan.1 can also infect removable media using the following routine: first, the bot replicates itself to the device, creates a new folder, and moves the files from the root folder into the newly created one. After that, the malicious program plants shortcuts to the original files and to its own files in the root folder. Successful completion of this routine is likewise reported via IRC.
If the bot is launched from the removable media device, it runs a search for the cmd.exe process and kills it.
Then it copies itself to %APPDATA%, assigns the copy the HRS (hidden, read-only, system) attributes, and registers this copy in HKCU(HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The malicious program constantly verifies that its executable file is present on the hard drive. If the file is missing, the bot reads itself from the drive and then loads the executable from memory. At the same time, the backdoor checks the autorun key and, when necessary, modifies it.
The malware attempts to inject a single malicious module into csrss.exe, alg.exe, and dwm.exe. The module is responsible for restarting the Trojan.
BackDoor.IRC.Aryan.1 tries to inject the payload into explorer.exe. If this operation is unsuccessful, the Trojan initiates a separate thread to execute the payload.
BackDoor.IRC.Aryan.1 can download and run files specified by cybercriminals and launch DoS attacks on command from an IRC server.
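For triage of a suspect removable drive, the layout left by the routine in the first paragraph (root files moved into a new folder, shortcuts planted in their place, optionally an autorun.inf) can be checked with a simple heuristic. This is an added example, not code from the original description; the function names, the threshold and the assumption that a shortcut is named after its target are illustrative, and the sample listing is constructed.

```python
import os

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def snapshot(root):
    """Return (root file names, {subfolder: file names}) one level below root."""
    root_files, folders = [], {}
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                root_files.append(entry.name)
                continue
            try:
                with os.scandir(entry.path) as sub:
                    folders[entry.name] = [f.name for f in sub if f.is_file()]
            except OSError:  # e.g. "System Volume Information" is not readable
                folders[entry.name] = []
    return root_files, folders

def shortcut_swap_findings(root_files, folders, min_matches=3):
    """Flag a drive root whose files were moved into a folder and replaced by .lnk files."""
    findings = []
    lower = [name.lower() for name in root_files]
    if "autorun.inf" in lower:
        findings.append("autorun.inf in drive root")
    # Assumption: a shortcut is named after its target ("a.doc.lnk" or "a.lnk").
    links = {name[:-4] for name in lower if name.endswith(".lnk")}
    for folder, files in folders.items():
        names = set()
        for f in (f.lower() for f in files):
            names.update((f, os.path.splitext(f)[0]))
        hits = links & names
        if len(hits) < min_matches:
            continue  # a few ordinary shortcuts are not suspicious on their own
        findings.append(f"{len(hits)} root shortcuts mirror files in '{folder}'")
        exes = sorted(f for f in files if f.lower().endswith(EXEC_EXT))
        if exes:
            findings.append(f"executable beside moved files in '{folder}': {', '.join(exes)}")
    return findings

# Constructed sample listing (not taken from a real infected drive).
SAMPLE_ROOT = ["autorun.inf", "report.docx.lnk", "photo.jpg.lnk", "budget.xlsx.lnk", "setup.lnk"]
SAMPLE_FOLDERS = {"data": ["report.docx", "photo.jpg", "budget.xlsx", "setup.exe"]}

if __name__ == "__main__":
    for line in shortcut_swap_findings(SAMPLE_ROOT, SAMPLE_FOLDERS):
        print(line)
```

On a real drive, feed it the output of snapshot() for the drive root; a finding is a reason to inspect the drive from a system with autorun disabled, not a verdict.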