What are best practice forensics after finding an IRC bot
Posted on 2007-10-12
What are the best practices for follow-up to a bot removal? I was called on site to a client's small business and found a very simple IRC bot installed that launched on startup and made no attempt to conceal itself. I was able to locate it without a great deal of time and effort; it was installed in a folder in System32\, but the ease with which I could find and remove it led me to ask if there is a false sense of security, since the system scans show no virus and the system is working as expected. I cleaned a Storm Worm infected machine about two months ago, and that was the most stubborn cleanup that I had seen in many years. With this one I deleted the folder and the registry entries and it was gone; it just seemed too easy. The owner told me that he always killed the application as soon as he booted up, so I want to believe it never got past the immediate IRC logins.
In the properties of the executable the company name was 'GoHack, Inc.'
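As an added example (not part of the original post or any reply), the script below audits the autostart locations the post mentions (Run keys, the startup folder, services) plus recently modified binaries under System32 and live connections to the usual IRC port range, so that a leftover persistence entry or a still-running bot shows up after a manual cleanup. It assumes PowerShell 3.0 or later and an elevated prompt; the 30-day window and the 6660-6679 port range are assumptions chosen for illustration, and the company-name column is there because the post notes that the binary's version info carried a company name.

```powershell
# Added post-cleanup verification example (not from the original post).
# Assumes PowerShell 3.0+ and an elevated session on the cleaned host.

# Autostart registry keys commonly used by simple bots (assumed list).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host '== Registry Run/RunOnce entries =='
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # Drop the PS* metadata properties so only value names and commands remain.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object {
                $_.PSObject.Properties | ForEach-Object {
                    [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
                }
            }
    }
}

Write-Host '== Startup folder contents =='
Get-ChildItem -Path "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" `
              -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Write-Host '== Services whose binary is not Authenticode-signed =='
Get-CimInstance Win32_Service | ForEach-Object {
    # Strip quotes and arguments from the service command line to get the image path.
    $path = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{ Service = $_.Name; Path = $path; SigStatus = $sig.Status }
        }
    }
}

Write-Host '== Executables under System32 modified in the last 30 days (assumed window) =='
Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, LastWriteTime, @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } }

Write-Host '== Established TCP connections to the 6660-6679 IRC port range (assumed range) =='
# netstat -ano prints "proto local remote state pid"; the owning PID is the last column.
netstat -ano | Select-String -Pattern ':66[67]\d\s+ESTABLISHED'
```

Run it once right after the cleanup and again after a reboot: a bot that is launched on startup will reappear in the Run key or startup folder listing, and the connection check catches one that is already talking to its server. Any unsigned service binary or freshly written executable under System32 that the listing turns up should be compared against the files you removed before deciding the host is clean.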