Computer threats and malicious software description

IRCBot.GNS

2013-02-10

Aliases: Backdoor:W32/IRCBot.GNS; Backdoor.Win32.IRCBot.dig; Worm/IrcBot.96950; Worm:Win32/Pushbot.EA

Category: Malware

Parameters: Size: 96950; Type: Backdoor; Platform: W32

Short description

W32/IRCBot.GNS is a Trojan horse that contains a backdoor.

Backdoors are programs that allow a remote hacker to access the infected system and execute commands.

Long description

W32/IRCBot.GNS arrives on the system as a file dropped by other malware.

When started, it creates a copy of itself in:

%windir%\mservice.exe

Note: %windir% is the Windows folder, usually C:\Windows\

It creates an autostart entry in the registry.

The malware tries to connect to the following IRC server and join the channel #pBot:

http.xn--mg-kka.com:[removed]/TCP

The presence of outgoing traffic to that address is a symptom of infection.

It creates the following entry in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MSN = C:\Windows\mservice.exe

It also creates the following file:

%windir%\mservice.exe

The activities of W32/IRCBot.GNS are:

  • performs DDoS against a certain IP;
  • downloads and starts files;
  • spreads via the MSN and AIM protocols;
  • sets IE to remember passwords on the infected system;
  • updates itself.
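
The host indicators listed above (the Run value MSN, the file %windir%\mservice.exe and the size 96950) can be checked offline against evidence collected from an endpoint. The following Python code is an added example, not part of the original description; it assumes registry evidence in `reg query` text form and a file listing given as a path-to-size mapping, and its function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME, FILE_NAME, FILE_SIZE = "MSN", "mservice.exe", 96950

# A value line of `reg query` output: name, type and data split by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value name, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def normalize(path, windir=r"C:\Windows"):
    """Strip quotes/arguments, expand %windir%, unify slashes and case."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    path = re.sub(r"%(windir|systemroot)%", lambda _: windir, path, flags=re.I)
    return ntpath.normpath(path).lower()

def triage(reg_text, files, windir=r"C:\Windows"):
    """Return findings; `files` maps a path to its size in bytes."""
    target = normalize(ntpath.join(windir, FILE_NAME))
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        if key.lower() == RUN_KEY.lower() and normalize(data, windir) == target:
            findings.append(("run-key", name,
                             "name+path" if name == VALUE_NAME else "path only"))
    for path, size in files.items():
        if normalize(path, windir) == target:
            # The bot self-updates, so a different size does not clear the host.
            findings.append(("file", path,
                             "size matches" if size == FILE_SIZE else "size differs"))
    return findings

# Constructed sample evidence (not from a real host).
SAMPLE_REG = "\n".join([
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r'    Updater Task    REG_SZ    "C:\Program Files\Updater\upd.exe" /background',
    r"    MSN    REG_SZ    C:\Windows\mservice.exe",
])
SAMPLE_FILES = {r"C:\Windows\notepad.exe": 193536, r"%windir%/mservice.exe": 96950}

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

A "path only" or "size differs" finding still warrants investigation, because the value name and file size are the easiest indicators for an updated variant to change.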