
IRC Botnets Alive, Effective & Evolving

NIRMAL SINGH
April 23, 2015 - 16 min read
Introduction
An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.
 
In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.
 
DorkBot Installer
In our telemetry data from the last 3 months we have seen the following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif  (Check the APPENDIX section for additional info.)
The malware executable checks for two command line arguments:
  • "-aav_start" - It terminates
  • "-shell" - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named "Windows_Shared_Mutex_231_c000900" to ensure only one copy of DorkBot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions.
 
It first injects a thread into svchost.exe and performs the following actions:
  1. Copies itself as "%APPDATA%\Update\Explorer.exe" on the infected system.
  2. Creates a Run registry key with the name "Windows Explorer Manager" for the dropped executable copy.
  3. Creates a thread that monitors the Run key created in step 2 and recreates it if missing, every 10,000 seconds.
  4. Creates a thread that copies the file created in step 1 to a file named "\c731200" in the "%APPDATA%" folder.
  5. Creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains, as shown in the image below:
[Image: DorkBot - Hardcoded Domains]
The main DorkBot binary (MD5: E7E48AD1A2A57CC94B56965AA8B476DA) is embedded in the installer's resource section, from which it is extracted and executed at runtime.
 
[Image: DorkBot - memory strings]
 
It also creates a remote thread in the "calc.exe" process that performs the following actions:
  1. Creates a mutex with the name "c731200".
  2. Checks for Internet connectivity using the InternetCheckConnection API with www.google.com as the URL.
  3. Tries to download files from 20 different URLs and saves each downloaded file under a random file name in the %Temp% folder. The file names are shown in the screenshot below:
[Image: DorkBot - Random file names]
All the URLs are hardcoded in DorkBot and encrypted with a custom encryption routine.
[Image: DorkBot - Encrypted URLs]
[Image: DorkBot - Pseudocode of decryption function]
 
Below is the full list of URLs from which it tries to download additional malware:
 
URL
http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
http://api2[.]wipmania[.]com[.]wipmsc[.]ru/api2.gif
http://api3[.]wipmania[.]com[.]wipmsc[.]ru/api3.gif
http://api4[.]wipmania[.]com[.]wipmsc[.]ru/api4.gif
http://api5[.]wipmania[.]com[.]wipmsc[.]ru/api5.gif
http://api6[.]wipmania[.]com[.]wipmsc[.]ru/api6.gif
http://api7[.]wipmania[.]com[.]wipmsc[.]ru/api7.gif
http://api8[.]wipmania[.]com[.]wipmsc[.]ru/api8.gif
http://api9[.]wipmania[.]com[.]wipmsc[.]ru/api9.gif
http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif
http://api[.]wipmania[.]com[.]selfmg[.]ru/api.gif
http://api[.]wipmania[.]com[.]lotus5[.]ru/api.gif
http://api[.]wipmania[.]com[.]wipmania[.]ru/lkwaxd.gif
http://api[.]wipmania[.]com[.]lotys[.]ru/vjojai.gif
http://api[.]wipmania[.]com[.]bwats[.]ru/ofjtme.gif
http://api[.]wipmania[.]com[.]stcus[.]ru/apsphv.gif
http://api[.]wipmania[.]com[.]cmoen[.]ru/zkmchm.gif
http://api[.]wipmania[.]com[.]artbcon3[.]ru/frflec.gif
http://api[.]wipmania[.]com[.]yeloto[.]ru/zwfmwd.gif
http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif
 
DorkBot
DorkBot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. DorkBot is also known as ngrBot due to its similar feature set. It is one of the most powerful IRC based botnets and generates revenue for the botnet operator via the following features:
 
  • Capable of spreading via chat messengers, USB drives, & social networking sites
  • Supports multiple Distributed Denial of Service (DDoS) attack types
  • Capable of stealing login credentials for multiple HTTP and FTP sites
  • Blocks security update related websites to evade detection
  • Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis
From our three months of telemetry data, we have seen the following URLs serving these IRC bots:

URL                               MD5                               Malware Name
Ernsthaft[.]su/ert[.]exe          6C738D0A737D16C87EB40C24C5F594A6  IRCBot.HI
Mslighton[.]net/uploads/io[.]exe  C73DBA5827728EEAC59951B14AB329F4  RageBot
Colorfashionbox[.]com/u[.]exe     F919C902AC07AF339BBD753E6EFF89C7  Phorpiex
Dumanfun[.]com/t[.]exe            DBC477DF90D4ECB37B698C571DE90D11  Phorpiex
 
In addition to IRC based C&C communication, all these bots share the following similarities in their operation:
 
1. Checks execution environment - Virtual Environment, Honeypot or Sandbox
 
 
[Image: RageBot - Check via Username]
As seen in the screenshot above, RageBot checks for common usernames found in certain public sandboxing environments before executing further.

[Image: Phorpiex - Check via DLL name]
Phorpiex looks for the strings 'qemu', 'virtual', and 'vmware' in the system registry to detect execution in a virtual environment. In addition, it checks for the presence of the Sandboxie sandbox by looking for specific DLLs, as seen in the screenshot above.

[Image: IRCBot.HI - Check via DLL & Product IDs]
It is important to note that IRCBot.HI compares the ProductID value from the registry against multiple hardcoded ProductID values and terminates execution if any of them matches. We believe these hardcoded ProductIDs were harvested from various online public sandboxes.
 
2. Creates Mutex

RageBot – It creates a mutex with the name "ie".

[Image: RageBot - Mutex]
Phorpiex – It creates a mutex with the name "t2". We have also seen Phorpiex samples that create mutexes named "t3" and "t4".
[Image: Phorpiex - Mutex]
IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>.

[Image: IRCBot.HI - Mutex]
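As an added example (my code, not ThreatLabZ's and not code from any of the samples), here is a Python triage helper that turns the environment checks from section 1 and the mutex names from section 2 into lookups over a sample's extracted strings and the mutexes it created at run time. The input lists are constructed; the Sandboxie DLL name (SbieDll.dll) and the 5-3-7-5 ProductID layout are my assumptions, since the post only says "specific DLLs" and does not show the hardcoded ProductIDs.

```python
import re

# Phorpiex looks for these in the registry; word boundaries keep API names
# such as VirtualAlloc from matching in a strings dump.
VM_RE = re.compile(r"\b(qemu|virtual|vmware)\b", re.IGNORECASE)
# Sandboxie's user-mode DLL name is my assumption; the post only says the
# bots look for "specific DLLs".
SANDBOX_DLLS = {"sbiedll.dll"}
# Windows ProductID layout (5-3-7-5 digits, or OEM in the second group).
# Several of these embedded in one binary suggests the IRCBot.HI trick of
# comparing the host's ProductID against a harvested list.
PRODUCT_ID_RE = re.compile(r"^\d{5}-(\d{3}|OEM)-\d{7}-\d{5}$")

# Mutex names from the analysis. These are matched against the run-time
# mutex list (handle dump or sandbox report), not the strings dump, where
# names like "ie" would match constantly.
FIXED_MUTEXES = {
    "Windows_Shared_Mutex_231_c000900": "DorkBot installer",
    "c731200": "DorkBot",
    "ie": "RageBot",
    "t2": "Phorpiex",
    "t3": "Phorpiex",
    "t4": "Phorpiex",
}
MUTEX_PATTERNS = [(re.compile(r"^(MAIN|BACKUP)_\d+$"), "IRCBot.HI")]


def classify_mutex(name):
    """Map a mutex name to the family that uses it, or None."""
    if name in FIXED_MUTEXES:
        return FIXED_MUTEXES[name]
    for pattern, family in MUTEX_PATTERNS:
        if pattern.match(name):
            return family
    return None


def triage(strings, mutexes):
    """Return indicator hits grouped by category."""
    hits = {"vm_check": [], "sandbox_dll": [], "product_ids": [], "mutex": []}
    for s in strings:
        if VM_RE.search(s):
            hits["vm_check"].append(s)
        if s.lower() in SANDBOX_DLLS:
            hits["sandbox_dll"].append(s)
        if PRODUCT_ID_RE.match(s):
            hits["product_ids"].append(s)
    for m in mutexes:
        family = classify_mutex(m)
        if family:
            hits["mutex"].append((m, family))
    # One embedded ProductID can be benign; two or more is the signal.
    hits["productid_check"] = len(hits["product_ids"]) >= 2
    return hits


# Constructed sample input, not taken from any real sample.
SAMPLE_STRINGS = [
    "VirtualAlloc",                  # API name, must not trigger
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "VMware Virtual Platform",
    "QEMU",
    "SbieDll.dll",
    "12345-123-1234567-12345",       # fake ProductIDs
    "12345-OEM-1234567-12345",
    "kernel32.dll",
]
SAMPLE_MUTEXES = ["ie", "MAIN_424242", "Local\\ZonesCounterMutex"]

if __name__ == "__main__":
    for category, values in triage(SAMPLE_STRINGS, SAMPLE_MUTEXES).items():
        print(f"{category}: {values}")
```

The output is a triage hint, not a verdict: a benign installer can legitimately mention VMware, so the hits are meant to prioritise which samples get a closer look.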
3. Installation
 
RageBot – It installs itself in the "%ProgramFiles%\Common Files\System" or "C:\DOCUME~1\" directory, using ragebot.exe as the file name for the dropped file.
[Image: RageBot – Building installation path]
If it is not able to create the file at the above mentioned locations, it tries to install itself in the "C:\RECYCLER" directory.

Phorpiex – It installs itself into the %WINDIR%, %USERPROFILE%, %APPDATA% and %TEMP% locations by creating a folder "M-50504578520758924620" containing a file named winmgr.exe.
[Image: Phorpiex – Pseudocode of installation function]
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.

IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops a copy of itself as lsass.exe. In %USERPROFILE%, it drops a copy of itself as ctfmon.exe.

[Image: IRCBot.HI – Installing in different locations]
 
4. Adding an autostart entry using the Run registry key

RageBot – Creates a Run key entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the name "Windows Update"

Phorpiex – Creates a Run key entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the name "Microsoft Windows Manager"

IRCBot.HI – Creates a RunOnce key entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce with the name "*<RandomNumber>"
[Image: IRCBot.HI – RunOnce Entry]
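An added example of detection logic over host telemetry (my code, not the post's): the drop paths from section 3, the Run and RunOnce entries from section 4, and the Windows Firewall AuthorizedApplications list that section 5 below describes, expressed as checks on Sysmon-style registry value-set events. The events are constructed dictionaries using Sysmon's TargetObject, Details and Image field names; the random number in the IRCBot.HI RunOnce entry and the OneDrive control entry are made up.

```python
import re

# Registry paths from sections 3 to 5 of the analysis. The events below are
# constructed stand-ins for Sysmon EventID 13 (RegistryEvent, Value Set)
# records: TargetObject is the full value path, Details the data written.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
FIREWALL_LIST_RE = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
    r"\\AuthorizedApplications\\List\\",
    re.IGNORECASE,
)
# Value names the families use for their Run entries.
KNOWN_VALUE_NAMES = {
    "windows update": "RageBot or DorkBot installer",
    "windows explorer manager": "DorkBot",
    "microsoft windows manager": "Phorpiex",
}
# IRCBot.HI's RunOnce value is "*<RandomNumber>"; a leading asterisk also
# tells Windows to run the entry in Safe Mode.
RUNONCE_STAR_RE = re.compile(r"^\*\d+$")
# Drop locations from section 3.
INSTALL_PATH_RES = [
    (re.compile(r"\\Update\\Explorer\.exe$", re.IGNORECASE), "DorkBot"),
    (re.compile(r"\\ragebot\.exe$", re.IGNORECASE), "RageBot"),
    (re.compile(r"^C:\\RECYCLER\\", re.IGNORECASE), "RageBot"),
    (re.compile(r"\\M-50504578520758924620\\winmgr\.exe$", re.IGNORECASE), "Phorpiex"),
    (re.compile(r"\\1756410959\\lsass\.exe$", re.IGNORECASE), "IRCBot.HI"),
]


def check_event(event):
    """Return (rule, family, detail) alerts for one registry value-set event."""
    alerts = []
    target = event["TargetObject"]
    details = event.get("Details", "")
    m = RUN_KEY_RE.search(target)
    if m:
        name = m.group("name")
        family = KNOWN_VALUE_NAMES.get(name.lower())
        if family:
            alerts.append(("run_value_name", family, name))
        if m.group("key").lower() == "runonce" and RUNONCE_STAR_RE.match(name):
            alerts.append(("runonce_star_value", "IRCBot.HI", name))
    if FIREWALL_LIST_RE.search(target):
        # The value name under ...\List is the path of the exempted program.
        program = FIREWALL_LIST_RE.split(target, 1)[1]
        alerts.append(("firewall_exception_added", "all four bots", program))
    for pattern, family in INSTALL_PATH_RES:
        if pattern.search(details) or pattern.search(target):
            alerts.append(("install_path", family, details or target))
            break
    return alerts


def scan(events):
    """Map EventRecordID -> alerts for a batch of events."""
    return {e["EventRecordID"]: check_event(e) for e in events}


# Constructed events; paths follow the post, user name and numbers are fake.
SAMPLE_EVENTS = [
    {"EventRecordID": 1,
     "Image": r"C:\Program Files\Common Files\System\ragebot.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\Program Files\Common Files\System\ragebot.exe"},
    {"EventRecordID": 2,
     "Image": r"C:\Windows\1756410959\lsass.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*98765",
     "Details": r"C:\Windows\1756410959\lsass.exe"},
    {"EventRecordID": 3,
     "Image": r"C:\Users\alice\AppData\Roaming\M-50504578520758924620\winmgr.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
                     r"\C:\Users\alice\AppData\Roaming\M-50504578520758924620\winmgr.exe",
     "Details": r"C:\Users\alice\AppData\Roaming\M-50504578520758924620\winmgr.exe:*:Enabled:winmgr"},
    {"EventRecordID": 4,   # benign control entry
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for record_id, alerts in scan(SAMPLE_EVENTS).items():
        print(record_id, alerts)
```

Any write under the AuthorizedApplications\List key is reported regardless of the writing process, since legitimate software rarely edits that value directly; in a real pipeline check_event would be fed from an EVTX or Sysmon forwarder rather than the SAMPLE_EVENTS list.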
5. Adding itself to the Windows Firewall trusted application list
All these bots add themselves to the Windows Firewall's exception list by modifying the key
"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
6. Propagation method 
 
RageBot –
  1. It copies itself to the following P2P and instant messenger application folders for spreading:
    • \Program Files\LimeWire\Shared
    • \Program Files\eDonkey2000\incoming
    • \Program Files\KAZAA
    • \Program Files\Morpheus\My Shared Folder\
    • \Program Files\BearShare\Shared\
    • \Program Files\ICQ\Shared Files\
    • \Program Files\Grokster\My Grokster\
    • \My Downloads\
  2. It also searches for RAR files and copies itself inside them.
Phorpiex –

    A. Creates a shortcut on a removable device
  • It checks for all removable devices
  • Copies itself under a different name
  • Creates a shortcut for an already present folder and sets the shortcut's target to run the malicious file
  • Hides the malicious file and the folder by setting the hidden attribute on both
[Image: Phorpiex - Creating Shortcuts]

    B. Creates an autorun.inf file on removable devices to autorun the malicious file
  • Checks for all removable devices
  • Copies itself under the name windrv.exe
  • Creates an autorun.inf file to autorun the malicious file
[Image: Phorpiex - Creating autorun.inf file]
IRCBot.HI –
We identified Skype-related strings in memory during our analysis, which suggests this bot is capable of spreading via Skype.
[Image: IRCBot.HI - Skype inject related string]
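An added example (my code, not from the post) that checks a mounted removable drive for the two Phorpiex spreading artefacts described above: an autorun.inf whose open, shellexecute or shell\<verb>\command entry launches a program, and a .lnk file carrying the name of a sibling folder. build_sample_drive() constructs a throwaway directory laid out like an infected stick; the autorun.inf contents are my own, since the post shows them only in a screenshot.

```python
import configparser
import os
import tempfile


def parse_autorun(text):
    """Return {key: value} for the autorun.inf entries that launch a program.

    AutoRun keys are case-insensitive; configparser lowercases option names
    for us, and the [autorun] section is looked up case-insensitively too.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    launches = {}
    for key, value in cp[section].items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            launches[key] = value
    return launches


def scan_removable_root(root):
    """Look for the two Phorpiex spreading artefacts on a drive root."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_path):
        with open(inf_path, encoding="utf-8", errors="replace") as fh:
            launches = parse_autorun(fh.read())
        for key, value in launches.items():
            # First token is the program; strip quotes, ignore arguments.
            tokens = value.split()
            program = tokens[0].strip('"') if tokens else value
            present = os.path.isfile(os.path.join(root, program))
            findings.append(("autorun_launch", key, program, present))
    # Shortcut-for-folder trick: a .lnk with the same name as a sibling
    # directory (the real folder is hidden, the .lnk runs the payload).
    # The hidden attribute is not checked here so the scan stays portable;
    # on Windows add a GetFileAttributes check on both entries.
    names = os.listdir(root)
    dirs = {n.lower() for n in names if os.path.isdir(os.path.join(root, n))}
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and stem.lower() in dirs:
            findings.append(("lnk_shadowing_folder", name, stem, None))
    return findings


def build_sample_drive():
    """Construct a fake drive root laid out like an infected USB stick."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "Photos"))   # would be hidden on the real drive
    os.mkdir(os.path.join(root, "Music"))    # untouched folder, no .lnk twin
    open(os.path.join(root, "Photos.lnk"), "wb").close()
    open(os.path.join(root, "windrv.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=windrv.exe\n"
                 "shell\\open\\command=windrv.exe\n"
                 "action=Open folder to view files\n")
    return root


if __name__ == "__main__":
    for finding in scan_removable_root(build_sample_drive()):
        print(finding)
```

On Windows, disabling AutoRun through the NoDriveTypeAutoRun policy value removes the autorun.inf vector entirely; the shortcut trick still needs a user to double-click, so the .lnk-shadows-folder check is the one worth keeping in a removable-media scan.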
7. IRC based Command & Control communication
All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.
 
RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
[Image: RageBot - C&C Communication]
You can find the full list of C&C commands in the appendix section.

Phorpiex – It tries to connect to trksrv[.]su on port 5050. Other IRC servers it tries to connect to are trik[.]su, srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:

    NICK `|USA|hihdlxu
    USER x "" "x" :x

Some other commands:

    001 -> Sends JOIN #b message to server
    PING -> Checks status
    .j <channel name> -> Join given channel
    bye -> Uninstall bot

[Image: Phorpiex - C&C Communication]
IRCBot.HI – It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667.
Upon successful connection, it sends the following IRC commands:

    PASS ddos
    USER <8 char string> <1 digit number> * :<8 char string>
    NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
    JOIN #PlanB

Below is a sample of the C&C communication for this bot:

[Image: IRCBot.HI - C&C Communication]
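The handshakes quoted above, as an added example of network-side detection (my code, not the bots' or the post's): a small RFC 1459 line parser and a session checker that flags the PASS, NICK, USER and JOIN patterns each family sends, plus the non-default ports 6668 and 5050. The transcripts are constructed to follow the formats given in the post; the server name irc.example and the IRCBot.HI nick are made up, while the Phorpiex NICK and USER lines are the ones the post quotes.

```python
import re


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if trailing is not None:
        parts.append(trailing)
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:]


# Nick formats from the handshakes described in the post.
NICK_PATTERNS = [
    (re.compile(r"^`\|[A-Z]{2,3}\|\w+$"), "Phorpiex"),                 # `|USA|hihdlxu
    (re.compile(r"^n\[[A-Z]{2,3}(\|[^|\]]+)+\]\w{8}$"), "IRCBot.HI"),  # n[USA|A|D|..|1c]xxxxxxxx
]
CHANNELS = {"#planb": "IRCBot.HI", "#b": "Phorpiex"}
# Ports seen in the analysis besides the IRC default 6667.
NONSTANDARD_PORTS = {6668: "RageBot", 5050: "Phorpiex"}


def analyze_session(lines, server_port):
    """Return (rule, family) alerts for a client-to-server IRC transcript."""
    alerts = []
    for raw in lines:
        _prefix, cmd, params = parse_irc_line(raw)
        if cmd == "PASS" and params[:1] == ["ddos"]:
            alerts.append(("pass_ddos", "IRCBot.HI"))
        elif cmd == "NICK" and params:
            for pattern, family in NICK_PATTERNS:
                if pattern.match(params[0]):
                    alerts.append(("nick_format", family))
        elif cmd == "USER" and params == ["x", '""', '"x"', "x"]:
            alerts.append(("user_stub", "Phorpiex"))
        elif cmd == "JOIN" and params:
            family = CHANNELS.get(params[0].lower())
            if family:
                alerts.append(("join_channel", family))
    if server_port in NONSTANDARD_PORTS:
        alerts.append(("nonstandard_irc_port", NONSTANDARD_PORTS[server_port]))
    return alerts


# Constructed transcripts that follow the handshakes described in the post.
IRCBOT_HI_SESSION = [
    "PASS ddos",
    "USER qwertyui 8 * :qwertyui",
    "NICK n[USA|A|D|WinXPx86|1c]qwertyui",
    "JOIN #PlanB",
]
PHORPIEX_SESSION = [
    "NICK `|USA|hihdlxu",
    'USER x "" "x" :x',
    ":irc.example 001 x :Welcome",
    "JOIN #b",
    "PING :irc.example",
]
BENIGN_SESSION = ["NICK alice", "USER alice 0 * :Alice", "JOIN #python"]

if __name__ == "__main__":
    for name, session, port in [("IRCBot.HI", IRCBOT_HI_SESSION, 6667),
                                ("Phorpiex", PHORPIEX_SESSION, 5050),
                                ("benign", BENIGN_SESSION, 6667)]:
        print(name, analyze_session(session, port))
```

Pair these handshake rules with the server names listed in the post as a blocklist: the host indicators catch the samples analysed here, while the handshake patterns still fire after the operator moves the bots to a new server, which the introduction notes they do regularly.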
Conclusion
In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads pushed out in the wild on a regular basis. As we saw in our analysis, IRC based botnet families continue to evolve in terms of the sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Appendix

DorkBot installer URLs and MD5

 
Time    MD5                               URL
Jan-15  E49B3EF80FF4DB4DB1D5220930EC7DAD  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  CC9D72663D2495779B0C81AEE34592E7  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  A98472BCAA010433A80410C3483C90E1  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  EEFC72EFFD96FFD11EC2D69CD6248AC5  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  4E7149C1401F5A0BC34E3AAD6070F4BE  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  5B14C029570F40BDDC73669FE4EFEFB0  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  4C54D366B04F9980F038CB6FC62603D0  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  6E4282023D6A19B27C30DB5D54CEE32C  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  E7B61B2BE23167965079468DF36497EF  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  DC8CBA3F91A34F0D1EFA79BE4495B305  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  8AAD291926335F28B4402830252556F7  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  8036A36C372602CFA049996B9F5BD6AE  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  8036A36C372602CFA049996B9F5BD6AE  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  7257FD6F90B5AA9BB249EA74B764A401  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  B186525826856E881E879C6C44BB2452  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  220188F1BD2E10BA0751383EA0946DBA  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  2DB9BD0ABD99F3285721D358A6816737  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  EBEB072B8336F5FD35328227A60B271C  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  01303BEFE5938C3C748C4E058A8A6AE9  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  82E2CA09BDEB3ABF8B70D848F66793E7  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  0B2E7AE8DF2ADA1E86A3A25FC248C6FE  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  430560EBD3BE6A680BFA6409F332585B  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  F79AF05D9B43F99EB6FC64DA2C129F67  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  384252746FAFF8D264E6A8CA450B6301  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  C9636239ED698834CABA78E1F9F8DB0F  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  9C42746376CC7D265D6BF554B960EDE2  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  67B08BF0F2C89DE4E0D1C36BAF7193B9  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  735B6602B4BD1D71246F43642D6873AA  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  7D9AF61AE962443D586BFC8A86100B5F  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  05ABC48A4BEE624D7952954CF14F699D  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  FF638ACA7D8D10ED8AD2DE1BC333123D  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  AA4085182E8F10FEC8EBC3F6D3612321  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  1A54593E7C82DD1B16B7626FCB211DA1  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15  235E67A88907DA68BFBB9264A00A31E3  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  2CBD9428DEE885C30258BF0C38299138  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  CCDC5EC2085536160813658BE549F0B6  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  CBD732F87901EE03820DBA41D0D2895A  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  BE5E43F2786D628B7AA8689C2108247D  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  5AEC4A3B3E0AEB3B13B98086FC81D797  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  6034814DB1C25A092C39F251F29B2216  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  6CAE0B51E5EAD86EEA47C4068287650A  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  451E324D3CB601E00FA041D6FDE1C4EC  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  9AEB3A097F11887D89EC08D337814B6B  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  8F9F97232DBE283BC5E7B6AB4DD580B8  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  F57A08679380F3FDFD369528FE5CE854  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  F24BC22CFD12E3FDE40D06BF54F35CF1  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  4BB4C19B5FC2401D45845789CC761577  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  583432D95424EC051AFE9E621DC41ACA  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  C5756AC3FE61266D326B43E904BC1A6C  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  44012367D7FFA7845B59462952AB9014  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  FC506F023FF71E3ACDEE4449C43E5F1B  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  322E11B552B897ADBC9ABCE51774988E  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  EC0832E5818E4CD753C4B2675C6179A1  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  63C37B2FEB0C0F71568B9771AC4DACE4  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15  7BE4749D1D1F8950F7288C67A393B7F0  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  ADDF9E2B207AD9E89DB46E81A8121882  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  3E70DB4E5F5F60F2FDE7AEC38F4B30CD  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  268301147BC53722A898E1F38E6F026D  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  309FB15C08861BC063C19C326A29AC98  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  422C1A2BC53F72CAE5435F7F5598BDFD  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  30A6C9DC574075C5EA47F17EA9392C47  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  37A9570400CB0C0CD4E5273AE3232EB5  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  E59BCA5EE865FE5789C96B20A43F9207  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  919C861E6A6ABF88045476D5D92A5DE1  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  5FD98DE177F158C31960BF80272F2535  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  9439AA18598643131B3F8DD9E69AB294  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  F66A06166B73391C4C7A7A58CC6CE66C  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  79589FC33375A63BB44A8DE0B2B5DAF8  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  2C328EF3F2074D68729F329D4B2F8013  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  90E8FF73C7E78B99ABCD1FC22394F22E  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  A3AEC401831AF6EF1C75AFB1C50D96DA  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  42C7C8719D33AFCF36DC7D5D2594EB5B  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  375E51758336183B07CA7DBF771D2EF8  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  FA20E413002E17B938B2451552721027  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  09840FA1887528B20C98C408C8EB6E07  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  6AB2975E77EA4724FADF4CCB7250F0E9  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  51E7E34FFB5EF17FDE5FAFC5DF8F7212  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  F61E3F5ACFE1F861CECEA0A793D4F333  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  229236B39E92E629178419CB8A529E1A  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  D299AD2A61F325F5DA56AE7674D2F77D  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  53CA20232F358A9C256748403451EF14  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  41BE96D1B3BDF9E48D97AE153D6EFD45  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15  213E0B42AF7CF1D0DCB75E378CA93512  api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif


RageBot Commands

 
Command - Description
PING - Check status
422 - Check status
433 - Redefine nick name
-s - Silent mode
h 0f6969d7052da9261e31ddb6e88c136e - Uninstall bot
h fd456406745d816a45cae554c788e754 - Download and run file
botinfo - Sends botinfo
p2p - Starts P2P spread; copies itself into the following locations:
    \Program Files\LimeWire\Shared
    \Program Files\eDonkey2000\incoming
    \Program Files\KAZAA
    \Program Files\Morpheus\My Shared Folder\
    \Program Files\BearShare\Shared\
    \Program Files\ICQ\Shared Files\
    \Program Files\Grokster\My Grokster\
    \My Downloads\
commands - Sends the following list of commands:
    commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
rarworm - Scans for .rar files and copies itself into the .rar archives under the name "self-installer.exe"
disconnect - Disconnects itself
b0tk1ller (off) - Starts a thread that scans the running processes and terminates any process whose name matches a hardcoded list of process names. If the parameter "off" is provided, it stops the bot killer thread.
reconnect - Reconnects to the same server
reconnect.next - Same as reconnect, since only one IP is hardcoded in the bot
nick (nickname) - Sets the nick name; if no nickname is provided, generates a random one
restart - Restarts itself
vncstop - Stops the VNC scanning threads
join (channel_name) - Joins the mentioned channel
xpl - Starts the VNC and FTP scanning threads

Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai
 