Backdoor.EvilBot.B

Propagation : medium
Dégât : low
Size: 6688 bytes, packed with UPX (16924 bytes unpacked)
Détecté : 2003 Jun 30

SYMPTOMS:

  • Presence of the msgrt.exe file in the Windows folder

  • Presence of the following registry key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSGRT]

    which points to the file msgrt.exe in the Windows folder

  • Suspicious connections to port 6667 of the server:

    eu.undernet.org

    • TECHNICAL DESCRIPTION:

    This is a minor modification of Backdoor.EvilBot.B, which BitDefender detects since November 12th, 2002. This backdoor has two elements: an IRC bot and the backdoor itself. The IRC bot seems to be written in Romania; it takes girl names and joins busy Romanian channels, like #deva, #cluj, #sibiu, etc.



    The bot actually has the capability to “talk” to the user; it offers to send a picture (which of course is the backdoor).
    When the backdoor is first executed, it fetches the address of the RegisterServiceProcess API and uses it to register itself as a hidden task (under Windows 95/98 and ME only); then it creates a registry key for itself so it’s automatically executed at every Windows startup.

    After that, the Backdoor connect to port 6667 (IRC) of the server eu.undernet.org, generates a random nickname and joins the channel #ucica. This channel is marked secret and to join this channel an user must have a special key.



    The commands can be sent either by private message to a single user, or a message in the channel (those commands will be executed by all users). Available commands:

  • upd – updates the bot; this command always fails because the backdoor attempts to update itself from update.ur.address/thepath.exe; this address obviously doesn’t exist.

  • down – downloads a file from the web and execute it;

  • nick – changes the nick;

  • p1, p2, p3, p4 – floods an internet address (by ping commands);

  • msg – sends a trivial message to an user;

  • udp – UDP floods an internet address;

  • s – executes a file;

  • l – parts a channel;

  • j – joins a channel;

  • r – specify to an user a string like evilbot ready for attack...;

  • pwX – makes the users quit the channel and terminates the backdoor process; however, the file remains on disk and the registry entry is still there. On the next reboot, the backdoor will executed again.

    • Removal instructions:

    BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.

    1. If you don't have BitDefender installed click here to download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Make the following changes in the windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;

      2. Delete the following key:

        [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSGRT]

    4. Reboot the computer

    5. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Backdoor.EvilBot.B.

    ANALYZED BY:

    Mihai Chiriac BitDefender Virus Researcher