GTBot Trojan Information and Advisory on IRC DDoS Bots

TrojanInfo.com
GTBot IRC DDos Trojan Information

GT Bot 32-Bit Color

This bot, once it loads script.ini, it searches for the hide.exe program. If that program is not found, the script terminates. It checks for pkunzip and FreeSexMovie.mpg.zip, and if not present it tries to restore them. The file FreeSexMovie.mpg.zip is send via dcc send over irc networks. It sets the nick and alt nick of the user from a random text picked from the info.dat file. Email and user is also set. These settings change on Exit. It sets the mIRC client to ignore private,notice,dcc,invite and codes, presumably to further avoid detection

Dropper File
FreeSexMovie.mpg.exe	741 KB	Discovered March 17, 2002

Files and Folders Dropped
c:\WINDOWS\SYSTEM\COLOR\32-bit Color	Folder	-
c:\WINDOWS\pkzip.exe	Size: 50,663 bytes	pkzip utility
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\Color6.exe	Size: 1,682,432 bytes	mIRC 5.91
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\Colorhelp.exe	Size: 50,663 bytes	pkzip utility
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\fix.bat	Size: 141 bytes	Microsoft Batch File
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\hide.exe	Size: 40,960 bytes	HideWindow Program
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\info.dat	Size: 3,457 bytes	script.ini Text File
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\mirc.ini	Size: 2,755 bytes	mIRC configuration file
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\remote.ini	Size: 137 bytes	mIRC configuration file
c:\WINDOWS\SYSTEM\COLOR\32-bit Color\script.ini	Size: 6,728 bytes	main mIRC Script

Before you make any changes to the registry, it is recommended that you first make a back up

Registry Keys Added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Color Upgrade" Type: REG_SZ Data: c:\windows\system\color\32-bit color\Color6.exe

Registry Keys Changed
HKEY_CLASSES_ROOT\ChatFile\DefaultIcon "(Default)" Old data: "C:\MIRC\MIRC.EXE" New data: "c:\windows\system\color\32-bit color\color6.exe" HKEY_CLASSES_ROOT\ChatFile\Shell\open\command "(Default)" Old data: "C:\MIRC\MIRC.EXE" -noconnect New data: "c:\windows\system\color\32-bit color\color6.exe" -noconnect HKEY_CLASSES_ROOT\irc\DefaultIcon "(Default)" Old data: "C:\MIRC\MIRC.EXE" New data: "c:\windows\system\color\32-bit color\color6.exe" HKEY_CLASSES_ROOT\irc\Shell\open\command "(Default)" Old data: "C:\MIRC\MIRC.EXE" -noconnect New data: "c:\windows\system\color\32-bit color\color6.exe" -noconnect HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC "UninstallString" Old data: "C:\MIRC\MIRC.EXE" -uninstall New data: "c:\windows\system\color\32-bit color\color6.exe" -uninstall

Back to Links
Back to Top of GT Bot Information Page
Submit New bots to golcor@trojaninfo.com

Contents of info.dat:
Brad Zo Storm blessed Sally Nuke Daemon amir [GDI]Sista DB\|Gone Whoop [GDI]DethFrmAbv Brad skillet Marine Avalanche Daemon dark-away Nuke X-1 blueberry-pie raptor blewOUT{OQF} WargasM` ]R[doomweaver \snb\Ac1d beefboy Ice_Wolf iX-eupy \|4\|pk` aqwa i`son cm`NoccY Chipking` nb-murdock cK-mazE \|4\|kiln Whoop cK-spook v3-VeNoM UnKn\|SaTaN Cfc\|xAv1eR cK-montrey cK-killa cK-unforgiven type0 sG\|Disco soa\|longhair whor0x` [5]priMe_wrk EoD\|Smoke cK-novmode rB\|CurVe SouL-Cr][s][s iq`havok Ir8Pir8 ^kill^ diggZ \|Ka-Tu\| leg\out cd-SereneKaos ab-TrunkS cK-orb cK-fatal shootme guntha ChanServ Acid\| [dvp]InhumanE ]km[soulja __ ]km[deimos y0ta cK-czm B1rk`ZzZzZ `c`Grapple NE\|Cable dubious shewgie KungFoo nE\|BaKeR forge cad_Rich Exar AlDoLOVE gring0 `BoB` burgertime QMS\|superdave InduZzZ cyanide sHrooMsaLoT kfc-RAGULAT0R Dt-Hol {DigA}Doll \|VenoM\| friz revy_afk D\|S-Pheer0v rXn\|Helldemon xreal`z BLuNT darth cK-Demiurge nex-froggy`K od`east D\|S-Blunt mob\|Zarbin jurel Da_0CooL cres\|nohere ss-kremkill c\|utchc\|utch k^myzzeri plow Element AH\|LuC\|ZzZzz [xeno]KleaR TK^ cK-insano corrupt peer oreo f`godspeed fragz` ZeRo4 carnmode K`v3stek luluvid\|nite runik [xeno]stealth snb-sawedoff QMS\|Wrath Mr_Phrosty loverat suckergone stx-jonnyblaze cK-Sho\|work `pacman cK-mazE-o-rific Muddy1 K4H-Chaucer D\|S-Symovie rackboy MurK-Scorpi Lobsta rB\|gregK [NM]Concept [id]geoff [np]poppycock THE_DOT2 D\|S-BadSlinky jynx stx-bradd cliksta x17^tklown Infz0r milez Lord_Dirty-KT rdw519 \|s\|Slick iZ0MBi3 ]km[retrow cK-bloodshot cK-phatman ab-mess1ah \|4\|muiy trips [3g]spike\|bed TriK BT_partyin m\|drc sleeper`out woopsor [np]striker FrZ\|Deathwolf CPL\|Chris cK-matador ShoGun` ezt zN\|NeX D\|S-Apoztle xC\|styx1nator gen1ous Striker` Motard- CFC\|TOBY [xeno]Impreza`gone cK-crunchtime Bludshed miss\|away onedrop c5\|Sceptre tammer GotRice Zero cK-mojo Devl BunnyLove stayne`notdowntown dkphenom ]km[cugar [flux]torQ \|4\|tz1on D\|S-Slugs Ic3m4n du\|\|de JellyBell Okammaux SiGO knarkoo d0pest GSandwich GliMer_Ey evilclown rice-uk chod Jtc OigniteO ceaves- \|machine\| FiXiON FactorQ pun dexium Griphin SnaTcheR {SiC}- an0n[ZzZ] [MantiS] Buttstar- WoRdUp48 fenstr Da\|33t bagger- RLKyuss f81 slipperys sko7d locked muse PHZ-CUNT Qorny pimpaciou [Slasher] Nnag_42O Ashur- UGene GodChambe [\|Xeo\|]- Azash hiker- xaq-- Roots nick182 `woe jimmy_68` icekicker rec IceWizard [Psych] aland- Dollar pras- tweek goonar Eleeto everyone uG SiNNeRX RueMorgue hexus Arson sc0tt hojo bos SmAsH Chong0r QSleep akuma def00 `er \|SOB\| BenCode- JoLLyRoGr Winblowz Britain Poulton England- Blackpool wiggs_ vvviper\|a CpnHowdy mindless beezZa Point-1 bh3____ HotCarl Cjunky1 enriched druggy- ][KoRn][ CurryMan gamer08 Vegetto DiSLoCaTe Offspring AkAtS lam0chop iNDi GooK42 Chimaira Necro\|ZzZ bArriaM Trey shattered mahn du\|de xkewlguyx sbfly deftoned spoon^ Ted__ sH0rTzaIt DeAtH_AnG slippery2 ditch chokenchi FuManChuu n ` maggart schellh0 Zone Nimble RodeoMike [momar] Lixor madisa- liquid- apostata Melo-D \| Bastard- MaroW RasMG saturn21 blubwach DsrtNinja TheFonze cIvIcgone hico_zzz faggyg- PanterA- ubergod outlaws AhHa gaynewf tobes Ryche Maharahj Hewlett