GTBot IRC DDos Trojan Information

GT Bot Accessdiver

Interview with Lockdown | Main Page | Trojan List | NoHack | SwatIt | Submit a Trojan

This GT Bot Trojan installs all its files to c:\windows\system\fonts. It creates one registry key, but out side that, it does not alter any keys. It monitors IRC channels for text commands and executes different functions if the proper commands are entered in a channel the bot is present in. Mirc2.ini is responsible (among other functions) for writing and launching the pepsi.vbs file. The pepsi.vbs file in turn launches the Pepsi.exe DDOS tool. It also contains several text commands that will execute if typed into a channel. Mirc3.ini is a borrowed bnc script. It accepts connections from a remote client, has a bit of a security feature to prevent unauthorized use prevent unauthorized use by other hackers, and then allows the remote client to use that GT Bot as it's access to the IRC server the GT Bot Trojan is logged onto. Mirc.ini is the actual mirc.ini file, with a DDOS script included in it.

PR.INI sets up variables for the other scripts, it sets a login password and only accepts that password if the IP address contains "207.195.". it sets the GT Bot nick to a name picked from the temp.scr and appends a random number to it. The Trojan code reads //nick $read temp.scr $+ $r(1,9). PR.INI also has detection monitoring, and attempts to re-hide the GT Bot if it is discovered. It also searches for earlier GT Bot Trojans located in C:\WINDOWS\INF\g, C:\WINDOWS\web32\ and C:\WINDOWS\bero\ and if found, deletes all the bot files in those folders. It also contains various IRC DDOS routines.

Dropper File
Accessdiver.exe 625 KB Discovered March 17, 2002

Files and Folders Dropped
c:\WINDOWS\SYSTEM\fonts Folder -
c:\WINDOWS\SYSTEM\fonts\icmp.vbs Size: 108 bytes VBS script
c:\WINDOWS\SYSTEM\fonts\mirc.ini Size: 27,638 bytes mIRC configuration settings and mIRC script
c:\WINDOWS\SYSTEM\fonts\Mirc2.ini Size: 40,997 bytes mIRC script
c:\WINDOWS\SYSTEM\fonts\MIRC3.INI Size: 17,733 bytes mIRC script
c:\WINDOWS\SYSTEM\fonts\moo.dll Size: 90,112 bytes Unaltered version
c:\WINDOWS\SYSTEM\fonts\pepsi.exe Size: 12,288 bytes Pepsi DDOS tool version 1.6
c:\WINDOWS\SYSTEM\fonts\pepsi.vbs Size: 103 bytes VBS script written by Mirc2.ini and launches the Pepsi.exe DDOS tool
c:\WINDOWS\SYSTEM\fonts\PR.INI Size: 29,882 bytes mIRC script
c:\WINDOWS\SYSTEM\fonts\remote.ini Size: 1,556 bytes mIRC Remote.ini file
c:\WINDOWS\SYSTEM\fonts\TEMP.EXE Size: 446,464 bytes mIRC version 5.7
c:\WINDOWS\SYSTEM\fonts\Temp.scr Size: 73,303 bytes Text File, Referenced by mirc.ini, mirc3.ini, pr.ini. Contains 7,456 nicks
c:\WINDOWS\SYSTEM\fonts\TEMP2.EXE Size: 22,016 bytes Hide Window application
c:\WINDOWS\SYSTEM\fonts\WHVLXD.DAT Size: 55 bytes Registry Key Data
c:\WINDOWS\SYSTEM\fonts\WHVLXD.EXE Size: 24,576 bytes Registry Key Creator

Before you make any changes to the registry, it is recommended that you first make a back up

Registry Keys Added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WHVLXD"
Type: REG_SZ
Data: c:\WINDOWS\SYSTEM\fonts\WHVLXD.exe

Registry Keys Changed
No keys altered

Back to Links
Back to Top of GT Bot Information Page
Submit New bots to