GT Bot Accessdiver
This GT Bot Trojan installs all of its files to c:\windows\system\fonts. It creates one registry key but otherwise does not alter any keys. It monitors IRC channels for text commands and executes different functions when the proper commands are entered in a channel the bot is present in. Mirc2.ini is responsible (among other functions) for writing and launching the pepsi.vbs file; pepsi.vbs in turn launches the Pepsi.exe DDOS tool. It also contains several text commands that will execute if typed into a channel. Mirc3.ini is a borrowed BNC (bouncer) script: it accepts connections from a remote client, has a basic security feature to prevent unauthorized use by other hackers, and then lets the remote client use that GT Bot as its access to the IRC server the GT Bot Trojan is logged onto. Mirc.ini is the actual mirc.ini file, with a DDOS script included in it.
PR.INI sets up variables for the other scripts. It sets a login password and only accepts that password if the IP address contains "207.195.". It sets the GT Bot nick to a name picked from Temp.scr and appends a random number to it; the Trojan code reads //nick $read temp.scr $+ $r(1,9) (in mIRC scripting, $read with no line number returns a random line from the file, $+ concatenates, and $r(1,9) is a random integer from 1 to 9). PR.INI also has detection monitoring and attempts to re-hide the GT Bot if it is discovered. It also searches for earlier GT Bot Trojans located in C:\WINDOWS\INF\g, C:\WINDOWS\web32\ and C:\WINDOWS\bero\ and, if found, deletes all the bot files in those folders. It also contains various IRC DDOS routines.
Accessdiver.exe | 625 KB | Discovered March 17, 2002 |
File | Size | Description |
c:\WINDOWS\SYSTEM\fonts | Folder | - |
c:\WINDOWS\SYSTEM\fonts\icmp.vbs | Size: 108 bytes | VBS script |
c:\WINDOWS\SYSTEM\fonts\mirc.ini | Size: 27,638 bytes | mIRC configuration settings and mIRC script |
c:\WINDOWS\SYSTEM\fonts\Mirc2.ini | Size: 40,997 bytes | mIRC script |
c:\WINDOWS\SYSTEM\fonts\MIRC3.INI | Size: 17,733 bytes | mIRC script |
c:\WINDOWS\SYSTEM\fonts\moo.dll | Size: 90,112 bytes | Unaltered 4.0.2.65 version |
c:\WINDOWS\SYSTEM\fonts\pepsi.exe | Size: 12,288 bytes | Pepsi DDOS tool version 1.6 |
c:\WINDOWS\SYSTEM\fonts\pepsi.vbs | Size: 103 bytes | VBS script written by Mirc2.ini; launches the Pepsi.exe DDOS tool |
c:\WINDOWS\SYSTEM\fonts\PR.INI | Size: 29,882 bytes | mIRC script |
c:\WINDOWS\SYSTEM\fonts\remote.ini | Size: 1,556 bytes | mIRC remote.ini file |
c:\WINDOWS\SYSTEM\fonts\TEMP.EXE | Size: 446,464 bytes | mIRC version 5.7 |
c:\WINDOWS\SYSTEM\fonts\Temp.scr | Size: 73,303 bytes | Text file, referenced by mirc.ini, mirc3.ini and pr.ini; contains 7,456 nicks |
c:\WINDOWS\SYSTEM\fonts\TEMP2.EXE | Size: 22,016 bytes | Hide Window application |
c:\WINDOWS\SYSTEM\fonts\WHVLXD.DAT | Size: 55 bytes | Registry key data |
c:\WINDOWS\SYSTEM\fonts\WHVLXD.EXE | Size: 24,576 bytes | Registry key creator |
Before you make any changes to the registry, it is recommended that you first make a backup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WHVLXD" Type: REG_SZ Data: c:\WINDOWS\SYSTEM\fonts\WHVLXD.exe |
No keys altered |
Submit New bots to golcor@trojaninfo.com