A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4447  by EP_X0FF
 Fri Jan 14, 2011 1:25 pm
This is 3vBot v1.1, an IRC-based backdoor with a USB autorunner part and some primitive VM detection on board.
PRIVMSG [BOTKILLER]: Killed %d bots. %temp%\* %appdata%\Microsoft\* %appdata%\* %public%\* Software\Microsoft\Windows\CurrentVersion\Run \ exe \* .. . [DDoS]: DDoS Complete. %s IP %s Port %s for %d seconds. [DDoS]: DDoS Underway. [DDOS]: Network failure. [DDOS]: Erroneous or missing parameters. Destination unreachable. Aborting. %s %s IP %s Port %s for %d seconds with %d delay. %s Port %d. [DDOS]: Failed to initialize the necessary networking functions. [DOWNLOAD]: Error resolving DNS, or perhaps there is something wrong with your URL? ErrCode: %d [DOWNLOAD]: Download Succeeded. [DOWNLOAD]: Download succeeded. Process successfully started. [UPDATE]: Updating... [DOWNLOAD]: Download succeeded but process failed to start. Error Code: %d [DOWNLOAD]: Failed to create output file. / [DOWNLOAD]: Not enough arguments supplied. QUIT [STATUS]: Switching Server. [STATUS]: I am currently on that server. [STATUS]: Incorrect server number. explorer.exe [STATUS]: Uninstalling... VlRJNWJXUklaR2hqYlZaaldFVXhjRmt6U25aak1qbHRaRVo0WTFSRlRreE5VVDA5 VlRJNWJXUklaR2hqYlZaaldFVXhjRmt6U25aak1qbHRaRVo0WTFSRlRreFZhMVpWVFZFOVBRPT0= [UPTIME]: %d weeks, %d days, %d hours, %d minutes, %d seconds [VISIT]: Visit successful. [VISIT]: Visit failed. Generic Error. open U1RGb2J HTnRPRDA9 VG1wWk1 rNTNQVDA9 %s%s VFZSak5FeHFSVEpOY VRSNFRsUkZkVTFxU1RNPQ== VjBkV2VXSXdSbXRpVjJ4MQ== VVcwNU5BPT0= VW0wNWNtUllUVDA9 Surreal 8 * :Endless ERROR: ERROR 451 433 332 JOIN 001 :!spread.msn PONG PING аQA .H :%s!%s@%s PRIVMSG %s :%s | botkiller stealer spread.msn spread.rarzip [DDoS]: DDoS attack cancelled. ddos.stop ddos.ssyn ddos.tcp ddos.udp uptime off silence usort # sort visit [USB]: Thread Not Running. [USB]: Thread Stopped. spread.usb.stop [USB]: Thread Started. [USB]: Thread Running. spread.usb update-md5 update uninstall download-md5 download server [3vBot]: Version v1.1 FULL version NICK newnick [STATUS]: Quitting. 
quit PART part join TOPIC PASS USER [%s][%s][%d] [%s][%s][%d] [N][%s][%s][%d] [NU][%s][%s][%d] U true N NA Vista 2008 2003 XP 7 ProductName SOFTWARE\Microsoft\Windows NT\CurrentVersion NOTICE :STAYALIVE02x rb [MSN]: MSN not installed or no contacts available. [MSN]: Successfully sent message to %d contacts. Infected Drive autorun.inf [autorun] ShellExecute= .exe * Infected %d Archives %appdata%\..\* \WinRAR\rar.exe %programfiles% %programfiles%\WinRAR\rar.exe " " a -ep -y rar [STEALER]: Your version does not include the stealer. Mozilla/4.0 (compatible) del Windows Security %appdata%\ VkVWT1RFMVJQVDA9 :\ 3v

SYSTEM\ControlSet001\Enum\IDE\DiskVirtual_HD______________________________1._1____ SYSTEM\ControlSet001\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____ SYSTEM\ControlSet001\Enum\IDE\CdRomVBOX_CD-ROM_____________________________1.0_____ dbghelp.dll SbieDll.dll 55274-640-2673064-23950 76487-644-3177037-23510 76487-640-1457236-23837 ProductId


Here is a video presentation:
http://www.youtube.com/watch?v=ghGzsWR3E58
http://www.youtube.com/watch?v=BsOIWnX-pXU
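Added example (editor's note, not code from the sample or from EP_X0FF's post): the strings above give the bot's anti-analysis artifacts but not how it consumes them, so the script below reconstructs the check as a "would this bot notice my sandbox" test. The registry key paths, the two DLL names and the three ProductId values are copied verbatim from the dump; everything else is an assumption: that the IDE enum keys are tested for existence, that the DLLs are tested with GetModuleHandle in the bot's own process, and that ProductId is read from SOFTWARE\Microsoft\Windows NT\CurrentVersion and compared exactly. The three ProductId values are generally documented as belonging to public sandboxes of that era; the page itself does not say which, so treat that as my reading. The `HostFacts` name, `evaluate`, `collect_live_facts` and the sample inputs are mine.

```python
"""
Reconstruction of 3vBot v1.1's sandbox / VM checks, built only from the
strings posted above. Editor's example, not the bot's code. The matching
logic (key exists / module loaded / exact ProductId compare) is assumed.
"""
import platform
from dataclasses import dataclass

# Artifacts copied verbatim from the strings dump.
VM_REGISTRY_KEYS = [
    r"SYSTEM\ControlSet001\Enum\IDE\DiskVirtual_HD______________________________1._1____",
    r"SYSTEM\ControlSet001\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____",
    r"SYSTEM\ControlSet001\Enum\IDE\CdRomVBOX_CD-ROM_____________________________1.0_____",
]
SANDBOX_MODULES = ["SbieDll.dll", "dbghelp.dll"]   # Sandboxie hook DLL, debug helper
SANDBOX_PRODUCT_IDS = {
    "55274-640-2673064-23950",
    "76487-644-3177037-23510",
    "76487-640-1457236-23837",
}
PRODUCT_ID_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"  # value: ProductId


@dataclass
class HostFacts:
    """What the bot can observe about a host (names assumed by the editor)."""
    registry_keys: set      # HKLM subkeys that exist
    loaded_modules: set     # DLLs loaded in the bot's own process
    product_id: str         # HKLM\...\CurrentVersion\ProductId


def evaluate(facts: HostFacts):
    """Return the artifacts that would trip the bot's checks (empty = looks clean)."""
    hits = []
    present = {k.lower() for k in facts.registry_keys}      # registry keys are case-insensitive
    for key in VM_REGISTRY_KEYS:
        if key.lower() in present:
            hits.append(("registry", key))
    loaded = {m.lower() for m in facts.loaded_modules}      # module names likewise
    for mod in SANDBOX_MODULES:
        if mod.lower() in loaded:
            hits.append(("module", mod))
    if facts.product_id.strip() in SANDBOX_PRODUCT_IDS:
        hits.append(("productid", facts.product_id.strip()))
    return hits


def collect_live_facts() -> HostFacts:
    """Gather the same facts from the running Windows host the way the bot plausibly does."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs Windows; use evaluate() with constructed facts")
    import ctypes
    import winreg
    keys = set()
    for key in VM_REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            keys.add(key)
        except OSError:
            pass
    modules = set()
    for mod in SANDBOX_MODULES:
        # Non-zero handle only if the DLL is already mapped into this process,
        # which is exactly how an injected Sandboxie SbieDll.dll shows up.
        if ctypes.windll.kernel32.GetModuleHandleW(mod):
            modules.add(mod)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PRODUCT_ID_KEY) as k:
            product_id = str(winreg.QueryValueEx(k, "ProductId")[0])
    except OSError:
        product_id = ""
    return HostFacts(keys, modules, product_id)


if __name__ == "__main__":
    # Constructed input: a VirtualBox guest running under Sandboxie with a
    # ProductId from the bot's list. A hardened analysis VM should yield [].
    demo = HostFacts({VM_REGISTRY_KEYS[2]}, {"sbiedll.dll"}, "76487-644-3177037-23510")
    for kind, value in evaluate(demo):
        print(f"{kind:9s} {value}")
```

Run `evaluate(collect_live_facts())` inside the analysis VM: every hit is one artifact to rename or remove (or to patch the bot around) before letting the sample talk to its C2. Note that the key paths include the exact padded device strings, so a different VirtualBox or VMware disk model name would already evade this particular check.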
 #4449  by kmd
 Fri Jan 14, 2011 5:02 pm
Sorry, a bit off-topic..
What is the song name in the first video? Sounds familiar.
 #4450  by EP_X0FF
 Fri Jan 14, 2011 5:09 pm
kmd wrote:Sorry, a bit off-topic..
What is the song name in the first video? Sounds familiar.
Pendulum - Hold your colour