

First posted on 05 April 2015.
Source: SecurityHome

Aliases :

There are no other names known for ButterflyBot.A.

Explanation :

ButterflyBot.A is a bot worm whose purpose is to make the affected computer become a zombie, so that it can be remotely controlled and receive instructions from its creator without either the knowledge or consent of the user.

Once installed, it injects itself into the EXPLORER.EXE process, so that it does not run as a separate, suspicious process and can go unnoticed. Additionally, since the EXPLORER.EXE process usually has Internet access, the bot can receive the instructions sent by its creator and bypass the firewall, if one is installed.

It can receive several instructions, like the following:

  • Download and run files, which would allow it to install any type of malware on the computer. For example, it could install a Trojan designed to steal all types of passwords, putting the user's confidential data at risk.

  • Download updates of itself. This way, it could add new functionalities and change its behavior, making its detection more difficult.

  • Enable/disable the propagation through removable drives, instant messaging programs and P2P programs.

The following represents the main commands received by the bot with an explanation:
  • alinfiernoya : The bot is deleted

  • trinka (url): The file indicated in the URL is downloaded and run

  • pillaestenuevoya (url) : The bot is downloaded and updated

  • u1 : Enables the propagation through removable drives

  • u0 : Disables the propagation through removable drives

  • m1 : Enables the propagation via MSN Messenger

  • m0 : Disables the propagation via MSN Messenger

It is worth mentioning that the creator of the bot uses colloquial Spanish to name some of these commands: "alinfiernoya" ("to hell now") deletes the bot, "trinka (url)" ("get (url)") downloads a file from the given URL, and "pillaestenuevoya (url)" ("get this new one now (url)") updates the bot.

Additionally, it establishes connections with the following addresses from which it controls the type of command to be sent and the files to be downloaded to the affected computer:
  • butterfly.Biney.biz

  • bf2.sinip.es

  • bfis.sinip.es

  • laluau.sinip.es

  • thejackfive.mobi

These addresses use dynamic DNS servers, so that the bot creator can change at any moment the instructions sent to the bot and the files to be downloaded.

On the other hand, the program used to create customized samples of this bot, which allows buyers to design their own botnet, can be bought on the Internet.

The configuration options are the following:
  • Choose whether the copies of itself are polymorphic or not.

  • Connection ports to the server.

  • Delay until it is injected into the EXPLORER.EXE process to make its analysis more difficult.

  • Number of sendings via MSN Messenger.

  • Name of the file with which it is copied in the removable drives.

  • Autostart configuration of these removable drives.

Infection strategy
ButterflyBot.A creates a copy of itself with the name SYSDATE.EXE in the path C:\RECYCLER\%random value%\. This file is a copy of the worm.

ButterflyBot.A creates the following entry in the Windows Registry in order to be run whenever Windows is started:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Taskman = C:\RECYCLER\%random value%\sysdate.exe
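As an added example (not part of the original write-up), the following Python script checks an exported Windows registry file for the persistence artefact described above: it parses a `.reg` export (the sample embedded below is constructed, not captured from a real infection) and flags a Winlogon `Taskman` value, which is normally absent on a clean system, and reports separately when that value points at a `RECYCLER\<random>\sysdate.exe` path.

```python
import re

# Constructed .reg export (not a real capture): Shell and Userinit are the
# usual Winlogon values; Taskman is the value ButterflyBot.A adds.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Taskman"="C:\\RECYCLER\\S-1-5-21-1234567890-500\\sysdate.exe"
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Path shape from the write-up: C:\RECYCLER\<random value>\sysdate.exe
BUTTERFLY_PATH = re.compile(r"^[a-z]:\\recycler\\[^\\]+\\sysdate\.exe$", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse a .reg export into {key: {value name: data}}, keys and value
    names lower-cased. Only string values ("name"="data") are kept, and the
    .reg escapes for backslash and double quote are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
                keys[current][m.group(1).lower()] = data
    return keys


def find_taskman_persistence(text):
    """Return a list of findings about the Winlogon Taskman value ([] = clean)."""
    findings = []
    taskman = parse_reg(text).get(WINLOGON, {}).get("taskman")
    if taskman is None:
        return findings  # a clean system does not define Taskman at all
    findings.append(f"Winlogon\\Taskman is set: {taskman}")
    if BUTTERFLY_PATH.match(taskman):
        findings.append("data matches the ButterflyBot.A pattern (RECYCLER\\<random>\\sysdate.exe)")
    return findings


if __name__ == "__main__":
    for finding in find_taskman_persistence(SAMPLE_REG):
        print("[!]", finding)
```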

Means of transmission
ButterflyBot.A uses several means to spread itself in order to infect as many computers as possible. Additionally, each of these propagation methods can be enabled or disabled through specific instructions received from the "Command and control center" of the botnet.

ButterflyBot.A spreads through removable drives, instant messaging programs like MSN Messenger and P2P programs.

1.- Removable drives
In order to do so, it makes copies of itself in the removable drives of the system, affecting the removable devices that are connected to the computer, like the USB keys.

Additionally, it creates an AUTORUN.INF file in these drives, so that the worm can be automatically run whenever the device is connected to a computer.

2.- MSN Messenger
It sends instant messages which contain a link from which a copy of the worm is downloaded to all the contacts of the affected user.

If the user runs the downloaded file, the computer will be infected by the worm.

3.- P2P programs
The worm creates copies of itself in the shared folders of several P2P programs, using the names of legitimate programs so that other users searching for this type of software download and run them, believing them to be legitimate applications.

Last update 05 April 2015