
Backdoor.EvilBot.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Backdoor.EvilBot.B.

Explanation:

This is a minor modification of Backdoor.EvilBot.B, which BitDefender has detected since November 12th, 2002. This backdoor has two elements: an IRC bot and the backdoor itself. The IRC bot appears to have been written in Romania; it takes girls' names and joins busy Romanian channels such as #deva, #cluj, #sibiu, etc.

The bot actually has the capability to "talk" to the user; it offers to send a picture (which of course is the backdoor).

When the backdoor is first executed, it fetches the address of the RegisterServiceProcess API and uses it to register itself as a hidden task (under Windows 95/98 and ME only); it then creates a registry key for itself so that it is automatically executed at every Windows startup.

After that, the backdoor connects to port 6667 (IRC) of the server eu.undernet.org, generates a random nickname and joins the channel #ucica. This channel is marked secret, and a user must have a special key to join it.



The commands can be sent either by private message to a single user or as a message in the channel (those commands will be executed by all users). Available commands:

upd – updates the bot; this command always fails because the backdoor attempts to update itself from update.ur.address/thepath.exe, an address that obviously doesn't exist.
down – downloads a file from the web and executes it;
nick – changes the nick;
p1, p2, p3, p4 – floods an internet address (with ping commands);
msg – sends a trivial message to a user;
udp – UDP floods an internet address;
s – executes a file;
l – parts a channel;
j – joins a channel;
r – sends a user a string like "evilbot ready for attack...";
pwX – makes the users quit the channel and terminates the backdoor process; however, the file remains on disk and the registry entry is still there, so the backdoor will be executed again on the next reboot.
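As an added example, not part of BitDefender's description, the following Python check parses IRC protocol lines and flags the indicators the text gives: a JOIN to #ucica, channel messages that begin with one of the command words above (pwX matched as any word starting with "pw"), and the "evilbot ready for attack" string. The sample lines are constructed, and the connection to eu.undernet.org on port 6667 is assumed to be matched separately at the flow level.

```python
import re
from collections import Counter

# Indicators from the write-up; the C2 server eu.undernet.org:6667 is matched at flow level, not here.
C2_CHANNEL = "#ucica"
BOT_COMMANDS = {"upd", "down", "nick", "p1", "p2", "p3", "p4", "msg", "udp", "s", "l", "j", "r"}
READY_STRING = "evilbot ready for attack"
# optional ":nick!user@host " prefix, a command word or numeric reply, then the rest of the line
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})\s*(?P<rest>.*)$")

def parse_irc(line):
    """Split a raw IRC line into prefix, command, middle params and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    rest, trailing = m.group("rest"), None
    if rest.startswith(":"):
        rest, trailing = "", rest[1:]
    elif " :" in rest:
        rest, trailing = rest.split(" :", 1)
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd"),
            "params": rest.split(), "trailing": trailing}

def classify(line):
    """Return indicator tags for one IRC line; an empty list means nothing matched."""
    msg = parse_irc(line)
    if msg is None:
        return []
    tags = []
    targets = msg["params"] + ([msg["trailing"]] if msg["trailing"] else [])
    if msg["cmd"] == "JOIN" and C2_CHANNEL in targets:
        tags.append("join-c2-channel")  # the channel is secret and keyed, so JOINs are rare
    if msg["cmd"] == "PRIVMSG" and msg["trailing"]:
        words = msg["trailing"].lower().split()
        first = words[0] if words else ""
        # command words only count inside the C2 channel: "s", "j", "r" alone are everyday chat
        if msg["params"][:1] == [C2_CHANNEL] and (first in BOT_COMMANDS or first.startswith("pw")):
            tags.append("bot-command:" + first)
        if READY_STRING in msg["trailing"].lower():
            tags.append("ready-string")
    return tags

def scan(lines):
    """Count indicator tags over a batch of IRC lines from a sensor or proxy log."""
    return Counter(tag for line in lines for tag in classify(line))

# Constructed sample traffic, not a real capture; 192.0.2.10 is a documentation address.
SAMPLE = [":abc123!u@h JOIN :#ucica", ":op!u@h PRIVMSG #ucica :udp 192.0.2.10",
          ":op!u@h PRIVMSG #ucica :pwX", ":abc123!u@h PRIVMSG op :evilbot ready for attack...",
          ":alice!u@h PRIVMSG #cluj :hello there"]
```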

Last update 21 November 2011
