Log in | Back to darenet.org

GT-Bot Removal

m
 
Line 48: Line 48:
* [http://golcor.tripod.com/gtbot.htm How-To Explaining How to Manually Find and Remove GT Bots]
* [http://golcor.tripod.com/gtbot.htm How-To Explaining How to Manually Find and Remove GT Bots]
-
[[Category:Documentation]] [[Category:Exploits Prevention]]
+
[[Category:All]] [[Category:Exploits Prevention]]

Current revision as of 23:17, 29 December 2009

GTbot stands for Global Threat bot. It is nothing more than a renamed mirc client (usually temp.exe) running in stealth mode. It utilizes the HideWindow program to enable it to run stealth, and can contain any number of mirc bot scripts. This Trojan is usually downloaded by users on IRC networks when they are tricked into thinking it is a cleaner, utility program. Sometimes users are even threatened to be banned from DareNET by those that have no such authority to do so.

Once installed the Trojan launches the stealth mIRC, which joins a channel on an IRC network and awaits commands of the bot master. These bots are one of the key instruments in launching DDOS attacks to users on IRC. If we can eliminate these kinds of trojans, hackers world wide would be disarmed.

Technical Details

When the Trojan file is downloaded and run, it installs several files into either a folder it creates; or an existing windows folder. Most versions create temp.exe (mirc.exe), temp2.exe (HideWindow) and mirc.ini. In addition *.ini and *.txt files are created that serve as the scripts for the mirc client that the bot master can use to control the host computer.

GTBot adds a registry key similar to the one below to ensure it runs on every boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WHVLXD"
Type: REG_SZ
Data: C:\<folder gtbot is in>\WHVLXD.exe

It also modifies several mIRC registry values similar to the keys below:

HKEY_CLASSES_ROOT\ChatFile\DefaultIcon "(Default)"
Old data: "C:\MIRC\MIRC.EXE"
New data: "C:\<folder gtbot is in>\TEMP.EXE"

HKEY_CLASSES_ROOT\ChatFile\Shell\open\command "(Default)"
Old data: "C:\MIRC\MIRC.EXE" -noconnect
New data: "C:\<folder gtbot is in>\TEMP.EXE" -noconnect

HKEY_CLASSES_ROOT\irc\DefaultIcon "(Default)"
Old data: "C:\MIRC\MIRC.EXE"
New data: "C:\<folder gtbot is in>\TEMP.EXE"

HKEY_CLASSES_ROOT\irc\Shell\open\command "(Default)"
Old data: "C:\MIRC\MIRC.EXE" -noconnect
New data: "C:\<folder gtbot is in>\TEMP.EXE" -noconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC 
"UninstallString"
Old data: "C:\MIRC\MIRC.EXE" -uninstall
New data: "C:\<folder gtbot is in>\TEMP.EXE" -uninstall

Solutions

The easiest way to clean GTBot is to download lockdown's free scanning utility. See the resources section at the end of this article for the URL.

To clean manually, locate and delete the registry key it created. The mIRC keys it modified are of no importantance and will not affect how your computer runs. After you delete the key you can either reboot your machine or "End Task" in task manager on the bot. The task is usually temp.exe. Once the bot is disabled you need to find where the bot is. To do that, locate a mirc.ini file in a place it is not supposed to be. If the bot created its own folder you can simply delete all the files in that folder and the folder. If the bot installed to a current windows folder like c:\windows\system, then you will have to identify what version of the bot you have and find the files which that bot creates to clean them all. To identify what version you have you can scan with swat it and it will tell you the version you have.

Resources