GTBOT REMOVAL

#Contents:
#1. Introduction
#2. How can you get infected with GTBot?
#3. Technical details about GTBot
#4. Acknowledgments

------------------
#1. Introduction
------------------
GTBot stands for Global Threat Bot. GTBot is like a normal mIRC client; the difference is that GTBot runs by itself and
has pre-made scripts inside the client which allow the owner of the GTBot to control it. If a person can control another mIRC client,
he can start spamming, DDoSing, flooding and many other harmful things.
GTBot was written by Sony, mSg and DeadKode in 1999.
------------------------------------------
#2. How can you get infected with GTBot?
------------------------------------------
This Trojan is usually downloaded by users on IRC networks when they are tricked into thinking it is a cleaner or utility program. You
can also get infected if you download bogus files from the internet. In my experience of all this time in #dmsetup, I've been dealing with a lot of victims
that downloaded files for cracking or hacking passwords and got infected by GTBot. There are numerous ways of getting infected; the best way to stay
clean is to think twice before you download something, check who you are downloading from and also ask yourself if you can trust that source.

-----------------------------------
#3. Technical details about GTBot
-----------------------------------
When GTBot is downloaded onto a victim's machine it installs several files into either a folder it creates or an existing Windows folder.
Most GTBots install files like defchan.ini and a bogus .exe file like temp.exe, temp2.exe, cvzhost.exe or lots of other names. GTBot has lots of versions
because the code is very easy to edit. In my time of helping, about 1 out of 3 victims had a version of GTBot that I hadn't seen before.
In 95% of cases GTBot is installed in Windows folders. Examples of GTBot paths: "c:\Windows\SYSTEM\WFW\tmp\", "c:\Windows\System\UPD\",
"c:\WINDOWS\SYSTEM32\DRIVERS\via\dll\" and the list can go on.
Other than the ".ini", ".txt", ".dll" or ".exe" files, GTBot also installs a registry key in the Windows startup keys. The regkey is used for running
the ".exe" every time the victim turns on his PC. The regkey of GTBot is located in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
An example of such a regkey could be:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cvzhost"=C:\Windows\system32\dll\cvzhost.exe
"Mirc"="C:\\Windows\\system.exe"
"WindowsChecker"="C:\\Windows\\parali\\runserv.exe"
In all versions of GTBot, whether you know the version or it is a new one, the GTBot will ALWAYS contain a mirc.ini file in the GTBot path. That means it can be located
by searching for mirc.ini through the Windows folders.

-------------------
#4. Removal Steps
-------------------

First send this command:
//say $exists(C:\WINDOWS\defchan.ini) - $exists(C:\WINDOWS\remote.ini) - $exists(C:\Windows\users.ini)
If any of them answers $true, play that file in the backchannel and read it; you will find some interesting things there.
Remember, Windows is a legit folder, so you cannot delete the entire folder; you will need to delete manually the .exes, .inis, .icos, or every bad file that you see.
You can get an idea of what files you could find in the Windows folder by reading the mirc.ini. Play it in the backchannel (#virusfree) and you will find some files used by the GTBot, like:
[files]
servers=servers.ini
finger=finger.txt
urls=urls.ini
addrbk=addrbk.ini
trayicon=vx.ico
[pfiles]
n0=popups.ini
[rfiles]
n0=remote.ini
n1=remote.ini
n2=bear.txt
[afiles]
n0=aliases.ini
You see that servers.ini, finger.txt, urls.ini, addrbk.ini, vx.ico, etc. are the files in use by the GTBot. You can play them in the backchannel or just remove them; they will be in C:\Windows\
Now you need to find the .exes that are running. You can check them by exporting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The command is:
//run regedit /a c:\regfix.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | !say Done
And for 98/ME:
//run regedit /e c:\regfix.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | !say Done
Now you just need to play C:\regfix.reg to the backchannel. The export looks like this:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"Mirc"="C:\\Windows\\system.exe"
"WindowsChecker"="C:\\Windows\\parali\\runserv.exe"

Now, using Google, we can check which files are good or bad. In this case, just by the location we can tell which ones are bad; we got two:
"Mirc"="C:\\Windows\\system.exe"
"WindowsChecker"="C:\\Windows\\parali\\runserv.exe"
Now let's first remove the files.
The files are running, so we can't delete them just by using the remove command; we need to kill the process and then check the attributes.
The command to kill the process is: //!run cmd /c taskkill /f /im system.exe /t | say d0n3 (change cmd to command on 98/ME)
Once the process is killed, let's check the file attributes: //say $file(C:\Windows\system.exe)
We can get something like: ahrs
Where r stands for: Read-Only
h for: Hidden
s for: System
a for: Archive
So we need to remove the attributes using the command: //!run cmd /c attrib -r -h -s C:\Windows\system.exe | !say D0n3
Now we can delete the file: //!remove C:\Windows\system.exe | !say $exists(C:\Windows\system.exe)
If the answer is $false we're done with this file.
Now we need to do the same with the file C:\Windows\parali\runserv.exe
Once we have removed both, we need to edit the registry:
//!write -c c:\regfix.reg | !write c:\regfix.reg REGEDIT4 | !write c:\regfix.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] | !write c:\regfix.reg "Mirc"=- | !write c:\regfix.reg "WindowsChecker"=- | say d0n3
Now we need to import it using the command: //!run regedit /s c:\regfix.reg | say d0n3
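The triage done in the steps above (reading the file lists out of mirc.ini, spotting the bad Run entries by their location, and writing the "Mirc"=- lines of regfix.reg) as an added example in Python; this is not a script from the page or from #virusfree, and the mirc.ini excerpt, the Run-key export and the by-location heuristic are constructed here for illustration:

```python
import configparser
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed samples: a trimmed mirc.ini as GTBot leaves it, and a REGEDIT4 export of the Run key.
SAMPLE_MIRC_INI = "[files]\nservers=servers.ini\ntrayicon=vx.ico\n[rfiles]\nn0=remote.ini\nn1=remote.ini\nn2=bear.txt\n"
SAMPLE_RUN_REG = "\n".join([
    "REGEDIT4", "", f"[{RUN_KEY}]",
    r'"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"',
    r'"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"',
    r'"Mirc"="C:\\Windows\\system.exe"',
    r'"WindowsChecker"="C:\\Windows\\parali\\runserv.exe"',
])

def referenced_files(ini_text):
    """File names listed in the [files]/[pfiles]/[rfiles]/[afiles] sections of a mirc.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    names = []
    for section in ("files", "pfiles", "rfiles", "afiles"):
        names += [v for v in cp[section].values() if v] if section in cp else []
    return list(dict.fromkeys(names))  # the same file is often listed twice; keep order

def run_entries(reg_text):
    """Parse a REGEDIT4 export of the Run key into {value name: unescaped command line}."""
    entry = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
    entries = {}
    for line in reg_text.splitlines():
        m = entry.match(line.strip())
        if m:  # undo the \\ and \" escaping used in .reg files
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            entries[name] = data
    return entries

def suspicious(entries):
    """Constructed heuristic from the walkthrough: flag .exes in the Windows root or an odd Windows subfolder."""
    flagged = {}
    for name, cmd in entries.items():
        low = cmd.lower()  # the quoted path, or the whole value when unquoted
        path = low[1:low.index('"', 1)] if low.startswith('"') else low
        parts = path.split("\\")  # e.g. ['c:', 'windows', 'parali', 'runserv.exe']
        if parts[1:2] == ["windows"] and (len(parts) != 4 or parts[2] not in ("system32", "system")):
            flagged[name] = cmd
    return flagged

def regfix(names):
    """REGEDIT4 text that deletes the given Run values, the "Mirc"=- form used above."""
    return "\n".join(["REGEDIT4", "", f"[{RUN_KEY}]"] + [f'"{n}"=-' for n in names]) + "\n"
```

Running suspicious(run_entries(SAMPLE_RUN_REG)) flags exactly the Mirc and WindowsChecker values, and regfix(sorted(flagged)) yields the same regfix.reg the write command above builds by hand.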
We have finished with the registry. See? It isn't that hard, it's easy! But we still need to delete one more GTBot:
C:\WINDOWS\parali\mirc.ini
As you can see, parali isn't a legit Windows folder, so it won't be a problem if we remove the whole folder. We can check all the files inside the folder using this command:
//!say $findfile(C:\WINDOWS\parali\,*.*,*, write c:\suspect.txt File: $1- Size: $bytes($file($1-).size,k).suf)
Now you need to play c:\suspect.txt in the backchannel.
Then you can delete all the files inside the folder manually, or with a command like: //say $findfile(C:\WINDOWS\parali\,*.*,*,remove $1-)
Using that command you will get a number; that number is the count of files still in the folder. Repeat the command until you get 0. If you still get a number like 2, check which files remain to be removed with:
//!say $findfile(C:\WINDOWS\parali\,*.*,*, write c:\suspect.txt File: $1- Size: $bytes($file($1-).size,k).suf)
Play c:\suspect.txt again and delete the 2 remaining files manually (remember: kill processes, check attributes).
When you have finished, just remove the folder: //!rmdir C:\WINDOWS\parali\ | say d0n3 will do the trick.
Finally, send the //say $findfile(C:\,mirc.ini,0,msg #virusfree $1-) command again to check that everything is clean.
You must get this answer:
C:\Program Files\mIRC\mirc.ini