DESCRIPTION:
GTbot stands for Global Threat bot. It is nothing more than a renamed
mIRC client (usually temp.exe) running in stealth mode. It uses the
HideWindow program to run hidden, and can contain any number of mIRC
bot scripts. This Trojan is usually downloaded by users on IRC networks
when they are tricked into thinking it is a cleaner or utility program.
Sometimes users are even threatened with a ban from DALNet by people who
have no authority to do so.
Once installed, the Trojan launches the hidden mIRC client, which joins
a channel on an IRC network and awaits commands from the bot master.
These bots are one of the key instruments for launching DDoS attacks
against users on IRC. If these kinds of trojans could be eliminated,
hackers worldwide would be disarmed.
TECHNICAL DETAILS:
When the Trojan file is downloaded and run, it installs several files
into either a folder it creates or an existing Windows folder. Most
versions create temp.exe (the renamed mirc.exe), temp2.exe (HideWindow)
and mirc.ini. In addition, *.ini and *.txt files are created that serve
as the scripts for the mIRC client, which the bot master uses to control
the host computer.
GTBot adds a registry value similar to the one below to ensure it runs
on every boot:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WHVLXD"
    Type: REG_SZ
    Data: C:\<folder gtbot is in>\WHVLXD.exe
It also modifies several mIRC registry values, similar to the keys below.
"Old data" is the normal mIRC value; "New data" redirects the handler to
the bot's renamed copy of the client (TEMP.EXE):
  HKEY_CLASSES_ROOT\ChatFile\DefaultIcon "(Default)"
    Old data: "C:\MIRC\MIRC.EXE"
    New data: "C:\<folder gtbot is in>\TEMP.EXE"
  HKEY_CLASSES_ROOT\ChatFile\Shell\open\command "(Default)"
    Old data: "C:\MIRC\MIRC.EXE" -noconnect
    New data: "C:\<folder gtbot is in>\TEMP.EXE" -noconnect
  HKEY_CLASSES_ROOT\irc\DefaultIcon "(Default)"
    Old data: "C:\MIRC\MIRC.EXE"
    New data: "C:\<folder gtbot is in>\TEMP.EXE"
  HKEY_CLASSES_ROOT\irc\Shell\open\command "(Default)"
    Old data: "C:\MIRC\MIRC.EXE" -noconnect
    New data: "C:\<folder gtbot is in>\TEMP.EXE" -noconnect
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC "UninstallString"
    Old data: "C:\MIRC\MIRC.EXE" -uninstall
    New data: "C:\<folder gtbot is in>\TEMP.EXE" -uninstall
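As an added example (not part of the original advisory), the following Python script parses a regedit export of the keys above and flags the two indicators just listed: a Run entry launching one of the bot's known file names, and a mIRC handler or uninstall value that no longer points at mirc.exe. The export text, the C:\WINDOWS\SYSTEM paths and the file-name list are constructed from the advisory's description, not taken from a real infection.

```python
import re
from typing import List, Tuple
# Constructed REGEDIT4-style export; the values are made up to mirror the
# indicators in the advisory and are not from a real machine.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WHVLXD"="C:\\WINDOWS\\SYSTEM\\WHVLXD.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\TEMP.EXE\" -noconnect"

[HKEY_CLASSES_ROOT\irc\Shell\open\command]
@="\"C:\\MIRC\\MIRC.EXE\" -noconnect"
"""
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Key prefixes owned by mIRC that the advisory says the bot rewrites (lower-case).
MIRC_KEYS = ("hkey_classes_root\\chatfile\\", "hkey_classes_root\\irc\\",
             "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\uninstall\\mirc")
BOT_BINARIES = {"temp.exe", "temp2.exe", "whvlxd.exe"}  # drop names taken from the advisory
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def parse_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every string value in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m:  # "@" is the key's (Default) value; undo the \\ and \" escaping
            name = "(Default)" if m.group(1) is None else m.group(1)
            entries.append((key, name, re.sub(r"\\(.)", r"\1", m.group(2))))
    return entries

def executable_name(data: str) -> str:  # lower-case basename of the program in the data
    exe = data.split('"')[1] if data.startswith('"') else data.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()

def find_gtbot_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Flag autorun of a known drop name and mIRC keys no longer pointing at mirc.exe."""
    findings = []
    for key, name, data in parse_export(text):
        exe, k = executable_name(data), key.lower()
        if k == RUN_KEY and exe in BOT_BINARIES:
            findings.append((key, name, "autorun of suspected bot file " + exe))
        elif k.startswith(MIRC_KEYS) and exe != "mirc.exe":
            findings.append((key, name, "mIRC handler redirected to " + exe))
    return findings
```

Export the Run key and the HKEY_CLASSES_ROOT mIRC keys with regedit on the suspect machine and pass the file's contents to find_gtbot_indicators; a hit under the Run key is the value the manual cleaning step below tells you to delete.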
SOLUTION:
The easiest way to clean GTBot is to download Lockdown Corp's free
scanning utility, Swat-It. See the resources section at the end of this
document for the URL.
To clean manually, locate and delete the Run value it created. The mIRC
keys it modified are not important and will not affect how your computer
runs (beyond irc: links and .chat files, which will not open until those
values are restored or mIRC is reinstalled). After you delete the value,
either reboot your machine or use "End Task" in Task Manager on the bot;
the task is usually temp.exe. Once the bot is disabled you need to find
where it is installed. To do that, locate a mirc.ini file in a place it
is not supposed to be. If the bot created its own folder, you can simply
delete all the files in that folder and then the folder itself. If the
bot installed into an existing Windows folder such as c:\windows\system,
you will have to identify which version of the bot you have and find the
files that version creates in order to clean them all. To identify the
version, scan with Swat-It and it will tell you which version you have.
RESOURCES
Swat-IT Trojan Detection and Removal Utility
Lockdown Corp's Additional Information on GT Bots
How-To Explaining How to Manually Find and Remove GT Bots