
DB.exe (SystemUpgrade.exe)

Verdict: kind of boring so far

After a successful abuse of the flawed VNC 4.1.1, a file called DB.exe is ftp'd in from ftpd.xbytez.com.ar and executed. The login to the ftp server is in plaintext, so I had a quick look to see whether anything else was available there, and there is. See for yourself (if it's still running): ftp://ftpd.xbytez.com.ar:21 (the user name is B0t and the password is _A 159753b).

There's a whole little directory out there with choice virii: c.exe, DB.exe, DN.exe, GET OUT.txt, KILLER.exe, N.exe, PI.exe, PIC.exe and PIN.exe. (I like the GET OUT.txt: hmm, that really helps! No doubt there's a script that will collect the IPs of visitors to DDoS them later...)

GET 0ut holmes

hahaha

0wned?

just a friendly msg to av companys: FUCK U

The first thing DB.exe does is run 9.exe from the temp directory. This is followed by SystemUpgrade.exe, which is now installed in Program Files\Common Files\System. Next to run is 8.exe, from temp again, and lastly bt1354.bat. The VNC server is switched off and uninstalled (the program assumes only the service-mode VNC is running). Next up is a connection to an IRC server: 220.128.233.154 on port 7776, which belongs to HINET.NET in Taiwan (Chunghwa Telecom Data Communication Business Group, according to the whois).

The first command received from the C&C is to kill any other bots that might be running, in my case quite a few:

PRIVMSG #info :Botkiller thread started.
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\regsvc.exe (pid: 572)!
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\mstask.exe (pid: 580)!
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Can not delete: C:\WINNT\system32\explorer.exe (pid: 724)!
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\internat.exe (pid: 888)!
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\explorer.exe (pid: 300)!
:irc666.org 403 W1-n8d2 #info :No such channel
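As an added example (not code from the original post), here is a small parser that turns this botkiller chatter into an incident-response worklist: which files the bot claims to have deleted, which ones it could not (and so are still on disk), and the server, nick and channel leaked by the 403 replies. The sample log is a constructed copy of the lines above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a copy of the bot's IRC chatter captured above.
SAMPLE_LOG = r"""PRIVMSG #info :Botkiller thread started.
:irc666.org 403 W1-n8d2 #info :No such channel
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\regsvc.exe (pid: 572)!
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\mstask.exe (pid: 580)!
PRIVMSG #info :Can not delete: C:\WINNT\system32\explorer.exe (pid: 724)!
PRIVMSG #info :Bot killed and removed: C:\WINNT\system32\explorer.exe (pid: 300)!
"""

# One kill report: what the bot claims it did, the path on disk and the pid it hit.
KILL_RE = re.compile(r"^PRIVMSG\s+\S+\s+:(?P<action>Bot killed and removed|Can not delete):\s+"
                     r"(?P<path>.+?)\s+\(pid:\s*(?P<pid>\d+)\)!\s*$")
# The 403 numeric leaks the server name, the bot's nick and its reporting channel.
ERR_RE = re.compile(r"^:(?P<server>\S+)\s+403\s+(?P<nick>\S+)\s+(?P<chan>\S+)\s+:No such channel")

@dataclass(frozen=True)
class KillEvent:
    path: str
    pid: int
    removed: bool  # False: the bot could not delete the file, so it is still on disk

def parse_botkiller_log(text: str) -> list[KillEvent]:
    """Turn each kill report into a KillEvent; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = KILL_RE.match(line)
        if m:
            events.append(KillEvent(m["path"], int(m["pid"]), m["action"].startswith("Bot killed")))
    return events

def session_identity(text: str) -> dict:
    """Server, nick and channel from the first 403 reply, for the incident record."""
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            return {"server": m["server"], "nick": m["nick"], "channel": m["chan"]}
    return {}

def remediation_worklist(text: str) -> dict:
    """Paths the bot says it deleted versus paths that still need manual cleanup. A path with
    any 'Can not delete' report stays on still_on_disk even if another copy was removed."""
    events = parse_botkiller_log(text)
    still = {e.path for e in events if not e.removed}
    gone = {e.path for e in events if e.removed} - still
    return {"still_on_disk": sorted(still), "claimed_removed": sorted(gone),
            "pids_hit": [e.pid for e in events]}
```

Note that C:\WINNT\system32\explorer.exe is not where the real Explorer lives, so the paths themselves are worth a second look during cleanup.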

All the bots on the server are scanning merrily away for vulnerable VNC servers, or ones with easily guessed passwords, and when they find one they report it into the channel. The SystemUpgrade executable contains the list of passwords that are tried:

love boobs porn pass high server ftp dell duck master owner register passwdtosilentvnc paper money cool kool kkk bass helpme tom bobnob bob ryan pimpin jesus god coke weed cracker crack whore shit fuck bitch leet password admin root cam comp computer change changeme test testing sex sexy pimp help monkey qwerty abcdefgh abcdef abcde abcd abc

Apart from scanning merrily away, there is also a backdoor opened on port 12041. This turns out to be an ftp server, with username Jav0 and password _A159753cd, which responds to a connection with "220 Hello!" -- very friendly, but every ftp command I send seems to have no effect beyond "500 Command Not Supported", despite several responses being hard-coded into the executable. Maybe I'm not asking nicely enough?

Having ensured that the scanning isn't going anywhere and that port 12041 is forwarded to the right machine, I'll just leave this thing be for now. After all, it's killed off my interesting Romanian thing, which wasn't doing very much either...