fuck uuuuuu fuck uuuuuuu
Technical Details:
Quote:
Malware type: Backdoor
Aliases: Backdoor.Win32.Optix.Pro.13 (Kaspersky), BackDoor-ACH (McAfee), W32.HLLW.Gaobot (Symantec), BDS/Optix.Pro.13.30 (Avira), Troj/Optix-C (Sophos)
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Overall risk rating:
Low
--------------------------------------------------------------------------------
Reported infections:
Low
Damage potential:
High
Distribution potential:
Low
--------------------------------------------------------------------------------
Description:
This backdoor program sets up a server that listens for incoming TCP connections. Because it is highly configurable, the exact port it uses may vary. Upon accepting a connection from a special client, it grants full control of the system to a remote malicious user.
It also attempts to connect to an IRC server and channel, acting like a bot and waiting for commands from a remote user.
It appends data in the HOSTS file, which prevents the user from accessing certain antivirus and security-related Web sites.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Quote:
Size: 290,816 Bytes
Date: Dec 30, 2004
Payload: Prevents user from accessing antivirus Web sites
Trigger condition: Upon execution
Payload: Compromises system security
Trigger condition: Upon execution
Details:
Installation and Autostart Techniques
Upon execution, it drops the file WINLOGINS.EXE in the Windows system folder.
It creates the following registry entries to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
winlogins.exe = "winlogins.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
winlogins.exe = "winlogins.exe"
Backdoor Capabilities
This backdoor program allows a remote malicious user to perform the following on the compromised system:
- Upload files
- Execute files
- Execute IRC commands
- Log user keystrokes
- Interfere with the user's activities.
Modifying HOSTS File
This backdoor program also modifies the HOSTS file, which contains hostname to IP address mappings. The said file is usually located in the following folders:
• %System%\drivers\etc\hosts
• %Windows%\hosts
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
It appends data to the said file, which prevents the user from accessing any of the following Web sites:
- avp.com
- ca.com
- customer.symantec.com
- dispatch.mcafee.com
- download.mcafee.com
- f-secure.com
- kaspersky.com
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- mast.mcafee.com
- mcafee.com
- my-etrust.com
- nai.com
- networkassociates.com
- rads.mcafee.com
- secure.nai.com
- securityresponse.symantec.com
- sophos.com
- symantec.com
- trendmicro.com
- update.symantec.com
- updates.symantec.com
- us.mcafee.com
- viruslist.com
These Web sites are usually related to security or antivirus companies.
Other Details
The backdoor program may also delete all files in the system whose names contain the string SOUND.
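As an added defender-side example (not part of the vendor writeup above), the following Python parses a HOSTS file and flags any entry that pins one of the security-vendor domains listed in the writeup, or a subdomain of one. The HOSTS content below is constructed for illustration, not a real sample taken from the backdoor.

```python
import ipaddress

# Domains the writeup says the backdoor blocks through HOSTS entries (taken from the page).
BLOCKED_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com",
}

def is_watched(host):
    """True if host is a listed domain or a subdomain of one (e.g. www.mcafee.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in parts[1:]:
            yield str(ip), name

def find_hijacked_entries(text):
    """Return (ip, hostname) pairs that pin a watched vendor domain. A clean HOSTS
    file has no reason to map these at all, so every such mapping is flagged."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]

# Constructed sample HOSTS content, modelled on the behaviour the writeup describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # appended by malware
0.0.0.0         kaspersky.com
192.168.1.10    intranet.example   # legitimate local entry, not flagged
"""

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

Running the same scan over %System%\drivers\etc\hosts on a suspect machine is a quick check for this family's blocking behaviour; any hit is worth comparing against the file's modification time and the RunServices/Run entries above.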