I was browsing around Rizon (IRC) and got a PM from a bot sending me to a link with a .exe file, claiming it to be "hacking tools".
Naturally I was skeptical about the exe, so I downloaded it to have a look. Turned out the exe was packed with UPX, which is easy to unpack, so I downloaded upx.exe and unpacked it.
I installed it on a virtual machine (VMware) and checked it out.
It copied 2 files - "Soundmax.exe" (a modified mirc.exe) and "mirc.ini" (not exactly discreet, is it?)
Well, I closed soundmax.exe and set up my packet sniffer, then restarted the soundmax.exe file.
I noticed it was connecting to an IP address (216.***.***.***) which was forwarding me on to irc.webchat.org on port 6667.
I then noticed it set the modes +ixMn and changed the nick to "kashmin||523457".
Once the nick had changed it sent a notice to a user called abart telling him the commands, which were:
!joinchan
!partchan
!close (rehash)
!morebot (create clones)
!helpflood
and !bosscontrol
Upon looking at some of the files I noticed that the bot only listens to commands from users with the nick "abart" or "asscrewz".
I connected to the IRC network and joined the channel. There were about 50 bots in there at the time (including myself).
I did a whois on abart and noticed he was online and was an @/+ in a few channels (including a help channel, funnily enough).
I then whois'd asscrewz and noticed he was offline, so I changed my nick to asscrewz and tried out some of the commands, which worked successfully.
I soon got bored investigating this bot as it was pretty lame and basic with very few commands. Since it didn't have a !remove command I reported the bots/channel and owner to an oper, who klined all of the bots.
The files are stored in "C:\Windows\Drivers\Firewall" and the main executable is "soundmax.exe".
Just a little information for anyone who comes across this bot (although it's unlikely, because it seems to be unpopular and spread by manual infections etc.).
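For anyone who wants to spot this bot in their own sniffer output, here is a small Python triage script written as an added example for this post (it is not code from the post or from the bot). It parses raw IRC lines and scores the indicators described above: the NICK change to a kashmin||<digits> style clone nick (the regex generalises the one observed nick to any word||digits scheme), user modes +ixMn, a NOTICE to abart listing the !commands, and a controller nick issuing one of those commands. It also mirrors the bot's nick-only authorisation check, which is why simply taking the unused nick asscrewz was enough to drive it. The transcript embedded at the bottom is constructed to match the post; the ident, host and channel in it are assumptions for illustration.

```python
"""Triage of a sniffed IRC session for the SoundMax/mIRC bot behaviour above.

Added example, not code from the post or the bot.  SAMPLE_SESSION is a
constructed transcript mirroring the post; ident, host and channel names in it
are assumptions for illustration.
"""
import re

# Indicators lifted from the write-up.  CLONE_NICK_RE generalises the one
# observed nick "kashmin||523457" to any "word||digits" clone naming scheme.
CONTROLLER_NICKS = {"abart", "asscrewz"}
BOT_COMMANDS = {"!joinchan", "!partchan", "!close",
                "!morebot", "!helpflood", "!bosscontrol"}
CLONE_NICK_RE = re.compile(r"^[A-Za-z]+\|\|\d+$")
SUSPICIOUS_MODES = "+ixMn"

# ":prefix COMMAND params" - the prefix is only present on server->client lines.
IRC_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, [middle params], trailing)."""
    m = IRC_LINE_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    cmd = m.group("cmd").upper()
    params = m.group("params") or ""
    trailing = None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return prefix, cmd, params.split(), trailing


def nick_of(prefix):
    """'nick!ident@host' -> 'nick' (None if the line had no prefix)."""
    return prefix.split("!", 1)[0] if prefix else None


def bot_accepts_command(prefix):
    """The bot's authorisation as the post describes it: nick only, ident and
    host ignored.  This is exactly why taking the unused nick 'asscrewz'
    was enough to control it."""
    return nick_of(prefix) in CONTROLLER_NICKS


def triage(lines):
    """Score a session and return (score, [reasons]); 4 or more is a confident hit."""
    score, reasons = 0, []
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, cmd, params, trailing = parsed
        if cmd == "NICK":
            newnick = params[0] if params else (trailing or "")
            if CLONE_NICK_RE.match(newnick):
                score += 2
                reasons.append(f"clone-style nick {newnick}")
        elif cmd == "MODE":
            # client form 'MODE nick +ixMn' or server echo 'MODE nick :+ixMn'
            modes = params[1] if len(params) > 1 else (trailing or "")
            if modes == SUSPICIOUS_MODES:
                score += 1
                reasons.append(f"user modes {modes} set")
        elif cmd == "NOTICE" and params and params[0] in CONTROLLER_NICKS:
            found = sorted(BOT_COMMANDS & set((trailing or "").split()))
            if found:
                score += 3
                reasons.append(f"command menu sent to {params[0]}: {' '.join(found)}")
        elif cmd == "PRIVMSG" and bot_accepts_command(prefix):
            words = (trailing or "").split()
            if words and words[0] in BOT_COMMANDS:
                score += 2
                reasons.append(f"{nick_of(prefix)} issued {words[0]}")
    return score, reasons


# Constructed transcript (client lines have no prefix, server lines do).
SAMPLE_SESSION = [
    "NICK kashmin||523457",
    "USER soundmax 0 * :soundmax",
    ":irc.webchat.org 001 kashmin||523457 :Welcome to the Internet Relay Network",
    "MODE kashmin||523457 +ixMn",
    "NOTICE abart :!joinchan !partchan !close !morebot !helpflood !bosscontrol",
    ":abart!abart@example.invalid PRIVMSG #clones :!joinchan #help",
]

if __name__ == "__main__":
    total, why = triage(SAMPLE_SESSION)
    print(f"score {total}")
    for reason in why:
        print(" -", reason)
```

Feed it the reassembled TCP stream from your sniffer, one IRC line per entry. The scoring is deliberately weighted so that the command menu NOTICE alone (3) plus the clone nick (2) clears the threshold without needing the controller to be active at the time of capture.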




