Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

IRC Botnets Alive, Effective & Evolving

NIRMAL SINGH

April 23, 2015 - 16 Lesezeit: Min

Security Insights

Inhalt

Article
Weitere Blogs

Introduction

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.

In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.

DorkBot Installer
In our telemetry data from last 3 months we have seen following URL serving the DorkBot installer:

api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif (Check APPENDIX section for additional info.)

The malware executable checks for two command line arguments

"-aav_start" - It terminates
"–shell" - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named “Windows_Shared_Mutex_231_c000900” to ensure only one copy of Dorkbot is running

If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions.

It first injects a thread into svchost.exe and performs the following actions:

Copy itself as "%APPDATA% \Update\Explorer.exe" on the infected system.
Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:

DorkBot - Hardcoded Domains

The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.

DorkBot - memory strings

It also creates a remote thread in the “calc.exe” process that performs the following actions:

Creates a mutex with the name “c731200”
Checks for Internet connectivity using API InternetCheckConnection with www.google.com as the URL.
It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:

DorkBot- Random file names

All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.

DorkBot - Encrypted URLs

DorkBot - Pseudocode of decryption function

Below is the full list of URLs from from where it tries to download additional malware:

URL
http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
http://api2[.]wipmania[.]com[.]wipmsc[.]ru/api2.gif
http://api3[.]wipmania[.]com[.]wipmsc[.]ru/api3.gif
http://api4[.]wipmania[.]com[.]wipmsc[.]ru/api4.gif
http://api5[.]wipmania[.]com[.]wipmsc[.]ru/api5.gif
http://api6[.]wipmania[.]com[.]wipmsc[.]ru/api6.gif
http://api7[.]wipmania[.]com[.]wipmsc[.]ru/api7.gif
http://api8[.]wipmania[.]com[.]wipmsc[.]ru/api8.gif
http://api9[.]wipmania[.]com[.]wipmsc[.]ru/api9.gif
http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif
http://api[.]wipmania[.]com[.]selfmg[.]ru/api.gif
http://api[.]wipmania[.]com[.]lotus5[.]ru/api.gif
http://api[.]wipmania[.]com[.]wipmania[.]ru/lkwaxd.gif
http://api[.]wipmania[.]com[.]lotys[.]ru/vjojai.gif
http://api[.]wipmania[.]com[.]bwats[.]ru/ofjtme.gif
http://api[.]wipmania[.]com[.]stcus[.]ru/apsphv.gif
http://api[.]wipmania[.]com[.]cmoen[.]ru/zkmchm.gif
http://api[.]wipmania[.]com[.]artbcon3[.]ru/frflec.gif
http://api[.]wipmania[.]com[.]yeloto[.]ru/zwfmwd.gif
http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif

DorkBot

Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to it's similar feature set. It is one of the most powerful IRC based botnets that generates revenue for the botnet operator via the following features:

Capable of spreading via chat messengers, USB drives, & social networking sites
Supports multiple Distributed Denial of Service (DDoS) attack types
Capable of stealing login credentials for multiple HTTP and FTP sites
Blocks security update related websites to evade detection
Capable of downloading, installing and uninstalling other malware payloads

RageBot, Phorpiex, and IRCBot.HI Analysis –

From our 3 months telemetry data, we have seen the following URLs serving these IRC bots–

URL	MD5	Malware Name
Ernsthaft[.]su/ert[.]exe	6C738D0A737D16C87EB40C24C5F594A6	IRCBot.HI
Mslighton[.]net/uploads/io[.]exe	C73DBA5827728EEAC59951B14AB329F4	RageBot
Colorfashionbox[.]com/u[.]exe	F919C902AC07AF339BBD753E6EFF89C7	Phorpiex
Dumanfun[.]com/t[.]exe	DBC477DF90D4ECB37B698C571DE90D11	Phorpiex

In addition to IRC based C&C communication, all these bots have following similarity in their operation:

1. Checks execution environment - Virtual Environment, Honeypot or Sandbox

RageBot - Check via Username

As seen in the screenshot above, Ragebot is checking for common usernames found in certain public sandboxing environments before executing further.

Phorpiex - Check via DLL name

Phorpiex bot looks for strings like 'qemu', 'virtual', and 'vmware' in system registry to check for execution in Virtual Environment. In addition, it also checks for the presence of Sandboxie sandbox environment by looking for specific DLLs as seen in the screenshot above.

IRCBot.HI - Check via DLL & Product IDs

It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.

2. Creates Mutex

RageBot – It creates a mutex with name “ie”

RageBot - Mutex

Phorpiex – It creates a mutex with name “t2”, We have also seen some Phorpiex samples which were creating mutexes with name “t3” and “t4”.

Phorpiex - Mutex

IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>

IRCBot.HI - Mutex

3. Installation

RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.

RageBot – Building installation path

If it is not able to create the file at the above mentioned locations then it tries to install itself in “C:\RECYCLER” directory.

Phorpiex – It installs itself into %WINDIR% , %USERPROFILE% , %APPDATA% and %TEMP% locations by creating a folder “M-50504578520758924620” containing a file named winmgr.exe.

Phorpiex – Pseudocode of Installations function

It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.

IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops copy of itself as lsass.exe. In %USERPROFILE%, it drops copy of itself as ctfmon.exe.

IRCBot.HI – Installing in different locations

4. Adding autostart feature using Run registry key.

RageBot – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Windows Update”

Phorpiex – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Microsoft Windows Manager”

IRCBot.HI – Creates Run Once Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and key name as – “*<RandomNumber>”

IRCBot.Hi – RunOnce Entry

5. Adding itself to Windows Firewall trusted application list

All these bots add themselves to the Windows Firewall’s exception list by modifying the key

"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

6. Propagation method

RageBot –

It copies itself to the following P2P & Instant messenger application folders for spreading
- \Program Files\LimeWire\Shared
- \Program Files\eDonkey2000\incoming
- \Program Files\KAZAA
- \Program Files\Morpheus\My Shared Folder\
- \Program Files\BearShare\Shared\
- \Program Files\ICQ\Shared Files\
- \Program Files\Grokster\My Grokster\
- \My Downloads\
It also searches for RAR files and copies itself inside them.

Phorpiex –

A. Creates a shortcut in a removable device

It checks for all removable devices
Copies itself with a different name
Creates a shortcut to an already present folder and sets the path of a shortcut to run the malicious file
Hides the malicious file and folder by setting a hidden attribute for both

Phorpiex - Creating Shortcuts

B. Creates an autorun.inf file in removable devices to autorun the malicious file

Checks for all removable devices.
Copies itself with a name of windrv.exe
Creates an autorun.inf file to autorun the malicious file

Phorpiex - Creating autorun.inf file

IRCBot.HI -

We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype.

IRCBot.HI - Skype inject related string

7. IRC based Command & Control communication

All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.

RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:

RageBot - C&C Communication

You can find full list of C&C commands in the appendix section.

Phorpiex – It tries to connect to trksrv[.]su on port 5050. Some other IRC servers it tries to connect to are - trik[.]su , srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:

NICK `|USA|hihdlxu

USER x "" "x" :x

Some other commands:

001 -> Sends JOIN #b message to server

PING -> Checks status

.j <channel name> - > Join given channel

bye -> Uninstall bot

Phorpiex - C&C Communication

IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667.

Upon successful connection, it sends the following IRC commands:

PASS ddos

USER <8 char string> <1 digit number> * :<8 char string>

NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>

JOIN #PlanB

Below is a sample of the C&C communication for this bot:

IRCBot.HI - C&C Communication

Conclusion
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Appendix

DorkBot installer URLs and MD5

TIME	MD5	URL
Jan-15	E49B3EF80FF4DB4DB1D5220930EC7DAD	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	CC9D72663D2495779B0C81AEE34592E7	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	A98472BCAA010433A80410C3483C90E1	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	EEFC72EFFD96FFD11EC2D69CD6248AC5	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	4E7149C1401F5A0BC34E3AAD6070F4BE	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	5B14C029570F40BDDC73669FE4EFEFB0	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	4C54D366B04F9980F038CB6FC62603D0	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	6E4282023D6A19B27C30DB5D54CEE32C	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	E7B61B2BE23167965079468DF36497EF	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	DC8CBA3F91A34F0D1EFA79BE4495B305	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	8AAD291926335F28B4402830252556F7	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	8036A36C372602CFA049996B9F5BD6AE	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	8036A36C372602CFA049996B9F5BD6AE	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	7257FD6F90B5AA9BB249EA74B764A401	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	B186525826856E881E879C6C44BB2452	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	220188F1BD2E10BA0751383EA0946DBA	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	2DB9BD0ABD99F3285721D358A6816737	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	EBEB072B8336F5FD35328227A60B271C	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	01303BEFE5938C3C748C4E058A8A6AE9	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	82E2CA09BDEB3ABF8B70D848F66793E7	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	0B2E7AE8DF2ADA1E86A3A25FC248C6FE	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	430560EBD3BE6A680BFA6409F332585B	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	F79AF05D9B43F99EB6FC64DA2C129F67	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	384252746FAFF8D264E6A8CA450B6301	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	C9636239ED698834CABA78E1F9F8DB0F	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	9C42746376CC7D265D6BF554B960EDE2	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	67B08BF0F2C89DE4E0D1C36BAF7193B9	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	735B6602B4BD1D71246F43642D6873AA	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	7D9AF61AE962443D586BFC8A86100B5F	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	05ABC48A4BEE624D7952954CF14F699D	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	FF638ACA7D8D10ED8AD2DE1BC333123D	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	AA4085182E8F10FEC8EBC3F6D3612321	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	1A54593E7C82DD1B16B7626FCB211DA1	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15	235E67A88907DA68BFBB9264A00A31E3	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	2CBD9428DEE885C30258BF0C38299138	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	CCDC5EC2085536160813658BE549F0B6	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	CBD732F87901EE03820DBA41D0D2895A	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	BE5E43F2786D628B7AA8689C2108247D	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	5AEC4A3B3E0AEB3B13B98086FC81D797	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	6034814DB1C25A092C39F251F29B2216	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	6CAE0B51E5EAD86EEA47C4068287650A	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	451E324D3CB601E00FA041D6FDE1C4EC	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	9AEB3A097F11887D89EC08D337814B6B	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	8F9F97232DBE283BC5E7B6AB4DD580B8	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	F57A08679380F3FDFD369528FE5CE854	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	F24BC22CFD12E3FDE40D06BF54F35CF1	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	4BB4C19B5FC2401D45845789CC761577	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	583432D95424EC051AFE9E621DC41ACA	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	C5756AC3FE61266D326B43E904BC1A6C	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	44012367D7FFA7845B59462952AB9014	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	FC506F023FF71E3ACDEE4449C43E5F1B	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	322E11B552B897ADBC9ABCE51774988E	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	EC0832E5818E4CD753C4B2675C6179A1	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	63C37B2FEB0C0F71568B9771AC4DACE4	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15	7BE4749D1D1F8950F7288C67A393B7F0	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	ADDF9E2B207AD9E89DB46E81A8121882	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	3E70DB4E5F5F60F2FDE7AEC38F4B30CD	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	268301147BC53722A898E1F38E6F026D	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	309FB15C08861BC063C19C326A29AC98	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	422C1A2BC53F72CAE5435F7F5598BDFD	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	30A6C9DC574075C5EA47F17EA9392C47	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	37A9570400CB0C0CD4E5273AE3232EB5	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	E59BCA5EE865FE5789C96B20A43F9207	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	919C861E6A6ABF88045476D5D92A5DE1	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	5FD98DE177F158C31960BF80272F2535	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	9439AA18598643131B3F8DD9E69AB294	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	F66A06166B73391C4C7A7A58CC6CE66C	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	79589FC33375A63BB44A8DE0B2B5DAF8	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	2C328EF3F2074D68729F329D4B2F8013	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	90E8FF73C7E78B99ABCD1FC22394F22E	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	A3AEC401831AF6EF1C75AFB1C50D96DA	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	42C7C8719D33AFCF36DC7D5D2594EB5B	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	375E51758336183B07CA7DBF771D2EF8	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	FA20E413002E17B938B2451552721027	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	09840FA1887528B20C98C408C8EB6E07	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	6AB2975E77EA4724FADF4CCB7250F0E9	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	51E7E34FFB5EF17FDE5FAFC5DF8F7212	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	F61E3F5ACFE1F861CECEA0A793D4F333	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	229236B39E92E629178419CB8A529E1A	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	D299AD2A61F325F5DA56AE7674D2F77D	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	53CA20232F358A9C256748403451EF14	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	41BE96D1B3BDF9E48D97AE153D6EFD45	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15	213E0B42AF7CF1D0DCB75E378CA93512	api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif

RageBot Commands

Command	Description
PING	Check status
422	Check status
433	Redefine nick name
-s	Silent mode
h 0f6969d7052da9261e31ddb6e88c136e	Uninstall bot.
h fd456406745d816a45cae554c788e754	Download and run file
Botinfo	Sends botinfo
p2p	Starts p2p spread, Copy itself into following location- \Program Files\LimeWire\Shared \Program Files\eDonkey2000\incoming \Program Files\KAZAA \Program Files\Morpheus\My Shared Folder\ \Program Files\BearShare\Shared\ \Program Files\ICQ\Shared Files\ \Program Files\Grokster\My Grokster\ \My Downloads\
commands	Sends following list of commands commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
rarworm	Scan for .rar files and copy itself into .rar archives with name as ?self-installer.exe?
disconnect	Disconnect itself
b0tk1ller (off)	Starts a thread that scans for the running processes and terminate the process if process name matched with hardcoded process names. If parameter off is provided it stops the bot killer thread.
reconnect	Reconnects to the same server
reconnect.next	Same as reconnect since there is only one ip hardcoded in the bot.
nick (nickname)	Sets nick name if nickname not provided that generates random nickname
restart	Restarts itself
vncstop	Stop VNC scanning threads.
join (channel_name)	Join mentioned channel
xpl	Starts vnc and ftp scanning threads.