
Phatbot

Close to one million Windows PCs are known to be infected.



Phatbot is only the latest in a series of professional exploits against Microsoft Windows. It will hardly be the last. Security experts agreed that the year 2003 was the worst yet, and two months into 2004 the outlook is even worse.

Amongst other things, Phatbot can do the following:

  • Polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
  • Check to see if it is allowed to send mail to AOL, for spamming purposes
  • Steal Windows product keys
  • Run an IDENT server on demand
  • Start an FTP server to deliver the trojan binary to exploited hosts - the FTP session ends with the message '221 Goodbye, have a good infection :).'
  • Run a SOCKS, HTTP, or HTTPS proxy on demand
  • Start a redirection service for GRE or TCP protocols
  • Scan for and use the following exploits to spread itself to new victims:
    • DCOM
    • DCOM2
    • MyDoom backdoor
    • DameWare
    • Locator Service
    • Shares with weak passwords
    • WebDAV
    • WKS - Windows Workstation Service
  • Kill instances of MSBlast, Welchia, and Sobig.F
  • Sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
  • Sniff FTP network traffic for usernames and passwords
  • Sniff HTTP network traffic for PayPal cookies
  • Maintain a list of nearly 600 processes to kill if found on an infected system - some are antivirus software, others are competing viruses/trojans
  • Test the bandwidth by posting large amounts of data to the following websites:
    • www.st.lib.keio.ac.jp
    • www.lib.nthu.edu.tw
    • www.stanford.edu
    • www.xo.net
    • www.utwente.nl
    • www.schlund.net
  • Steal AOL account logins and passwords
  • Steal CD Keys for several popular games
  • Harvest email addresses from the web for spam purposes
  • Harvest email addresses from the local system for spam purposes

Close to one million Windows PCs are known to be infected with Phatbot.
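
Two of the behaviours listed above leave distinctive network traces: the FTP sign-off message and large POSTs to the listed bandwidth-test sites. The Python below is an added example, not part of the original page, that flags both in constructed log lines; the log format, the 1,000,000-byte threshold and the 192.0.2.x addresses are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the capability list above.
FTP_SIGNOFF = "221 Goodbye, have a good infection :)."
BANDWIDTH_TEST_HOSTS = {
    "www.st.lib.keio.ac.jp", "www.lib.nthu.edu.tw", "www.stanford.edu",
    "www.xo.net", "www.utwente.nl", "www.schlund.net",
}
# Assumption: POST bodies at or above this size count as "large"; tune per site.
LARGE_POST_BYTES = 1_000_000

# Assumed (constructed) log formats, one event per line:
#   ftp  <time> <server_ip> <client_ip> <reply text>
#   http <time> <client_ip> <method> <host> <request_bytes>
FTP_RE = re.compile(r"^ftp\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
HTTP_RE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def scan(lines):
    """Return {ip: sorted list of reasons} for hosts matching the indicators."""
    hits = defaultdict(set)
    for line in lines:
        line = line.strip()
        if m := FTP_RE.match(line):
            _, server, client, reply = m.groups()
            if reply.strip() == FTP_SIGNOFF:
                # The FTP server is the infected host delivering the binary;
                # the client is the host that was just exploited.
                hits[server].add("ftp-signoff-server")
                hits[client].add("ftp-signoff-client")
        elif m := HTTP_RE.match(line):
            _, client, method, host, size = m.groups()
            if (method.upper() == "POST" and host.lower() in BANDWIDTH_TEST_HOSTS
                    and int(size) >= LARGE_POST_BYTES):
                hits[client].add("bandwidth-test-post")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample events (documentation-range addresses, not real data).
SAMPLE = [
    "ftp 2004-03-18T10:02:11 192.0.2.10 192.0.2.44 221 Goodbye, have a good infection :).",
    "ftp 2004-03-18T10:05:00 192.0.2.20 192.0.2.44 221 Goodbye.",
    "http 2004-03-18T10:06:30 192.0.2.10 POST www.utwente.nl 4194304",
    "http 2004-03-18T10:07:02 192.0.2.31 GET www.stanford.edu 412",
    "http 2004-03-18T10:07:40 192.0.2.31 POST www.stanford.edu 900",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Ordinary traffic to the listed sites (small requests, GETs) is not flagged; only the sign-off string or a large POST to one of them is.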

Copyright © Radsoft. All rights reserved.