[Tutorial] GtBots


Post by MartYanu2 »


GTBOTS are a kind of infection which you can get by either running a malicious file sent to you by an infected user on IRC, or by downloading a file from an infected website. They are mIRC-based infections which send many connections to IRC servers. There are many types of GTBOTS, and in this tutorial, I am going to explain many things about them.

How GTBOTS work in General and how they affect you

Once you get infected with a GTbot, the malicious file writes itself in the registry to be run automatically on system boot. In other words, the malicious file is run every time you start your computer.

As mentioned above, it's an mIRC-based infection. In other words, the file that starts on your computer is a hexed (changed) mIRC client. Many times the creator of the malicious file changes the software (mIRC) so that it's smaller in size and uses the smallest amount of resources, so that you can't notice. Furthermore, using some other software, they manage to hide the program from showing that it's running. The only way you can find out that the program is running is by checking the list of processes running on your computer. However, the process may have any name, which makes it difficult to detect.
Note: 98% of GTBOTs are installed in the windows directory.

When the file is run from your computer, it automatically begins to send IRC connections to the internet. This will dramatically decrease your bandwidth (upload and download speed).

Once connected to an IRC server, they join a secret channel, where the Abuser (Drone Runner) will use the connections sent from your computer for many malicious tasks. The runner may then execute many kinds of commands on your system. This may result in your computer getting infected by other kinds of adware or Trojans. Many times the Abuser uses your computer, as well as many others, in order to attack specific targets. That may be a DDoS attack, or any other way the abuser wishes for.

How to see if I am infected.

A good way to see if you're infected is to see the connections sent from your computer on the internet. Firstly, close any programs that may use the internet (except your browser of course; how else would you continue reading?), in order for the task to be easier for you.

For WinXP users:
Go to Start, Run, and type this:
A black window should have appeared in front of you. In that black window, then type:
Netstat -an(b)
The b parameter is set in brackets, which means you only type it if you want. If you do, it will also list the program involved in opening the connections shown. I suggest that you do so, so that you know which programs create connections to the internet from your machine. So, just type: netstat -anb

For Win9x users:
Go to Start, Run, and type this:
A black window should have appeared in front of you. In that black window, then type:
netstat -an

You can now see the connections your machine has established, or is trying to establish, on the internet. In this way you can see if you have some connections pointing to some IRC server.

Another way of checking if you're infected by a GTBOT is to search the Windows directory (C:\windows\ by default) for an "mirc.ini" file. That file is the file in which mIRC stores its settings. Most Abusers don't change that name (99% of them actually).

You can find it through mIRC using the following command:

//!say $findfile(c:,mirc.ini,0,msg $me $1-)
NOTE: You must be in a channel.

If you do find one, copy the location and open it with notepad, and search for a line:
Below that line, there are the files that are loaded as scripts in mIRC. For example:
something.ext etc

Locate those files, first back them up, just in case you remove something needed by the Operating System, and then remove them. I suggest that you check the files that you find with Google, for any information proving that they are needed.

You may then proceed to check your registry for any malicious startup entries. You can either go from regedit, to:

You can see the registry entries through mIRC too, by typing the following commands:
For XP users - //!run regedit /a c:\regfix.reg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

For NT users - //!run regedit /e c:\regfix.reg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

After that, you can simply do //!run notepad C:\regfix.reg

After opening, you might see in the .reg file the following lines:

"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

If you see something like this and an entry looks suspicious, you can either Google for it, or use the Jotti scanner.
The Jotti scanner can be found at http://virusscan.jotti.org/ (When the page loads up, just copy/paste the file location in that form and click on the submit button.)

If you decide that you don't want a file to be run automatically on your computer, then just edit the file as follows:
For example, I want to remove "SystemProcess"="C:\windows\java\inf\loader.exe"
I will change the file to:


That's all for now.
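The netstat check described in the post above, as an added example that is not part of the original post: it reads saved `netstat -an` or `netstat -anb` output and lists outbound connections to IRC ports, together with the owning program when `-b` printed one. The port list is an assumption (the post names no ports), and the sample output, addresses and program names are constructed.

```python
import re

# Assumption: ports conventionally used by IRC servers; the post names none.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample in the layout of `netstat -anb` (documentation address ranges).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  [svchost.exe]

  TCP    192.0.2.10:1041        198.51.100.7:80        ESTABLISHED     1500
  [firefox.exe]

  TCP    192.0.2.10:1042        203.0.113.5:6667       ESTABLISHED     1788
  [sysload.exe]

  TCP    192.0.2.10:1043        203.0.113.9:6667       SYN_SENT        1788
  [sysload.exe]
"""

ROW = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\d+))?\s*$')
OWNER = re.compile(r'^\s*\[(.+)\]\s*$')

def irc_connections(netstat_text, ports=IRC_PORTS):
    """Return outbound TCP rows whose remote port is in `ports`, with owner if shown."""
    hits, last = [], None
    for line in netstat_text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            last = None
            _, _, raddr, rport, state, pid = row.groups()
            if state in ('ESTABLISHED', 'SYN_SENT') and int(rport) in ports:
                last = {'remote': raddr + ':' + rport, 'state': state,
                        'pid': pid, 'program': None}
                hits.append(last)
        elif owner and last is not None:
            last['program'] = owner.group(1)  # -b prints the owner after its row
            last = None
    return hits

if __name__ == '__main__':
    for hit in irc_connections(SAMPLE):
        print(hit)
```

A bot can be pointed at any port, so an empty result does not clear the machine; pass a wider `ports` set when an unfamiliar program holds a long-lived outbound connection.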
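A way to triage the exported Run key (c:\regfix.reg) from the post above, as an added example that is not part of the original post: it undoes the .reg escaping, extracts the program path from each entry and marks the ones that live under the Windows directory, following the post's note about where GTBOTs are usually installed. The sample export is constructed from the entries quoted in the post; the function names and the default Windows directory are assumptions.

```python
import ntpath
import re

# Constructed sample of an exported Run key, using the entries quoted in the post.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SystemProcess"="C:\\windows\\java\\inf\\loader.exe"
'''

# "name"="value" lines; both sides may contain backslash-escaped characters.
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def executable_of(command):
    """Return the program path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Bare path: cut after the first executable-looking extension
    m = re.match(r'(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command)
    return m.group(1) if m else command.split(' ', 1)[0]

def triage_run_key(reg_text, windows_dir=r'C:\windows'):
    """List (name, exe, in_windows_dir) for every string value in the export."""
    root = ntpath.normcase(ntpath.normpath(windows_dir)) + '\\'
    rows = []
    for line in reg_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, key name, blank line or non-string value
        name, command = unescape(m.group(1)), unescape(m.group(2))
        exe = ntpath.normpath(executable_of(command))
        rows.append((name, exe, ntpath.normcase(exe).startswith(root)))
    return rows

if __name__ == '__main__':
    for name, exe, flagged in triage_run_key(SAMPLE_REG):
        print(('CHECK ' if flagged else 'ok    ') + name + ' -> ' + exe)
```

A marked entry is only a candidate for the look-up and scan steps the post describes, since legitimate programs also start from the Windows directory.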


Post by cArLiLLoS »

Hi, I've just changed the subject of your post as it appeared misleading.