Threat Encyclopedia

Short description
Win32/Botgor.B is a prepending virus. The virus is designed to artificially generate traffic to certain Internet sites.
Installation
When executed, the virus copies itself into the following location:
  • %windir%\system\bot1.exe
In order to be executed on every system start, the virus sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%system%\userinit.exe,%windir%\system\bot1.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\BN1]
    "G" = "%variable1%"
    "AN" = "%variable2%"
    "UA" = "%variable3%"
    "UA_" = "%variable4%"
A string with variable content is used instead of %variable1-4%.
Executable files infection
Win32/Botgor.B is a prepending virus: its own code is placed in front of the original host file.
The virus searches for executables with one of the following extensions:
  • .exe
It infects files stored in the following folders:
  • %program files%
It infects the following files:
  • %windir%\system32\cleanmgr.exe
  • %windir%\system32\dxdiag.exe
  • %windir%\system32\msconfig.exe
  • %windir%\system32\regedit.exe
  • %windir%\system32\sol.exe
The original host executable can be reconstructed when an infected file is run.
Other information
The virus receives data and commands from a remote computer or the Internet.

The virus is designed to artificially generate traffic to certain Internet sites.

The virus sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.

The virus may display the following messages:


The virus tries to download a file from the Internet. The file is stored in the following folder:
  • %windir%
using the following name:
  • bot1_update.exe
The virus may create copies of the following files (source, destination):
  • %windir%\bot1_update.exe, %windir%\system\bot1.exe
The virus contains a list of 3 URLs.

The following information is collected:
  • malware version
  • default Internet browser
The virus can send the information to a remote machine. The HTTP protocol is used.
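The following PowerShell audit is an added example, not part of the ESET entry: it checks the Winlogon Userinit persistence, the BN1 key, the dropped files and the Authenticode status of the system files listed above. It assumes an elevated session on the affected machine and that $env:SystemRoot corresponds to %windir% (and %system% to %windir%\system32).

```powershell
function Get-UnexpectedUserinitEntry {
    param([string]$Value)
    # Windows normally sets Userinit to "<system32>\userinit.exe," (trailing comma included).
    # Every other comma-separated entry is launched at logon, which is how Botgor.B persists.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne $expected }   # -ne is case-insensitive in PowerShell
}

# 1. Live Userinit value from the Winlogon key named in the Installation section
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live  = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$extra = Get-UnexpectedUserinitEntry -Value $live
if ($extra) { Write-Warning "Unexpected Userinit entries: $($extra -join '; ')" }
else        { Write-Host    "Userinit is the stock value: $live" }

# Constructed sample value matching the entry's description; shows what a hit looks like
Get-UnexpectedUserinitEntry -Value "$env:SystemRoot\system32\userinit.exe,$env:SystemRoot\system\bot1.exe"

# 2. Registry key and dropped files the entry lists as artefacts of Win32/Botgor.B
$indicators = @(
    'HKLM:\SOFTWARE\BN1',
    (Join-Path $env:SystemRoot 'system\bot1.exe'),
    (Join-Path $env:SystemRoot 'bot1_update.exe')
)
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) { Write-Warning "Indicator present: $path" }
}

# 3. A prepended host no longer matches its signature. Report any of the named
#    system32 files that exist but do not verify as Valid (catalog or embedded signature).
$hosts = 'cleanmgr.exe', 'dxdiag.exe', 'msconfig.exe', 'regedit.exe', 'sol.exe'
foreach ($name in $hosts) {
    $file = Join-Path $env:SystemRoot "system32\$name"
    if (-not (Test-Path -LiteralPath $file)) { continue }   # e.g. sol.exe is absent on newer Windows
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { Write-Warning "$file signature status: $($sig.Status)" }
}
```

A signature status other than Valid on a present system file is a reason to compare the file against a known-good copy, not proof of infection by itself.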