ZLULBOT
Aliases: Lukicsel, MSIL.IrcBot, Sdbot, Zombie, MSIL
Platform: Windows 2000, Windows XP, Windows Server 2003

Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
ZLULBOT, also known as ZOMBIE, is a bot client used to conduct distributed denial of service (DDoS) attacks against several Brazil-based websites in 2011. It joins a specific Internet Relay Chat (IRC) server where it receives a set of commands to perform on affected computers.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs
Installation
This backdoor drops the following copies of itself into the affected system:
- %System%\svchosta.exe
- %System%\svchoste.exe
- %System%\svchosth.exe
- %System%\svchostzx.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
svchostn.exe = ""%System%\{malware file name}" start4dalife"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
svchostn.exe = ""%System%\{malware name}" start4alife"
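The dropped file names and the Run-key entry described in the Installation and Autostart Technique sections are host-based indicators a responder can check for directly. The script below is an added example, not part of this write-up and not a Trend Micro tool: it parses a constructed .reg-style export of the HKCU Run key and a constructed directory listing of %System% (both sample inputs are made up for the example) and flags values or files that match the indicators quoted above. The matching rules (value name svchostn.exe, a start4dalife/start4alife argument, or an image named like one of the dropped copies) are taken from this page; the parsing helpers and sample data are assumptions of the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted from the ZLULBOT description on this page.
DROPPED_FILE_NAMES = {"svchosta.exe", "svchoste.exe", "svchosth.exe", "svchostzx.exe"}
RUN_VALUE_NAME = "svchostn.exe"
RUN_ARGUMENTS = {"start4dalife", "start4alife"}

# Constructed sample input (not a real capture): a .reg export of the HKCU Run key
# holding one benign value and one value shaped like the autostart entry above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchostn.exe"="\"C:\\Windows\\System32\\svchosta.exe\" start4dalife"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Constructed sample input: a directory listing of %System%. svchost.exe is the
# legitimate Windows service host and must not be flagged.
SAMPLE_SYSTEM_LISTING = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svchosta.exe",
    r"C:\Windows\System32\svchostzx.exe",
    r"C:\Windows\System32\kernel32.dll",
]

# One "name"="data" line of a .reg export; backslash escapes the next character.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    # Undo .reg string escaping: a backslash escapes the character after it.
    return re.sub(r"\\(.)", r"\1", text)


def _image_basename(command: str) -> str:
    # Pull the executable out of a Run value such as "C:\...\svchosta.exe" start4dalife.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        image = command[1:end] if end != -1 else command[1:]
    else:
        image = command.split(" ", 1)[0]
    return image.rsplit("\\", 1)[-1].lower()


def find_run_persistence(reg_export: str) -> List[Dict[str, str]]:
    """Return Run-key values that match the ZLULBOT autostart entry."""
    hits: List[Dict[str, str]] = []
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        # Only values under a ...\CurrentVersion\Run key are of interest here.
        if not current_key.lower().endswith(r"\currentversion\run"):
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name")
        if _image_basename(data) in DROPPED_FILE_NAMES:
            reasons.append("dropped file name")
        if RUN_ARGUMENTS & set(data.lower().split()):
            reasons.append("start4*life argument")
        if reasons:
            hits.append({"key": current_key, "name": name, "data": data,
                         "reason": ", ".join(reasons)})
    return hits


def find_dropped_files(paths: Iterable[str]) -> List[str]:
    """Return paths whose file name is one of the dropped copies listed above."""
    return sorted(p for p in paths
                  if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILE_NAMES)


if __name__ == "__main__":
    for hit in find_run_persistence(SAMPLE_REG_EXPORT):
        print(f"[run key] {hit['name']} = {hit['data']}  ({hit['reason']})")
    for path in find_dropped_files(SAMPLE_SYSTEM_LISTING):
        print(f"[file] {path}")
```

On a live host the same two functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a listing of the system folder; the file-name check deliberately excludes the legitimate svchost.exe, which differs from the dropped names only by the appended letters.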
Other Details
This backdoor connects to the following possibly malicious URLs:
- irc.{BLOCKED}ps.li
- irc.{BLOCKED}nime.net