Table 8.1 (continued)
| COMMAND | DESCRIPTION | ARGUMENTS |
|---|---|---|
| !info | Displays some generic information regarding the infected host, including its name, IP address, CPU model and speed, currently logged on username, and so on. | |
| !?quit | Closes the backdoor process without uninstalling the program. It will be started again the next time the system boots. | |
| !?disconnect | Causes the program to disconnect from the IRC server and wait for the specified number of minutes before attempting to reconnect. | Number of minutes to wait before attempting reconnection. |
| !execute | Executes a local binary. The program is launched in a hidden mode to keep the end user out of the loop. | Full path to executable file. |
| !delete | Deletes a file from the infected host. The program responds with a message notifying the attacker whether or not the operation was successful. | Full path to file being deleted. |
| !webfind64 | Instructs the infected host to download a file from a remote server (using a specified protocol such as http://, ftp://, and so on). | URL of file being downloaded and local file name that will receive the downloaded file. |
| !killprocess, !listprocesses | The strings for these two commands appear in the executable, and there is a function (at 0040239A) that appears to implement both commands, but it is unreachable. A future feature perhaps? | |
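The command set in Table 8.1 is exactly the kind of artifact a defender turns into a detection: any IRC channel message that starts with one of these strings, with arguments of the listed shape, is a strong sign of the backdoor being driven. The following is an added example, not from the book or the sample binary; it assumes IRC traffic in the standard `PRIVMSG` line form and uses constructed log lines.

```python
import re

# Command strings and argument counts as listed in Table 8.1; None marks the two
# commands whose strings exist in the binary but whose handler is unreachable.
BACKDOOR_COMMANDS = {
    "!info": 0, "!?quit": 0,
    "!?disconnect": 1,    # minutes to wait before reconnecting
    "!execute": 1,        # full path to executable
    "!delete": 1,         # full path to file to delete
    "!webfind64": 2,      # URL and local file name
    "!killprocess": None, "!listprocesses": None,
}

# Standard IRC PRIVMSG line, e.g. ":op!u@host PRIVMSG #chan :!execute C:\x.exe"
PRIVMSG_RE = re.compile(r"^:(?P<sender>[^\s!]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

def scan_irc_line(line):
    """Return a hit dict when a PRIVMSG carries a Table 8.1 command, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("text").split()
    if not parts or parts[0].lower() not in BACKDOOR_COMMANDS:
        return None
    cmd, args = parts[0].lower(), parts[1:]
    expected = BACKDOOR_COMMANDS[cmd]
    if expected is None:
        note = "string present in binary, handler unreachable"
    elif len(args) < expected:
        note = f"malformed: expected {expected} argument(s), got {len(args)}"
    elif cmd == "!?disconnect" and not args[0].isdigit():
        note = "malformed: minutes argument is not an integer"
    else:
        note = "well-formed"
    return {"sender": m.group("sender"), "target": m.group("target"),
            "command": cmd, "args": args, "note": note}

def scan_log(lines):
    # Scan an iterable of IRC log lines and return all hits in order.
    return [h for h in map(scan_irc_line, lines) if h]

# Constructed sample lines (not a real capture) exercising each case.
SAMPLE_LOG = [
    r":op!u@h PRIVMSG #c :!execute C:\WINDOWS\Temp\x.exe",
    ":op!u@h PRIVMSG #c :!?disconnect soon",
    ":op!u@h PRIVMSG #c :!webfind64 http://example.invalid/a.exe",
    ":op!u@h PRIVMSG #c :!killprocess 1234",
    ":bob!u@h PRIVMSG #c :hello everyone",
    "PING :irc.example.invalid",
]
```

Running `scan_log(SAMPLE_LOG)` flags the four command lines and leaves ordinary chat and server pings alone; the per-hit note separates well-formed commands from malformed ones and from the two dormant command strings.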
Reversing Malware 305