Viewer-Made Malware 6 – Bolbi (Win32)

Hello everyone, today we are looking at the “Bolbi” Windows trojan. This is a trojan written in Visual Basic Script. So it’s a… pretty generic script, however the destruction is pretty thorough, especially for Windows 7, if you have admin privileges, so it’s pretty interesting to take a look at. This was written and submitted by “MrDinkle”, so thank you for sending this one in. If you’re interested in submitting your own files for a possible feature in one of these types of videos, please see the links and instructions in the description.

Now we’re just going to go ahead and run this trojan. And we get a message box, “WE SLAP EVERYDAY! slap slap clap clap” and a text file on the desktop that says the same thing. We also see that a folder called “ghostroot” has been created, and the trojan begins downloading some files, and, in just a bit, it should restart explorer.exe. There we go. And… right away we can see some things have changed. Instead of “5:46 AM”, it is now “5:46 Bolbi”. So uh, yeah. An interesting new time scheme. Similarly, all modified dates, and pretty much all time keeping on the system, is now measured in “Bolbi” time units. If we go ahead and look at that folder again, we should see more stuff downloaded- there we go. So, now we got an important message: “Your PC is going to become toast!” That sounds kind of dire.

Now, we try to run Internet Explorer… and it’s not allowed. …and deleted. So… we’ll go ahead and remove that link. I believe- yeah, same thing happens if you try to run the explorer shell. Go ahead and remove THAT link, too… …and let’s see… so we have… “ayylmao.vbs”. We can’t edit it, since it’s blocking pretty much all executables from running. We can see that it changed the Windows directory to be hidden. And, uh, we can tell that this “rpdbfk.exe” file has started to replace stuff in the Windows directory. At least, by the icon, we can tell that.

And, if we look in the System32 folder… pretty much everything in here has been overwritten, everything it can access is overwritten. We can see, they’re all 37 “Kilobyte” files. If we look at this… It is 37 KB. So it’s pretty much overwriting everything it can find in the System32 directory, which is… bad. It’s kind of odd, sometimes when I run this trojan, we get a desktop full of VBS scripts, kinda reminiscent of Maldal, if you remember that video. And other times, it doesn’t work. And sometimes, it blocks access to, like, accessing the C: drive. And then… other times it doesn’t. So it’s kind of hit or miss depending on what kind of things this trojan is going to do, and I can’t really figure out why.

Where are my drives? This is like, the third time I’ve run this trojan and every time it does something slightly different… I can’t seem to navigate anywhere… Where are the drives? This isn’t what it did when I… tried to–okay, “Accessing ‘C:’ has been disallowed”, alright. That’s kinda bad.

…but we’re going to go ahead and try to restart here. It… takes a little bit to restart. One more thing to note while we wait for this computer to actually shut down, is that the [computer] name has been changed to “Bolbi”. And, uh, right clicking seems to be broken on the, uh, desktop. [hardcore right-clicking action] And all of our programs are missing… Pretty much everything is broken. Even if it wasn’t broken, you can’t access the program, so… …you know, what good is a computer if you can’t do anything on it, right? (right!)

Alright, we’re going to go ahead and force restart. And we’ll see… …that this computer is pretty much screwed. So, instead of booting straight into Windows… ..we get a different bootup sequence. More reminiscent of Windows Vista. I guess this is the recovery console bootup. But, yeah, everything’s pretty screwed up on your computer. (That’s not good at all!) So Startup Repair has run, however, it doesn’t do anything. ‘Cause I mean, the system is completely screwed. So we’re going to go ahead and let it restart. We’re going to try booting into Safe Mode. However, on pretty much the 2nd file it tries to load, it just loops back into the, uh, System Restore bootup. So… pretty much at this point, you’re going to need to reinstall Windows, I mean, everything’s been overwritten. You could probably salvage your dat-salvage your data, I don’t believe it touches most of the files on the machine other than the stuff in the Windows directory.

So, thank you “MrDinkle” for submitting this, once again, if you’d like to see your own… …Malware, trojan, virus, whatever you feel like writing possibly featured in a video… Please check out the links in the description, and check out my forums, which is where I handle all the submissions and stuff… ( ͡° ͜ʖ ͡°) Thank you for watching, see you next time.
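The video shows two symptoms that are easy to check for from a recovery environment or an offline copy of the disk: a System32 directory where almost every file has been overwritten to the same size (37 KB in the video), and system strings such as the AM/PM designator and the computer name replaced with “Bolbi”. The following is an added triage example written for this post, not code from the video, from the trojan, or from its author. It assumes you mount or copy the affected directory somewhere readable and that you read the setting values yourself (the `s1159`/`s2359` names are the standard Windows registry value names for the AM/PM designators and are used here only as example keys; the video does not say how Bolbi changed them). The 80% threshold and the sample directory are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Assumed threshold: if at least this fraction of regular files in a system
# directory share one exact byte size, treat it as a mass-overwrite indicator
# (the video shows System32 full of identical 37 KB files). Not from the video.
UNIFORM_SIZE_FRACTION = 0.8


def uniform_size_indicator(directory, fraction=UNIFORM_SIZE_FRACTION):
    """Return (flagged, dominant_size, share) for the regular files in `directory`.

    `share` is the fraction of files whose size equals the most common size;
    `flagged` is True when that share reaches `fraction`.
    """
    sizes = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                sizes.append(entry.stat(follow_symlinks=False).st_size)
    if not sizes:
        return (False, None, 0.0)
    size, count = Counter(sizes).most_common(1)[0]
    share = count / len(sizes)
    return (share >= fraction, size, share)


def tampered_settings(settings, marker="Bolbi"):
    """Given a mapping of setting name -> value read from the system (AM/PM
    designators, computer name, ...), return the names whose value contains
    the marker string the video shows replacing them."""
    return sorted(name for name, value in settings.items() if marker in str(value))


def build_sample_dir():
    """Construct a scratch directory imitating the overwritten System32 from the
    video: many files of one identical size plus a few untouched survivors.
    This is constructed sample data, not files from an infected machine."""
    sample = tempfile.mkdtemp(prefix="bolbi_sample_")
    for i in range(20):
        with open(os.path.join(sample, f"overwritten{i}.dll"), "wb") as f:
            f.write(b"\x00" * (37 * 1024))
    for i, size in enumerate((1200, 48000, 9000)):
        with open(os.path.join(sample, f"survivor{i}.exe"), "wb") as f:
            f.write(b"\x00" * size)
    return sample


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    flagged, size, share = uniform_size_indicator(sample_dir)
    print(f"mass-overwrite indicator: flagged={flagged} size={size} share={share:.2f}")
    # Constructed values standing in for what you would read from the registry.
    observed = {"s1159": "Bolbi", "s2359": "Bolbi",
                "ComputerName": "Bolbi", "sShortDate": "M/d/yyyy"}
    print("settings carrying the marker:", tampered_settings(observed))
```

Point `uniform_size_indicator` at the real directory (for example a mounted `Windows\System32` from the affected disk) once you have booted from clean media; a high share of one file size is a strong hint that the directory needs to be restored from install media rather than repaired in place, which matches the video's conclusion that the machine needs a reinstall while user data outside the Windows directory is likely intact.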


