Stalking the Fanbot

Brief History

During the first quarter of 2005, the advent of the family of mass-mailing bot-worms called MYTOBs gave rise to the vast proliferation of so-called BOT creators or groups that thrive on and make use of the modularity, functionality and “effectiveness” of the open-source codes. I will refer to the MYTOB open source as “Hellbot” since this underground entity has been tagged as one of the most prolific in the MYTOB scene.

Barely 7 months after, one Moroccan worm writer from the MYTOB scene that goes by the handle of Diabl0, along with a Turkish partner code-named Coder, eventually rose up from the ranks and released the ZOTOB variants and they came with a blast! Incorporating a modified MYTOB code tagged as HellBot3 and an exploit code that targets the MS05-039 Vulnerability barely 3 days after the patch release, the blast eventually became an Outbreak! Even though the first two variants did not have the code for mass-mailing, it is quite evident that the MYTOB or MYDOOM code was there, and it wouldn”t be long before a mass-mailing ZOTOB appeared and it did!

Other “upgraded” BOTs (IRCBOTs, SDBOTs, BOZORIs) with the same exploit soon multiplied with the intent of outdoing each other in the BOTNET arena setting war to grab hold of each other”s zombie-network for their own malicious ends. The war soon petered out, and the original ZOTOB worms died down eventually when Diabl0 and Coder eventually got arrested barely two weeks after. Copycat ZOTOBs still appeared though, but it should be of course obvious that some other script-kiddie groups were and are still the ones responsible, what with the HellBot, HellBot3, source codes out in the open for them to cut-and-paste, modify, compile, re-compile, pack and/or compress using new and out-of-the-way unconventional file-packers and compressors or encryptors

Come September, a HellBot-group splinter script-kiddie known in the Chinese cyber-underground community as x140yu, along with the help of another kiddie known as x140d4n, has been developing a modified version of the MYTOB modules. By the first week of October, the project was then released in the wild. Its name FANBOT!

FANBOT vs MYTOB

For those asking what the differences FANBOT has over MYTOB and if it does have the same robust spreading potential, shown below are some information that may somehow shed some light …

Yes .. this IS exactly what it is… a MYTOB plus a PNP (MS05-039) exploit code PLUS some other factors which make it different (at one point or another):

1) Incorporation of a fake message box upon execution of the worm such as this:




2) Propagation via P2P (Peer-to-Peer) or file-sharing networks such as Kazaa, eDonkey and Morpheus using filenames targeting a diverse audience also including would-be virus analysts and writers alike using names such as:



  • Bifrost.scr
  • How to hack new.doc.exe
  • how to hack.doc.exe
  • netsky source code.scr
  • Smashing the stack full.rtf.exe
  • virii.scr
  • Visual Studio Net Crack all.exe
  • Win Longhorn re.exe
  • Win Longhorn.doc.exe
  • Windows 2000 Sourcecode.doc.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe

3) This FANBOT family is not the brainchild of any of the conventional MYTOB groups, nor of course of the ZOTOB creator (since he is behind bars already) – but the creation of an altogether different individual (presumably) that goes by the handle of x140yu with an email address of x140yu@Gmail.Com. He even specifically “points out” in some of his creations that he created this new line out of MYDOOM+SDBOT and explicitly lets out that the MYTOB “author is an idiot!!!” (see text found in the worm code below) and kills processes related to MYTOB such as hellmsn.scr and msnmsgs.exe, those related to BOZORI such as botzor.exe, and other bots such as coolbot.exe.


[Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.
HellBot3 have BackDoor in ‘HellMsn.h’. The HellBot3 author is an idiot!!!
MSG to Kaspersky&Norton: can u make it difficulty next time!!! stupid. dont call me Fanbot,i am [Phantom]!!! SHIT!!!
Play with The best, Die like the rest.

4) One particularly unique thing about this worm family is that it is the first to also target the Trend Micro System Cleaner by killing off any running processes of TSC.EXE.

5) Also unique among the mass-mailing bot domain, some later members of the FANBOT family now banks on the popularity of Skype as can be seen by most of the attachments the family sends out (example: Share Skype, Skype, Skype for Windows 1.4, Skype-details, Skype-document or Skype-stuffs). Email characteristics of this type include:

Subject:(Any of the following)


  • Share Skype

  • Share Skype.

  • Skype

  • Skype for Windows 1.4

  • Skype for Windows 1.4 – Have you got the new Skype?

  • Skype-details

  • Skype-document

  • Skype-info

  • Skype-stuffs

  • What is Skype?

Message Body


Dear user {name of recipient},

Skype is a little piece of software that lets you talk
over the Internet to anyone, anywhere for free.
download the latest version of Skype:
And it just got even better Our call quality is the best ever for talking, laughing and sharing stories.
You can forward calls on to mobiles, landlines
and other Skype Names. Make calls instantly from Outlook email or
Internet Explorer with our new toolbars. play around with sounds, ringtones and pictures to show the world who you are.
Personalise your Skype For further details see the attached document.

(c) 2002-2005 by Skype Technologies S.A.
Legal information

This message contains graphics. If you do not see the graphics,
click here to view.

Attachment:(any of the following file names)


  • readme

  • Share Skype

  • Skype

  • Skype for Windows 1.4

  • Skype-details

  • Skype-document

  • Skype-info

  • Skype-stuffs


(with any of the following first extension names)


  • BAT

  • CMD

  • EXE

  • PIF

  • SCR

  • ZIP

6) FANBOT continually updates its creations by having his newer versions KILL OFF his older ones found in any target systems (like deleting phantom.exe, xiaoyu.exe, etc.)

7) Via port 5262, the IRC server jojogirl.3322.org is also being connected to by the worm family.

8) Interestingly, the worm family also attempts to connect to 28.76.115.50 which is connected to the DoD!

Introducing the worm author

Looking at the text found in the worm body shown below, it can be seen this x140yu also has a “friend” that goes by the nickname of x140d4n – from whom I gather x140yu got some of his code modules or techniques. (The entity x140d4n has got a site LOADED with backdoors and Trojans and I am digging deeper in this site as I speak!)… x140yu probably got some backdoor techniques and code modules from this x140d4n.


Play with the best, Die like the rest.
[Phantom] 2005 made by Evil[xiaou]. Special Thanks:x140d4n.
If u have Zotob’s SourceCode, please u mail it to me!!!
E-mail:x140yu@Gmail.Com thanks!!!

And yes, as I”ve mentioned earlier, the author was still struggling just last September on perfecting his creations(s), and maybe x140d4n came to his “rescue”, ergo the Special Thanks. Seen below is one example of evidence traced regarding x140yu’s early days of bot-coding struggle … x140yu WAS asking for source codes! Tsk tsk …




You can also catch him (x140yu) here:

QQ: 75…71
ICQ: 30…78
MSN: x…@…com
E-mail: x…@…com
Gmail: x…@…com

*** Email us if you need the exact contact emails and we’ll send them over _IF_ the reason _IS_ for valid and legitimate purposes _ONLY_.

x140yu also has a blogsite, as shown below. The author really has something for alphanumeric text strings!




Further cursory glance at the site reveals some more interesting things.




Hmmm .. Aha!… A BotNet?!?! The link is empty though, and milworm! Ahhh yes … this is the site (milworm) where some of the more famous exploit codes that caused outbreaks in the past have been posted. Exploit codes such as used by SASSER and ZOTOB are posted here. And from one of the strings found in FANBOT”s code found above, this is one proof the author really wants to grab any code related to ZOTOB!

What”s more, we”ve also got a snapshot of x140yu taken from the worm author”s blogsite titled “x140yu”s Photo”.


Apparently, x140yu alone or both x140yu and x140d4n are members of or in cahoots with the Brazilian-Persian “Evil Security Team” hacker group in spreading this worm, as can be seen in the mutex it creates:



___—>>[E-v-i-l_S-e-c-u-r-i-t-y_T-e-a-m]<<<—___


Their site is located at 210.1183 and is located at Korea. It is maintained by someone called “M3hDy EviL b0y”.




What Next?

All in all, my take on this is that this is just one of those more-than-average kiddies who’s gotten the opportunity to an open HellBot, some MYDOOM and some MS05-039 exploit source codes, added his own modifications and who’s got probably some word-war with some of the MYTOB groups in the underground – and voila – a new worm!

Moreover, this is just another example of the growing intent of bot creators of infiltrating and amassing more and more zombie networks either by affecting new targets or by competing against other worm-bot authors and take hold of the zombie networks for their own purposes.

Same old same old… but like all kiddie-works, this may have some high moments (like now and probably in the next two months or so) until it just peters out eventually, or when the kiddie(s) move on to a next “pet-project” or when authorities do get a hold of them… or him… or her!… ;-p

If we should do something to stop or prevent even a starting rampage of a new worm author”s creations, we should stop it, him or her or them before they increase in the near future. The information above is a starting point, and we can… and should stop it now …