|
|
|
|
|
This Database is constantly updated. To search this Document Press CTRL+F. Enter files, keywords. If any of your files looks souspicious enter the filename and search this document maybe you are infected with a Trojan. |
* Updated 18-02-99
->added Icq Trojen* Updated 28-02-99
->added more info over GateCrasher
->added Priority Trojan BETA (released 28-02-99)* BIG update 01-03-99
->added DeepBO
->added Gjamer
* update 30-04-99
->Wincrasher Details added
->New Master of Paradise variant
->Control du Socket (older version)
->Added Voodoo
->New Info and Modified Server of the Icq Trojen
->Added Evil Ftp
->Added NetSpy
->Added ShockWave
->Added
->Added NCW* update 05-10-99
->Added Shadow Phyre
->Added Tiny Telnet Server
->Added Kuang
->Added Netpshere
->Added FakeVirii
* update 05-11-99
->Added Satans Back Door
* update 05-12-99
->added Indoctrination
* update 05-19-99
->added JammerKillah12
->added AolTrojan
* update 05-22-99
->added Hack'a'tack
* update 05-23-99
->added The Unexplained
* update 05-28-99
->added Bla
* update 06-02-99
->added Progenic Trojan Beta1
->added Progenic Trojan Beta2
* update 06-08-99
->added Hack'a'ttack1.12 ->added Bla1.1 ->added HVL RAT. 5.3.0 ->added BackConstruction 1.2
* update 06-12-99
->added Kuang (all) ->added Frenzy 1.01 ->Kuang2 The Virus
* update 06-22-99
->added Netsphere Final
->added Schwindler 1.82
* update 06-26-99
->added Subseven 1.9
->added BackConstruction 2.1
->added Vampire
* update 08-06-99
->added Trojan Spirit 2001 a
* update 08-08-99
->added Maverick'ss Matrix
* update 11-08-99
->added Total Eclypse
* update 13-08-99
->added Kuang2 loggerAS
* update 30-08-99
->added Vampire 1.2
->added BoBo 1.0
* update 07-09-99
->added Deep Throat 3.1
* update 08-09-99
->added TrojanSpirit 1.2
* update 10-09-99
->added Eclipse 2000
* update 18-09-99
->added Incommand 1.0
* update 29-09-99
-> added Schoolbus 1.6
-> added Logged!
-> added Brainspy
-> added Xplorer
-> added IRC3
* update 29-09-99
-> added OnlineKeylogger
TOC
Removing Instructions
Usefull Url's
Last Words
* Socket de Troie
The Trojan is actually a virus also, it infects all EXE's on the Harddrive making it nearly impossible to remove w/o using an AV software.
*Netbus 1.6 + 1.7
connect and remove the trojan from the victim.
Netbus 1.7's is NOT breakable so you'll have to let the Victim remove it himself.(See
Removing instructions)
BTW the port in NB 1.7 isn't always the same and can be changed
* Rare version of Netbus 2 pro
->Netbus 2 pro is not as easy to setup as 1.6 or 1.7 was, so someone made an Installation
Programm setting it up autostarting AND running invisible. Runs on specific Port.
1.4 Removing Instructions AND Hints
* Master of Paradise (recognized by AVP) Not the modified
->Does not restart automaticaly.
an NULL icon in the Tray, which means it looks like a space between original
icons and The Time Day, Trojan also spoofs Date and Time options, so it doesn't
look suspicious.
*Original Server Exe is exactly 327.680 bytes.
*Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank Like Boserve.exe)
* Back Orifice (recognized by AVP)
->The Father of all GUI Trojans usually the key is:
-> Standard Value .exe *There is a space before the .exe
2)When used With SilkRope the key is something like
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> 412124.TMP Value=412124.TMP *Wierd numbers with the ending TMP.
* Original Boserve.exe is exactly 124.928 Bytes
With BT Plugin it is something around 193.149 Bytes
Crypted Verion called Infector is 184.832 Bytes
Size may vary due to lot of plugins
Sytemtray Value c:\windows\systray.exe *Can be renamed.
-> Not as easy to remove because it checks if Key in registry exists, if not it adds
it again, so simply removing the Key won't work. --> 3 possibilities
(The original systemtray.exe is in C:\windows\system\systray.exe)
And then simply delete the systray.exe in c:\windows
* Netbus Pro 2 + Beta + Netrex (recognized by AVP exept Netrex)
Control Program. Neitherway there are versions out which run invisible to the User
The standard key is as always. There are 2 Versions out (that I know)
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.
To identify if it's surely NetbusPro which is running
->HKEY_CURRENT_USER\NetBus
->HKEY_CURRENT_USER\NetBus Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
->HKEY_CURRENT_USER\NetBus Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nbsvr.exe has exactly 612.966 Bytes
2) The Version called Netrex
->Someone Disassembled the file and recompiled it
To identify if it's surely NetRex which is running
->HKEY_CURRENT_USER\NetRex
->HKEY_CURRENT_USER\NetRex Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standart keys and may vary
->HKEY_CURRENT_USER\NetRex Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nrsvr.exe has exactly 326.144 Bytes
*HINT* NetbusPro AND Netrex write both log's of ALL connections in a file called
Log.txt in the same directory as the server is installed usually C:\windows
But as always there may be versions which DO NOT write the log.
*Original Server Exe size is exactly 182.227 Bytes
*Suplement to the server exe but not needed are:
Win32cfg.exe exactly 4.128 Bytes
cfg95.exe has exactly 79.242 Bytes
When installing a little message box pops up saying <
It copies itself in the c:\windows\system directory with the name reg666.exe
AND to C:\WINDOWS\SYSTEM\regersys.ocx.
The keys Are:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Millenium Value=reg666.exe
*AND in win.ini adds run=C:\windows\system\reg666.exe
Removing is a little bit difficult because this trojan has some neat self-check
routine, if you remove the Key in the registry it adds it again, if you remove
the win.ini key it adds the key again, this tricky thing has also a backup
in regersys.ocx which it renames again to reg666.exe.
You see it's quite difficult if you don't know dos. -> 2 possibilities
1)Restart or quit and enter DOS and simply delete the File c:\windows\reg666.exe
AND regersys.ocx (The names are always the same)
2)Use programms able to KILL programs in memory like CCTASK (Url Below)
And then simply delete thereg666.exe from c:\windows\system don't forget to
to delete the c:\windows\system\regersys.ocx
* The exact size of reg666.exe is 48.128 Bytes ->No spelling mistake
*Gate Crasher
1)Needs 2 files one named port.dat (always) accompaigned with an EXE OR an DOC
YES this ones can infect using a Word Macro.
The Word Macro Contains the Words >>This file once opened checks to see.
if you have the latest version of winsck.ocx and you have so no updates
are available<< ->Nice Spelling
2)It doesn't open the ports immediatly it monitors the DUN (Dial Up Network)
If it's active it opens it's ports. So it isn't detecable up-on start
Actually it's fake Port watcher.
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer Value=EXPLORE.exe
*Original Explore.exe size is exactly 94.208 Bytes which actually is Port.dat
Port.dat size is exactly 94.208 Bytes
Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)
Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)
|
->Shows the name FullBrock (author's name ?)
*Socket de Troie (recognized by AVP)
Trojan doesn't restart. Only runs once
Spy Server exe has exaclty 30.720 Bytes
Trojan doesn't restart. Only runs if program is excecuted
Comes with a lot of fake apps but none of them runs the original
program.
Icqflood.exe has exaclty 24.576 Bytes
Opscript.exe has exactly 61.952 Bytes
Socket.exe has exactly 355.840 Bytes
winamp34.exe has exactly 690.688 Bytes
Wingenocide.exe has exactly 67.584 Bytes
Winrar.exe has exactly 687.616 Bytes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windll Value c:\windows\windll.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\windll.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the windll.exe in c:\windows
*Hint* This Trojan is specialist in stealing Passes. Victim should
rename ALL passwords.
windll.exe has exactly 309.248 Bytes
windll.exe has exactly 189.196 Bytes (there are 2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Patch Value c:\windows\patch.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\patch.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the patch.exe in c:\windows
*Hint*Netbus 1.7 saves the IP of attacker in c:\windows\access.txt !
but only if he has restricted access to server with this IP.
->Name of the trojan.INI -> if trojan name is patch.exe, patch.ini
Consists of the following : [Settings]
Port1=12345 *Obvious
ServerPwd=asl *Uncrypted
LogTraffic=1
MailTo=cocksucker@cf.com *Attacker e-mail
MailFrom=my@myself.com *yours
MailHost=127.0.0.1 *Smpt-Server
*Note the Mailto and the MailFrom could be interchanged (Bug or Feature to hide real
E-mail adress because I entered just the opposite)
The Patch.exe of netbus 1.6 has exactly 472.576 Bytes
The Patch.exe of netbus 1.7 has exactly 314.636 Bytes
The Whakamol.exe Fake game has exactly 314.636 Bytes
* Rare Version of NBP2
-> see netbus Pro 2
* Attack Ftp
What it Does ?
- Copies Wsgt32.dl_ in the System directory and renames the file in Drwatsom.exe
- Copies Wsgt32.dl_ in the Windows directory and renames the file in Wver.dll
- Copies Install.exe in the System directory and renames the file in Wscan.exe
- Writes a key in Win.ini to launch Drwatsom.exe up-on next reboot.
- Writes to registry to launch Wscan.exe at next reboot
- Searches CD-rom drives
- Creates Serv-u.ini in the System directory
- Scans HD for TREE.DAT (password of Cute-FTP)
- Copies result to c:\windows\Result.dll
- Launches Drwatsom.exe
- Fakes a Error-Message
Remove:
Quoted from the authors Readme :
- Kill Drwatsom (Ctrl-Alt-Del)
- Execute the command : "Wscan.exe Louis_Cypher"
- Delete the Key
"HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run" Value wscan.exe
- Delete Wscan.exe from c:\windows\system
Size of the setup.exe is exactly 230.912 Bytes
Needs a lot of dll's and needs a registration before functionating achieved by
a Reg file which Registrates the serials. I think it's impossible
to setup it up with no physical access to the victim computer. (therefore rare)
Removes itself on next reboot.
*Hint* The Victim should change his Dial-Up Password immediatly.
Nothing anormal if a person has a ftp, but some trojans are able to open an Ftp.
If you don't want the script to scan this Deactivate it.
*Note* If You selected >>Enable ALL<< ARE
be anonym.
Scan is very inaccurate. Therefore deactivated on Default , but can be enabled.
Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systemapp Value ODBC.exe
1)Restart or quit and enter DOS and simply delete the File c:\windows\system\odbc.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the odbc.exe in c:\windows\system
Quoted from the readme
>>Icqtrogen.exe is made to be placed in your icq folder and move the real icq
to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it<<
Removing is quite easy.
-> Goto Icq Directory delete ICQ.exe and rename the ICQ2.exe as ICQ.EXE. DONE
*Original Server EXE is exactly 39.424 Bytes.
->**Modified Version**
Doesn't need original ICQ.
Restarts not automatically.
*Modified Server Exe is exactly 27.779 Bytes
*Installer attached WITH BO is 188.438 Bytes
while pressing CTRL-ALT-DELETE the name pserver shows up.
The Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pserver Value pserver.exe (everytime)
*Original Server Exe is excactly 98.304 Bytes
->Wide spread version of BO. Runs on specific port
removing see BO.
*Gjamer
*Voodoo
*Original Server Exe is excactly 36.864 Bytes.
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSSystemSet"="msset32.exe"
c:\windows\system\inet.exe 200K
c:\windows\system\WinZipp.exe 200K
The Keys in the registry are :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg"
c:\windows\windll.exe 127488 Bytes
The Key in the registry is :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windll.exe"="C:\\WINDOWS\\Windll.exe"
c:\windows\_webcache_.exe
C:\WINDOWS\SYSTEM\Temp$1.exe
The Keys in the registry are :
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebAccelerator"="_webcache_.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe"
C:\WINDOWS\system\nssx.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe"
C:\WINDOWS\system\nssx.exe 36864 Bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Kernel32.dll"="c:\\windows\\ccc.exe"
*Satans Back Door
C:\windows\sysprot.exe 77 824bytes
*Indoctrination
C:\windows\sysprot.exe29 184bytes
"Msgsrv16"="Msgsrv16"
"Msgsrv16"="Msgsrv16"
"Msgsrv16"="Msgsrv16"
"Msgsrv16"="Msgsrv16"
"Msgsrv16"="Msgsrv16"
*JammerKillah12
C:\windows\MsWin32.drv 92 697bytes
"MsWindrv"="MsWin32.drv"
*AolTrojan
Copies to :
C:\windows\DAT92003.exe 69 632bytes
"dat92003"="C:\\WINDOWS\\SYSTEM\\DAT92003.exe"
*Hack'a'tack
"Explorer32"="C:\\WINDOWS\\Expl32.exe"
*The Unexplained
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "InetB00st"="C:\\WINDOWS\\TEMP\\INETB00ST.EXE"
*Bla
C:\WINDOWS\$Temp\TROJAN.EXE" c:\windows\system\Rundll.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "system"="C:\\WINDOWS\\$TEMP\TROJAN.EXE" "systemdoor"="c:\\windows\\system\\Rundll argp1"
*Progenic Trojan Beta Series
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Scandisk"="c:\\windows\\scandiskvr.exe"
* Hack'a'ttack1.12
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer32"="C:\\WINDOWS\\Expl32.exe"
* Bla1.1
[[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "system"="C:\\WINDOWS\\SYSTEM\\mprdll.exe"
* VL RAT. 5.3.0
C:\WINDOWS\SYSTEM\ .exe C:\WINDOWS\system\MSGSVR16.EXE
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Default"=" " "Explorer"=" " 'Note This runs " .exe" just like BO. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"
* BackConstruction 1.2
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Shell"="C:\\WINDOWS\\Cmctl32.exe"
* Kuang (Psender)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps_full.task"="C:\\WINDOWS\\SYSTEM\\K2ps_full.exe"
-Kuang2:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps"="C:\\WINDOWS\\SYSTEM\\K2psl.exe"
* Frenzy 1.01
"Explore"="C:\\Program files\\msgsrv36.exe"
* Kuang2 The Virus
* Xtcp PORT 5550
Copies to : c:\windows\winmsg32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Msgsv32"="C:\\WINDOWS\\SYSTEM\\winmsg32.exe" Uses port 5550.
* Netsphere Final (131337)
Copies to : c:\windows\system\epp32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ExecPowerProfile"="C:\\WINDOWS\\system\\epp32.exe"
* Schwindler 1.82
Copies to : c:\windows\user.exe NOT c:\windows\system\user.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "User.exe"="C:\\WINDOWS\\User.exe"
* SubSeven 1.9
Copies to : c:\windows\system\mtmtask.dl - Default:
System.ini
Shell=explorer.exe mtmtask.dl
* BackConstruction 2.1
Copies to : c:\windows\Cmctl32.exe [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Shell"="C:\\WINDOWS\\Cmctl32.exe"
* Vampire
* Trojan Spirit 2001 a
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Internet="c:\windows\netip.exe" Uses port 30911
* Maverick's Matrix
* Total Eclypse
* Kuang2 logger AS
* Vampire 1.2
* BoBo 1.0
* Deep Throat 3.1
* Trojan Spirit 1.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Internet="c:\windows\filename.exe"
* Eclipse 2000
Copies to: C:\\WINDOWS\\SYSTEM\\Filename.EXE
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"
Keynames seem to be selected randomly.
* Incommand
Copies to: Path_Where_Run\Filename.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AdvancedSettings"="Path_Where_Run\Filename.exe"
.
* BrainSpy
Copies to: C:\WINDOWS\SYSTEM\BRAINSPY .EXE
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Gbubuzhnw"="C:\\WINDOWS\\SYSTEM\\BRAINSPY
.EXE""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Dualji"="C:\\WINDOWS\\SYSTEM\\BRAINSPY
.EXE"
'Note Keynames are rondomized.
* IRC3
Win.ini
:
load
=
closew
Closew.bat
contains
the
foloowing
commands:
@prompt
@START
C:\WINDOWS\RUNDLLS.EXE
/h
Rundlls.exe
is
ServU.exe
and
the
/h
option
runs
it
hidden.
* PC Xplorer
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
* Online Keylogger
Copies to the drive set as Temp.
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinSet"="E:\\system.sys"
1.5 Usefull Url's
http://www.avp.com
*Trust No one, even a good friend can cheat on you
*This goes out to all L/\|\/|me d00des who think that using a trojan on a person
automaticaly makes them Elite (31337) and/or are deleting or destroying other's
people's data:
F U C K Y O U ! !
This FAQ is Copyrighted Int_13h (c)
----------------------------------
Contact me by e-mail at Int_13h
You want to contribute something, a port number, a removal Key or just Spot an Error ? Be sure to mail me ! You'll receive FULL Credit.