by Princeali
Released in September 2005


Bandook v1.3 is a Plugin Based Mini RAT
Server Size : 18 KB
Tech :
-------
*Firewall Bypass Plus Plus (++), User level APIs Unhook / SDT Restore POC Method
*Persistence Option (File / Startup keys Rewritten on Deletion, Restarted on Process Termination, Safe Mode Boot)
*Rootkit Option : Hide Process/Startup keys/and File / connection
Current Features :
-------------------
*File Manager
*Registry Manager
*Folder Mirroring
*Screen Capture (JPEG / PNG)
*Cam Capture (JPEG / PNG)
*Mic Capture
*Windows Manager
*Ims Spy (MSN/YAHOO/AIM)
*Process Manager
*Protected Password Storage Viewer
*Instant Messenger Passwords Viewer
*Remote Shell
*Online/Offline keylogger
*HTTP Webserver
*Socks 4
*HTTP Proxy
*Port Redirection
*Download File from url
*Mass Download
Files Info
----------
Bandook v1.3.exe : Bandook Main, where you Create a Server, Control machines, etc.
stub.dat : Bandook Stub
fsg.exe : Executables Packer
Manual_en.pdf : Bandook Official English Manual
Plugins Folder:
---------------
bndkmul.dll : Multimedia Plug-in
bndkutils.dll : Utilities Plug-in
bndkhook.dll : Rootkit Plug-in
pws.bndk : Nirsoft Protected Pass Storage Plug-in
pws2.bndk : Nirsoft Ims Pass Retrieval Plug-in
Princeali
Server:
dropped file:
c:\WINDOWS\system32\ali.exe
size: 18,881 bytes
startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Bandook"
data: C:\WINDOWS\System32\ali.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1} "StubPath"
data: C:\WINDOWS\System32\ali.exe
tested on Windows XP
September 19, 2005
MegaSecurity