FKWP 1.5
(Trojan-Spy.Win32.Agent.t)

by b1ackh0le

Written in Microsoft Visual C++

Released in July 2004


Firewall bypass Keylogger, Webdownloader, Protected Storage (FKWP V 1.5)
-------------------------------------------------------------------------

It is a Firewall bypassing Key logger, Web downloader and Protected Storage password sender.
 
Features
--------

1) logging all keystrokes
2) Download 2 urls cab files and extracting and executing the inside exes (Firewall bypass)
3) Protected storage (Outlook, IE stored passes), Cached Dialup passes Sender
4) keystrokes, passes will mail to the email id, daily or the log size is over
5) firewall bypassing by injecting code into IE and sending mail
6) No Process visible, injects into Explorer.exe on startup and exiting
7) Active Setup Startup 
8) EXE size is 11.9 KB
9) encrypted log file

Usage
-----

The editor will create the fkwp1.5.exe,

Email ID - ur email id to get the log, pass report

SMTP (MX) - MX server of the domain of ur email id
yahoo - mx4.mail.yahoo.com
hotmail - mx2.hotmail.com
To find the mx servers for other domains go to dnsstuff.com and use DNS lookup.

Log size - the logs will send to ur email id after the log size over, or the date changed,

URL1 

nowadays free hosts not allowing to upload exes, so just compress ur trojen.exe using makecab

the steps r
rename trojen1.exe to aa.exe
goto command prompt type
makecab aa.exe aa.cab
this will compress aa.exe and create aa.cab, upload it to ur free space
then this program will download, extract aa.exe and run that aa.exe

the same thing in the case of URL2

rename trojen2.exe to bb.exe
goto command prompt type
makecab bb.exe bb.cab
upload

this allows facility to download 2 compressed big trojans on the victim pcs and execute,
no need to upload it first time itself, when u need to run the trojans just upload it,
this program will check each 3 minutes for that url, and if the file is present it will download,
if not present it will not do anything

bye

b1ackh0le


Server:
dropped files:
c:\WINNT\regob1.dll             size: 0 bytes 
c:\WINNT\regob2.dll             size: 0 bytes 
c:\WINNT\system32\msvchost.exe  size: 12.207 bytes 
c:\WINNT\system32\regc64.dll    size: 10.240 bytes 
c:\WINNT\system32\ssvchost.com  size: 12.207 bytes 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} "StubPath"
data: C:\WINNT\system32\ssvchost.com 

tested on win2000
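
The Active Setup entry listed above can be hunted for offline. The Python sketch below is an added example, not part of the original archive entry or the author's readme: it parses a .reg-style export of Installed Components and flags StubPath values using three heuristics taken from this sample (a braced component id that is not a valid GUID, a .com image, a file name imitating svchost). The function names, the heuristics and the benign sample entry are assumptions.

```python
import ntpath
import re

# Constructed .reg-style export. The first entry is a made-up benign component;
# the second reuses the key name and StubPath value listed on this page.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\WINNT\\system32\\example.exe /setup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}]
"StubPath"="C:\\WINNT\\system32\\ssvchost.com"
'''

KEY_RE = re.compile(r'^\[.*\\Active Setup\\Installed Components\\([^\\\]]+)\]$', re.I)
STUB_RE = re.compile(r'^"StubPath"="(.*)"$', re.I)
GUID_RE = re.compile(r'^>?\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)

def stub_image(command):
    """Lower-cased file name of the program a StubPath command line starts."""
    # Assumption: unquoted paths containing spaces are cut at the first space.
    quoted = re.match(r'\s*"([^"]*)"', command)
    path = quoted.group(1) if quoted else (command.split(None, 1) or [''])[0]
    return ntpath.basename(path).lower()

def audit(export_text):
    """Return (component, image, reasons) for each StubPath that trips a heuristic."""
    findings, component = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            component = key.group(1)
            continue
        stub = STUB_RE.match(line)
        if not (stub and component):
            continue
        image = stub_image(re.sub(r'\\(.)', r'\1', stub.group(1)))  # undo .reg escaping
        stem, ext = ntpath.splitext(image)
        reasons = []
        if component.lstrip('>').startswith('{') and not GUID_RE.match(component):
            reasons.append('braced component id is not a well-formed GUID')
        if ext == '.com':
            reasons.append('StubPath runs a .com image')
        if 'svchost' in stem and stem != 'svchost':
            reasons.append('file name imitates svchost')
        if reasons:
            findings.append((component, image, reasons))
    return findings
```

Calling audit(SAMPLE_EXPORT) returns one finding, for the ssvchost.com entry, with all three reasons; the heuristics are triage hints and a hit still needs the file itself examined.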

MegaSecurity