by The Pull
The Godmessage III.

PROPAGANDA ->

The Godmessage is the trojan you have never heard of. You view the webpage and it uploads the binary to your system. You never know what hit you. It has been tested thousands of times. The general public is not aware of these sorts of code because they are designed not to be found on people's systems. Yet, I present this code in good faith to make people completely aware of the dangerous situation they stand in.

The code holds a binary trojan hexed in there. Soon, its ports will be on scanners across the world, then on firewalls across the world. The code just as easily could hold any binary 9k or under, including CIH and several other small pieces of code that do horrible things.

For VULNERABLE see below.

LAST MINUTE NOTES:->

This code should still be considered rough, i.e., don't spend a lot of time on it. command.com is used, which has been tested fine on w2k, but would not work on NT; you must find and replace everything with cmd. But, who uses NT anymore? The self-delete stuff is buggy and needs some work. Anyway, there are some limitations, but - of course - these are minor considering the number of systems at risk. If anything from here, I would want to port everything to vbs and finish it from there... though, hopefully, I won't have the compulsion. Lotsa other stuff to do.

Using via email or news->

Don't, but in theory, one would want to have a refresh to a webpage because of the weight of this. A DHTML refresh. One can even surmount the latest Outlook "fix", by closely reading www.securityfocus.com. BUT NO ONE IS USING THAT, SO DON'T WORRY.

In my humble opinion, Microsoft needs to inform users that they need to upgrade to the security fix, and they need to implement an automatic upgrade system that has been okayed with the privacy teams immediately.

HISTORY ->

It was originally released well before bubbleboy or KAK, the more famous virii that used this same sort of bug. Again, as I stated in the first readme, this could have been a worm. It is inevitable someone will make a worm with this bug. I did not make it into a worm now nor then because that would be the same thing as releasing a virus. It would destroy the internet, and disrupt the financial systems... which might seem pleasing to those who do not think. But, the fact is that it would ultimately only hurt the poor.

The godmessage was originally called simply "evil.html".

WARNING: READ FIRST!

This code is marked CONFIDENTIAL. Which you, by reading this, agree means, that you may not view this code. "This code" meaning godmessageIII.html and flipscreen.html. The second rule is that you may not speak of the existence of this code. And, the third rule is that this code does not exist. The second rule includes the meaning that you may not show this code to anyone else.

Pre-Amble:->

This time, I made it easier to use because I got rained with tech support ever since. (Always the same questions). Basically, people were having a hard time cutting and pasting the code in there, because even a space or an extra semi-colon will mess it up. Which sort of defeats the purpose of releasing demonstration code.

USAGE INSTRUCTIONS->

TWO FILES IN HERE:->

godmessageIII.html - view, get rooted. It is a modified tHing 1..6 server without ICQ notification, without hide process (so it will run on NT/w2k). A fellow named splyc took out the ICQ notification which I got from blade's forums. I took out the hide process function because it was not allowing the tHing to run on NT or 2k. The tHing listens on port 7777 and the password is pass. Get the tHing client at http://come.to/soul4blade

Warning: The client doesn't quite work right with this modification, however while it may appear like the upload and run function does not work - it does. The progress meter is just busted with this.

flipscreen.html - does not root system, runs a "joke virus" for fun. Flips the person's screen every time they reboot.

Just have them view the html, via webpage, whatever.

CREDITS ->

Georgi Guninski found the bug in the first place. The man is a walking bug finding genius. This project has absolutely no relation to him.

Stone Fisk - helped in rooting out a last minute bug, and helped in the creation of the original godmessage a great deal.

6IT - for a last minute bug fix, as well, the idea to change c:\ to windir. DOH! (I do have a real job)

Exxtreme, Nicula Laurentiu of eEye (all who helped me with the original godmessage).

Sugien - of alt.hackers.malicious, who got me onto the track about hexing files to use in the first place with this, and whose name I forgot in the previous packetstorm/tlsecurity release.

Dabbler, aka ChuckX, aka Chuck -> who helped test the original and helped make the tHing with Blade

Blade, fc, M_R, Ganja51, slim -> the guys on the tHing team (of whom this project has no association with except that it uses Blade's trojan)

"Shoutz Out" -> all of the regular bullshitters at alt.fan.cult-dead-cow, everyone else on the cDc Hacktivism project, the guys who made spam a delicious treat; GM, for recalling their tires; televangelists for preaching bullshit for money (and, I can say that and not be in trouble); AND TO THE CLUB OF WHICH WE CAN NOT SPEAK OF

VULNERABLE ->

Microsoft Internet Explorer 5.5
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 2000
Microsoft Internet Explorer 5.01
   + Microsoft Windows 98
   + Microsoft Windows 95
   + Microsoft Windows NT 4.0
   + Microsoft Windows NT 2000
Microsoft Internet Explorer 5.0 for Windows NT 4.0
   + Microsoft Windows NT 4.0
Microsoft Internet Explorer 5.0 for Windows 98
   + Microsoft Windows 98
Microsoft Internet Explorer 5.0 for Windows 95
   + Microsoft Windows 95
Microsoft Internet Explorer 5.0 for Windows 2000
   - Microsoft Windows NT 2000
Microsoft Internet Explorer 4.0 for Windows NT 4.0
   + Microsoft Windows NT 4.0
Microsoft Internet Explorer 4.0 for Windows NT 3.51
   - Microsoft Windows NT 3.5.1
Microsoft Internet Explorer 4.0 for Windows 98
   + Microsoft Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
   + Microsoft Windows 95
Microsoft Internet Explorer 4.0 for Windows 3.1
Microsoft Outlook 97.0
Microsoft Outlook 98
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
Microsoft Outlook 2000
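
A defender-side check for the technique described under PROPAGANDA (a binary "hexed" into an HTML page), added here as an example; it is not code from the original release or its author. It assumes the embedded file is a run of hex digit pairs, optionally separated by whitespace or commas, and the function names and the sample page (a header stub only) are constructed for illustration.

```python
import re
import struct

# Assumption: the embedded file is a run of >= 64 hex digit pairs, optionally
# separated by whitespace or commas, starting at a non-alphanumeric boundary.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])(?:[0-9A-Fa-f]{2}[\s,]*){64,}")


def pe_offsets(blob: bytes) -> list:
    """Offsets where a DOS 'MZ' header's e_lfanew field points at 'PE\\0\\0'."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # a full 64-byte DOS header is present
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def find_hexed_executables(html: str) -> list:
    """Return (char offset of hex run, PE offset in decoded bytes, image size)."""
    hits = []
    for m in HEX_RUN.finditer(html):
        blob = bytes.fromhex(re.sub(r"[\s,]", "", m.group(0)))
        for off in pe_offsets(blob):
            hits.append((m.start(), off, len(blob) - off))
    return hits


# Constructed sample: a 128-byte header stub (no code), hex-encoded into a page.
_STUB = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
         + b"PE\x00\x00" + b"\x00" * 60)
SAMPLE_HTML = ('<html><body><script>var d="%s";</script></body></html>'
               % _STUB.hex().upper())

if __name__ == "__main__":
    for start, off, size in find_hexed_executables(SAMPLE_HTML):
        print(f"hex run at char {start}: PE image at byte {off}, {size} bytes")
```

A hit is a reason to quarantine the page and inspect the decoded bytes; the size field can be compared against the "9k or under" limit the readme mentions.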