by 6IT
Co-authors: Inch, Taint, StoneFisk and The Pull
The Godmessage IV r2

WARNING: DO NOT VIEW THE HTML FILE ENCLOSED WITH THIS ZIP PACKAGE UNLESS YOU KNOW HOW TO REMOVE THE TROJAN. IF YOU HAVE ALREADY DONE THIS, SEARCH YOUR DRIVE FOR ALL .HTA APPLICATIONS, AND DELETE THE TROJAN.

----------------------------------------------------------------------------------------------------------

Revision 2 changes:
-> If one dared to play with this remotely, one should probably increase the timeout values. Otherwise, on slow connections the file may not be made. Do not play with this file.

----------------------------------------------------------------------------------------------------------

What is the godmessage?

The godmessage is basically an ActiveX trojan. You view the HTML, you are infected with a trojan that will run on reboot. See below for affected systems (as of today, Oct 08). Read this entire file before even considering viewing the HTML enclosed.

The godmessage, once again, like last year's version, works off of a Georgi Guninski exploit. This, hopefully, will be the last update to this series. If there are any major/minor bugs due to last-minute testing, and wanting to play Quake and never look at this damned code again... then sorry.

----------------------------------------------------------------------------------------------------------

Co-Authors: Major contributors to this, Six Inch Taint (6IT) and stonefisk (in alphabetical order).

----------------------------------------------------------------------------------------------------------

This is a severe update to the godmessage, hence the next version number.

Improvements: We ported it to VBS, and cleaned it up a great deal. With VBS horrible features could be added, but weren't. Stealth and speed were greatly improved.
-> Speed: the speed of delivery from HTML to HTA was increased about 200%, estimated. The speed from HTA to trojan running, about 500% (or more).
-> Stealth:
It now completely and consistently deletes all of its files except for the HTA file. The HTA file does recreate the trojan. It does not require "command" or "cmd", so it avoids the error that one or the other would throw on 98 versus NT systems. The HTA size is now about 20% smaller. The CPU usage when viewing the file or running the HTA has dropped a thousand percent.

------------------------------------PROPAGANDIST SOAPBOX--------------------------------------------------

Do You Really Know What It Means To Be Alive?

------------------------------------Technical Support-----------------------------------------------------

Do not expect technical support on this. I do not want people to use it. I do not want people even to open the file to view the HTML, because that will infect you. I simply do not have time to answer questions on this, which is the main reason. This is one of the main reasons I put the trojan in it. While it will soon be detected by AV... well, that is just the way things go. There will probably be no updates. I barely had time for this, and it would not have been made without the help of 6IT and Stone Fisk.

Foreign users -> Note, you will need to change the path where the file is created to get this to work. For instance, in German (versus English) the startup folder is called "autostart". Thanks to "[email protected]" for that. He also recommended compressing lcoder to lose quite a few kb's, and that would be a good idea for the foolhardy person who wishes to hack this script. I am sorry that I was not able to put in all of the requested feature requests. But, it is free code, hack away.

----------------------------------------------------------------------------------------------------------

SPECIAL THANKS -> To packetstorm.securify.com, and especially to "Alan" who patiently went through all of my updates I sent him on version III.
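The warning at the top says to search the drive for .HTA applications, and the foreign-user note says the startup folder name is localized ("autostart" on German systems). As an added, defensive example that is not part of the original release, this Python script walks a directory tree, lists every .hta file and flags those sitting under a startup folder; the folder-name set and the sample drive layout are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Folder names the page mentions for the per-user startup directory: "Startup"
# on English systems, "Autostart" on German ones. Assumption: matched
# case-insensitively against every component of a file's directory path.
STARTUP_FOLDER_NAMES = {"startup", "autostart"}


def find_hta_files(root):
    """Walk `root` and return sorted (relative_path, in_startup_folder) pairs
    for every file with an .hta extension, whatever its letter case."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_startup = bool({p.lower() for p in rel_dir.parts} & STARTUP_FOLDER_NAMES)
        for name in filenames:
            if name.lower().endswith(".hta"):
                hits.append((str(rel_dir / name).replace(os.sep, "/"), in_startup))
    return sorted(hits)


# Constructed sample drive layout for offline testing; none of this is real data.
SAMPLE_LAYOUT = {
    "Windows/Start Menu/Programs/StartUp/gm.hta": "<html><!-- constructed -->",
    "WINDOWS/Startmenue/Programme/Autostart/GM.HTA": "<html><!-- constructed -->",
    "Temp/readme.txt": "not an hta",
    "Tools/legit.hta": "<html><!-- constructed, not in a startup folder -->",
}


def demo_scan():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_LAYOUT.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return find_hta_files(tmp)


if __name__ == "__main__":
    # Flagged entries are the ones that would re-run on every reboot.
    for path, in_startup in demo_scan():
        print(("STARTUP " if in_startup else "        ") + path)
```

Point find_hta_files at a real drive root to list candidates; the flag only says where a file lives, so inspect each hit before deleting it.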
----------------------------------------------------------------------------------------------------------

USAGE INSTRUCTIONS ->

ONE FILE IN HERE ->
godmessageIV.html - view, get rooted.

It is a modified tHing 1.6 server without ICQ notification, without hide process (so it will run on NT/w2k). A fellow named splyc took out the ICQ notification, which I got from blade's forums. I took out the hide process function because it was not allowing the tHing to run on NT or 2k. The tHing listens on port 7777 and the password is pass. Get the tHing client at http://come.to/soul4blade

The progress bar is out of whack with this. Give it a few seconds when uploading and running something. It will have run.

WARNING -> THE AUTHORS DISCLAIM ALL RESPONSIBILITY TO THE USAGE, HANDLING, OR CARE OF THIS PROGRAM. YOU, AS THE PERSON IN POSSESSION OF THIS FILE, MUST ACKNOWLEDGE THIS BEFORE EVEN LOOKING AT THE SOURCE CODE OR VIEWING THE FILE. DO NOT VIEW THIS FILE.

USAGE HINTS -> If you want to hack the file to put in your own trojan (or whatever), go ahead. Just don't ask me for help. For email or newsgroup postings, it is said, use a DHTML refresh to a website for fastest results.

----------------------------------------------------------------------------------------------------------

Additional CREDITS ->

Georgi Guninski found the bug in the first place. The man is a walking bug-finding genius. This project has absolutely no relation to him.

Exxtreme, Nicula Laurentiu of eEye (all who helped me with the original godmessage).

Sugien - of alt.hackers.malicious, who got me onto the track about hexing files to use in the first place with this, and whose name I forgot in the previous packetstorm/tlsecurity release.

Dabbler, aka ChuckX, aka Chuck, aka Sparklen -> who helped test the original and helped make the tHing with Blade.
And, I just like to put this guy's name out cause he likes to smoke pot a lot while working on the latest GM motor's processor.

Blade, fc, M_R, Ganja51, slim -> the guys on the tHing team (of whom this project has no association with, except that it uses Blade's trojan).

"Shoutz Out" -> Okay, "shoutz outs" are stupid. Heh. ;)

(--------------------------------------------------------------------------------------------------------)

vulnerable:

Microsoft Internet Explorer 5.5
  - Microsoft Windows 98
  - Microsoft Windows 95
  - Microsoft Windows NT 4.0
  - Microsoft Windows NT 2000
Microsoft Internet Explorer 5.01
  + Microsoft Windows 98
  + Microsoft Windows 95
  + Microsoft Windows NT 4.0
  + Microsoft Windows NT 2000
Microsoft Internet Explorer 5.0 for Windows NT 4.0
  + Microsoft Windows NT 4.0
Microsoft Internet Explorer 5.0 for Windows 98
  + Microsoft Windows 98
Microsoft Internet Explorer 5.0 for Windows 95
  + Microsoft Windows 95
Microsoft Internet Explorer 5.0 for Windows 2000
  - Microsoft Windows NT 2000
Microsoft Internet Explorer 4.0 for Windows NT 4.0
  + Microsoft Windows NT 4.0
Microsoft Internet Explorer 4.0 for Windows NT 3.51
  - Microsoft Windows NT 3.5.1
Microsoft Internet Explorer 4.0 for Windows 98
  + Microsoft Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
  + Microsoft Windows 95
Microsoft Internet Explorer 4.0 for Windows 3.1
Microsoft Outlook 97.0
Microsoft Outlook 98
  - Microsoft Windows 98
  - Microsoft Windows 95
  - Microsoft Windows NT 4.0
Microsoft Outlook 2000