by SpaWn
********************************************************************************
GODWILL for GodMessage IV
12/01/2000
********************************************************************************

Affected Systems:
- Microsoft Windows 9x/ME/NT4/2000
- Internet Explorer 5.5 (for the WEB version)
- Outlook/Outlook Express (for the EMAIL version)

Languages (currently supported): English/Italian/German

INTRODUCTION:
Assuming the conditions above are satisfied, GodMessage IV can inject files into a target computer simply by having the computer's owner view a web HTML page or an email (also in preview mode).

HOW IT WORKS:
A GODMESSAGE page is an HTML page that works with an ActiveX bug found in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug, when someone views our "godmessaged" page, an HTA file is downloaded into his STARTUP FOLDER.
!Here there is a GREAT trick: on Win9x/ME systems this file is totally hidden even though it is placed in the startup folder!
Behind the HTA file there is a trojan (but it could be anything) in ASCII format. At the next reboot of the target machine the ASCII-format trojan is compiled into a full working EXE file and executed. At the reboot after that, the HTA file in the startup folder is deleted thanks to WININIT.INI (previously created by the HTA file itself).

LIMITATION:
The trojan server injected into GODMESSAGE pages can't be larger than 34kb.
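For a defender, the footprint this description spells out is concrete: an .hta file in the Windows Startup folder, and a WININIT.INI [rename] entry with a NUL destination that deletes that file at the following boot. The check below is added here and is not part of GODWILL or of the original text; it correlates those two artifacts over constructed sample inputs (the file name sysupd.hta, the directory listing and the INI contents are made up; the Startup path is the default one for an English Win9x install).

```python
"""Correlate an .hta in the Startup folder with a WININIT.INI [rename]
deletion entry, the two-stage persistence/cleanup pattern described above.
Every input here is a constructed sample; nothing touches a real filesystem."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a Startup-folder listing as captured from a disk image.
# Note: on Win9x/ME the dropped file may carry the hidden attribute, so the
# capture must include hidden files or the .hta will not appear at all.
SAMPLE_STARTUP_LISTING = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\desktop.ini",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\sysupd.hta",  # constructed name
]

# Constructed sample WININIT.INI. Windows processes the [rename] section once
# at boot: "destination=source"; a destination of NUL deletes the source file.
SAMPLE_WININIT_INI = """\
; constructed sample
[rename]
NUL=C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\sysupd.hta
C:\\WINDOWS\\SYSTEM\\example.dll=C:\\WINDOWS\\TEMP\\example.new

[other]
key=value
"""


def parse_wininit_rename(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section only."""
    pairs: List[Tuple[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_rename = section.group(1).strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def scheduled_deletions(ini_text: str) -> List[str]:
    """Files that WININIT.INI will delete at the next boot (NUL destination)."""
    return [src for dest, src in parse_wininit_rename(ini_text) if dest.upper() == "NUL"]


def hta_in_startup(listing: List[str]) -> List[str]:
    """Any .hta file in the Startup folder is unusual enough to flag on its own."""
    return [path for path in listing if path.lower().endswith(".hta")]


def assess(listing: List[str], ini_text: str) -> Dict[str, List[str]]:
    """Combine both signals; an .hta scheduled for self-deletion is the strongest one."""
    htas = hta_in_startup(listing)
    deletions = scheduled_deletions(ini_text)
    scheduled = {path.lower() for path in deletions}
    return {
        "hta_in_startup": htas,
        "scheduled_deletions": deletions,
        "self_deleting_hta": [h for h in htas if h.lower() in scheduled],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_STARTUP_LISTING, SAMPLE_WININIT_INI).items():
        print(f"{key}: {value}")
```

Because the deletion only happens on the second reboot, a machine examined between the first and second boot still shows both artifacts; afterwards only the compiled EXE and whatever autostart entry it added remain, so the WININIT.INI check is most useful on a live or freshly imaged system.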
GODMESSAGE PAGES CREATION:
GODWILL gives you the power to:
- Transform an existing HTML page into a GODMESSAGE one;
- Customize the creation process (for example, changing the language) through a wizard;
- Add an ICQ NOTIFICATION to your trojan server (if it doesn't have one);
- Add an ICQ NOTIFICATION to your infected page;
- Add an AUTOSTART FEATURE (via a registry key) to your trojan server (if it doesn't have one);
- Add an UNKNOWN (SubSeven-like) AUTOSTART FEATURE to your trojan server;
- Create all files needed by the GODMESSAGE EMAIL VERSION (there are many differences from the WEB version);
- Crypt GODMESSAGE pages to avoid AntiVirus detection (but the page size will double!!!);
- Add personal VBS code to execute additional commands of your choice (only 1kb added);
- Compress or expand the trojan server with UPX before injecting it into the GODMESSAGE page (really a UPX GUI!).

** GODWILL TOOLS DESCRIPTION **

- HTML Generator
  Generates infected pages.
  Requirements: an input starting page; an EXE trojan server (it will be encoded in ASCII format); a name for the output infected page (DON'T USE THE SAME NAME for input and output).
  Options: HTA file name; ADD other unsupported languages (by inserting the correct STARTUP path); AUTOSTART FEATURE (made by adding a registry key to the victim's registry); UNKNOWN AUTOSTART FEATURE (SubSeven-like); CRYPT the infected page and double its size; ICQ NOTIFICATION on the server (it works only if the victim opens Internet Explorer while connected); ICQ NOTIFICATION on your infected page; NO HTA end-process WINDOW CLOSING (but MSHTA will be visible in the Task Monitor); TIMEOUT settings (leave the default timeout if you don't know what you are doing!); INCLUDE VbsSpecial.vbs in the HTA (and add an AUTOSTART FEATURE).

- VBS Editor
  Includes a VBS file (called VbsSpecial.vbs) in the HTA file. This editor gives VBS coders the chance to create it and add every kind of action.
- GODMAIL Generator
  Creates all files needed to exploit OUTLOOK/OUTLOOK EXPRESS with a Godmessage email:
  - applet.html
  - outlookjs.class
  - godmail.html (or whatever name you decide)
  - signature.html (your electronic signature to attach to godmessage emails)
  Requirements: an already infected HTML page; an FTP server where the needed files are uploaded; the HTML output page name.
  ATTENTION: when you create a godmessage mail remember to:
  - create it in HTML format
  - add your signature.html as signature
  - don't use an FTP server with banners (such as XOOM)
  - don't modify any names except the HTML output page
  Options: TIMEOUT setting of the infected page (which is almost invisible) linked by your email.

- UPX GUI
  A personal GUI for this famous packer.

Version 1.0
********************************************************************************
Author: SpaWn
Co-Author/Translator: TheBigBrother
Debugger/Beta tester: KidArcade
http://godwill.cjb.net
[email protected]

Thanks to: Georgi Guninski, The Pull, StoneFisk, 6IT, Maverik
********************************************************************************