by SpaWn
Version 1.0.5
Added NO DIAL-UP ASKING of trojan server FOR INTERNET CONNECTION if it is not available;
Added Browser Redirection if it is not IE;
Modifications to Evil2;
Updated Readme.txt and ReadmeIt.txt.

*******************************************************
GODWILL for GodMessage IV
*******************************************************

Affected System:
- Microsoft Windows 9x/ME/NT4/2000
- Internet Explorer 5.5 (for WEB version)
- Outlook/Outlook Express (for EMAIL version)

Language (currently supported): English/Italian/German/Spanish

INTRODUCTION:
Assuming conditions are satisfied, GodMessage IV can inject files into a target computer simply by the computer owner viewing a web HTML page or an email (also in preview mode).

HOW IT WORKS:
A GODMESSAGE page is an HTML page that works with an ACTIVEX bug found in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug, when someone views our "godmessaged" page he downloads an HTA file into his STARTUP FOLDER.
!Here there is a GREAT trick: on Win9x/ME systems this file is totally hidden even though it is deployed in the startup folder!
Behind the HTA file there is a trojan (but it could be anything) in ASCII format. At target machine reboot the ASCII format trojan will be compiled into a fully working EXE file and executed. At the next machine reboot the HTA file in the startup folder will be deleted thanks to WININIT.INI (previously created by the HTA file itself).

LIMITATION:
Trojan server injected in GODMESSAGE pages can't be larger than 34kb (html page limit).

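
For incident triage, the persistence chain described under HOW IT WORKS leaves two artifacts that can be checked together: an .hta file in a Startup folder and a WININIT.INI entry that deletes a Startup file at the next boot. The Python check below is an added example, not part of the original readme or of GODWILL; the sample paths, the localized folder names and the `NUL=<path>` delete form (standard Win9x WININIT.INI behaviour, not stated on this page) are assumptions.

```python
import ntpath

# Constructed sample data standing in for a Win9x disk listing (not from the readme).
SAMPLE_FILES = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\update.hta",
    r"C:\WINDOWS\Desktop\help.hta",
]
SAMPLE_WININIT = r"""[rename]
C:\WINDOWS\SYSTEM\NEW.DLL=C:\WINDOWS\TEMP\NEW.TMP
NUL=C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\UPDATE.HTA
"""
# Assumed Startup folder names (English, German, Italian, Spanish); extend as needed.
STARTUP_NAMES = {"startup", "autostart", "esecuzione automatica", "esecuz~1", "inicio"}

def in_startup(path):
    """True if the file sits directly in a Startup folder."""
    return ntpath.basename(ntpath.dirname(path)).lower() in STARTUP_NAMES

def pending_deletes(wininit_text):
    """Paths queued for deletion at next boot: [rename] entries of the form NUL=<path>."""
    targets, section = [], None
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        dest, sep, src = line.partition("=")
        # Keys repeat in this section, so a dict-based INI parser would drop entries.
        if section == "rename" and sep and dest.strip().lower() == "nul":
            targets.append(src.strip())
    return targets

def triage(files, wininit_text):
    """Flag HTA files in Startup and Startup files queued for deletion."""
    findings = [("hta_in_startup", p) for p in files
                if in_startup(p) and p.lower().endswith(".hta")]
    findings += [("startup_self_delete", p) for p in pending_deletes(wininit_text)
                 if in_startup(p)]
    return findings

if __name__ == "__main__":
    for kind, path in triage(SAMPLE_FILES, SAMPLE_WININIT):
        print(kind, path)
```

Because the readme states the dropped file is hidden on Win9x/ME, take the file listing from an offline image rather than from Explorer on the live system.
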
GODMESSAGE PAGES CREATION:
GODWILL gives you the power to:
- Transform an existing HTML page into a GODMESSAGE one;
- Personalize the creation process (for example changing language) with a wizard;
- Add an ICQ NOTIFICATION to your trojan server (if it hasn't one);
- Add an ICQ NOTIFICATION to your infected page (hidden by MouseMovements..);
- Add an AUTOSTART FEATURE (by registry key) to your trojan server (if it hasn't one);
- Add NO-DIAL-UP-ASKING feature to trojan server;
- Create all files needed by GODMESSAGE EMAIL VERSION (there are many differences from WEB version);
- Crypt GODMESSAGE pages to avoid AntiVirus detection (but the page size will double!!!);
- Create Evil2 pages (hidden FTP working and LAN sharing);
- Compress or expand, by UPX, the trojan server before injecting it into the GODMESSAGE page (really a UPX GUI!).

*****
GODWILL TOOLS DESCRIPTION

- HTML Generator
  Generates infected pages.
  Requirements:
    an Input starting page;
    an EXE trojan server (it will be coded in ASCII format);
    a name for the Output infected page (DON'T USE THE SAME NAME for Input and OUTPUT).
  Options:
    HTA file name;
    ADD other unsupported languages (inserting correct STARTUP path);
    AUTOSTART FEATURE (made by adding a registry key to the victim registry);
    UNKNOWN AUTOSTART FEATURE (like SubSeven);
    CRYPT infected page and double its size;
    ICQ NOTIFICATION on server (it works only if the victim opens Internet Explorer when connected);
    ICQ NOTIFICATION on your infected page;
    NO HTA end process WINDOW CLOSING (but MSHTA will be visible in TaskMonitor);
    TIMEOUT settings (leave the default timeout if you don't know what you are doing!);
    INCLUDE an external VBS in HTA (and add an AUTOSTART FEATURE);
    ADD NO DIAL-UP ASKING of trojan server FOR INTERNET CONNECTION if it is not available;
    PAGE of Browser Redirection if it is not IE.

- GODMAIL generator
  Creates all files needed to exploit OUTLOOK/OUTLOOK EXPRESS with a Godmessage email:
    - applet.html
    - outlookjs.class
    - godmail.html (or whatever name you chose)
    - signiture.html (your electronic signature to attach to godmessage emails)
  Requirements:
    an already infected HTML page;
    an FTP server to which the needed files are uploaded;
    HTML output page name.
  ATTENTION: when you create a godmessage mail remember to:
    - create it in HTML format
    - add your signature.hmtl as signature
    - don't use an ftp server with banners (such as XOOM)
    - don't change any names except the HTML output page
  Options:
    TIMEOUT setting of the infected page (and quite invisible) linked from your email.

- EvilGOD
  Creates some different kinds of GodMessage pages.

- Evil2
  Creates a page that waits for the Target Internet Connection and then runs (HIDDEN WAY!) FTP.exe, uploading an exe file (try small ones...max 50kb) and executing it.
  Requirements:
    an HTML page;
    an FTP Server IP address (use ftp.xoom.com...it's better!);
    USERNAME for FTP;
    PASSWORD for FTP;
    an EXE file to upload.

- EvilSHARE
  Creates a page that SHARES all Target Files on a NETWORK LAN. To gain control over it you only have to enter this command line in START MENU\RUN: //computer name/C$

- UPX GUI
  A personal GUI for this famous packer.

!TEST YOUR GODMESSAGED PAGES ONLY IF YOU HAVE UPLOADED THEM!

Needed files (for GODWILL to work):
- VB60.dll
- Richxt32.ocx
- Mscomctl.ocx

Version 1.0.5 - 12/16/2000

*******************************************************
Author: SpaWn - Uin: 83076543
Co-Author/Translator: TheBigBrother - Uin: 41063270
Co-Author: KidArcade - Uin: 30111278
http://godwill.cjb.net
[email protected]
Thanks to: Georgi Guninski The Pull StoneFisk 6IT Maverik
*******************************************************

NOTICES:
- I'm waiting for an UPDATED SPANISH and GERMAN translation of this readme;
- I'm waiting for an UPDATED SPANISH and GERMAN translation of the GODWILL program; SEND ME your work, if you want, to [email protected].
- I want to include the .CHM exploit by Georgi Guninski; IF YOU HAVE SOME TIPS for this please SEND THEM TO ME!

Thanks,
SpaWn-The Big Brother-KidArcade
"GODsPATH Security Research"