GodWill 1.0.5
(Constructor.GodWill.105)

by SpaWn

 
Version 1.0.5
Added NO DIAL-UP ASKING: the trojan server does not ask to dial up when no Internet connection is available;
Added Browser Redirection if the browser is not IE;
Modifications to Evil2;
Updated Readme.txt and ReadmeIt.txt.

*******************************************************
GODWILL for GodMessage IV
*******************************************************

Affected Systems:
- Microsoft Windows 9x/ME/NT4/2000
- Internet Explorer 5.5 (for WEB version)
- Outlook/Outlook Express (for EMAIL version)
Languages (currently supported): English/Italian/German/Spanish

INTRODUCTION:
Provided the conditions above are satisfied,
GodMessage IV can inject files into a target computer
when the computer's owner simply views a web HTML page or an email (also in preview mode).

HOW IT WORKS:
A GODMESSAGE page is an HTML page that works with an ACTIVEX bug found in IE5.5/OUTLOOK/OUTLOOK EXPRESS.
Thanks to this bug, when someone views our "godmessaged" page he downloads an HTA file into his STARTUP FOLDER.
!Here is a GREAT trick: on Win9x/ME systems this file is totally hidden even though it is placed in the startup folder!
Behind the HTA file there is a trojan (but it could be anything) in ASCII format.
At the next reboot of the target machine the ASCII-format trojan is compiled into a fully working EXE file and executed.
At the following reboot the HTA file in the startup folder is deleted thanks to WININIT.INI (previously created by the HTA file itself).
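
A defensive check for the two artifacts described above (an HTA file in the Startup folder and a WININIT.INI entry that deletes it at boot), as an added example that is not part of the original readme. The Startup path fragments, the function names and the sample data are assumptions constructed for illustration.

```python
# Assumption: fragments that mark a Win9x/ME Startup folder on an English
# system, in long and 8.3 short form (WININIT.INI entries use short names).
STARTUP_MARKERS = (
    "\\start menu\\programs\\startup\\",
    "\\startm~1\\programs\\startup\\",
)

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    Keys such as NUL may repeat, so a dict-based INI parser would lose
    entries; the section is read line by line instead.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def in_startup(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in STARTUP_MARKERS)

def find_indicators(startup_listing, wininit_text):
    """Flag HTA files in Startup and pending deletions aimed at Startup."""
    findings = []
    for path in startup_listing:
        if in_startup(path) and path.lower().endswith(".hta"):
            findings.append(("hta_in_startup", path))
    for dest, src in parse_rename_section(wininit_text):
        # NUL=<file> makes WININIT.EXE delete <file> at the next boot.
        if dest.upper() == "NUL" and in_startup(src):
            findings.append(("pending_delete_in_startup", src))
    return findings

# Constructed sample evidence (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\update.hta",
]
SAMPLE_WININIT = r"""[rename]
NUL=C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\UPDATE.HTA
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
"""
```

Calling `find_indicators(SAMPLE_LISTING, SAMPLE_WININIT)` returns both findings; a WININIT.INI entry that deletes a file from Startup is worth triage even after the HTA itself is gone.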

LIMITATION:
Trojan server injected in GODMESSAGE pages can't be larger than 34kb (html
page limit).

GODMESSAGE PAGES CREATION:
GODWILL gives you the power to:
- Transform an existing HTML page into a GODMESSAGE one;
- Personalize the creation process (for example changing language) through a wizard;
- Add an ICQ NOTIFICATION to your trojan server (if it doesn't have one);
- Add an ICQ NOTIFICATION to your infected page (hidden by MouseMovements..);
- Add an AUTOSTART FEATURE (by registry key) to your trojan server
  (if it doesn't have one);
- Add the NO-DIAL-UP-ASKING feature to the trojan server;
- Create all files needed by the GODMESSAGE EMAIL VERSION (there are many
  differences from the WEB version);
- Crypt GODMESSAGE pages to avoid AntiVirus detection (but the page size
  will double!!!);
- Create Evil2 pages (hidden FTP working and LAN sharing);
- Compress or expand, with UPX, the trojan server before injecting it into the
  GODMESSAGE page (really a UPX GUI!).

***** GODWILL TOOLS DESCRIPTION

- HTML Generator
  Generates infected pages.
Requirements:
  an Input starting page;
  an EXE trojan server (it will be coded in ASCII format);
  a name for the Output infected page
   (DON'T USE THE SAME NAME for Input and OUTPUT).
Options:
  HTA file name;
  ADD other unsupported languages (inserting the correct STARTUP path);
  AUTOSTART FEATURE (made by adding a registry key to the victim's registry);
  UNKNOWN AUTOSTART FEATURE (like SubSeven);
  CRYPT the infected page, doubling its size;
  ICQ NOTIFICATION on server (it works only if the victim opens Internet Explorer
   while connected);
  ICQ NOTIFICATION on your infected page;
  NO HTA end process WINDOW CLOSING (but MSHTA will be visible in
   TaskMonitor);
  TIMEOUT settings (leave the default timeout if you don't know what you are
   doing!);
  INCLUDE an external VBS in the HTA (and add an AUTOSTART FEATURE);
  ADD NO DIAL-UP ASKING: the trojan server does not ask to dial up when no
   Internet connection is available;
  PAGE of Browser Redirection if the browser is not IE.


- GODMAIL generator: 
  Creates all files needed to exploit OUTLOOK/OUTLOOK EXPRESS with a Godmessage email:
   -applet.html
   -outlookjs.class
   -godmail.html (or any name you choose)
   -signiture.html (your electronic signature to attach to godmessage emails)
Requirements:
  an already infected HTML page;
  an FTP server to upload the needed files to;
  HTML output page name.
ATTENTION:
  when you create a godmessage mail remember to:
  - create it in HTML format
  - add your signature.html as signature
  - don't use an FTP server with banners (such as XOOM)
  - don't modify any names except the HTML output page
Options:
  TIMEOUT setting of the infected (and quite invisible) page linked by your email.


- EvilGOD
  Creates several different kinds of GodMessage pages.

  - Evil2 creates a page that waits for the Target's Internet Connection and then
    runs (HIDDEN WAY!) FTP.exe, uploading an exe file (try small ones...max 50kb) and executing it.
Requirements:
  an HTML page;
  an FTP Server IP address (use ftp.xoom.com...it's better!);
  USERNAME for FTP;
  PASSWORD for FTP;
  an EXE file to upload.

  - EvilSHARE creates a page that SHARES all Target Files on a NETWORK LAN.
    To gain control over it, you only have to enter this command line
    in START MENU\RUN:
    //computer name/C$


- UPX GUI
  A personal GUI for this famous packer.



!TEST YOUR GODMESSAGED PAGES ONLY AFTER YOU HAVE UPLOADED THEM!
Needed files (for GODWILL to work):
- VB60.dll
- Richtx32.ocx
- Mscomctl.ocx

Version 1.0.5 - 12/16/2000

*******************************************************

Author: SpaWn - Uin: 83076543
Co-Author/Translator: TheBigBrother - Uin: 41063270
Co-Author: KidArcade - Uin: 30111278

http://godwill.cjb.net
[email protected]

Thanks to:
Georgi Guninski
The Pull
StoneFisk
6IT
Maverik

*******************************************************

NOTICES:

- I'm waiting for an UPDATED SPANISH and GERMAN Translation of this readme;
- I'm waiting for an UPDATED SPANISH and GERMAN Translation of the GODWILL program;

SEND ME your works, if you want, to [email protected].

- I want to include the .CHM exploit by Georgi Guninski;

IF YOU HAVE SOME TIPS for this please SEND THEM TO ME!

Thanks,
SpaWn-The Big Brother-KidArcade

"GODsPATH Security Research"

