KaoTan FWB 2.0
(TrojanDownloader.Win32.Kotan)

by Faiseur

Written in ASM

Released in April 2004

Made in Switzerland




-------------------------------------------------------------------------------
How it Works
-------------------------------------------------------------------------------

KaoTan is a Firewall Bypass Webdownloader designed for maximum access to a system. Here are its features:

- You can download up to 2 files

- Injection modes :
a. No injection ( standard connection )
b. Browser injection
c. Explorer injection
d. Trillian/MSN injection

- Download check, in case it fails ...


- 3 directories where the downloaded files can be saved :
a. Windows
b. Temp
c. System

- You can set up a timer, thus delaying the execution :
a. Off
b. 30 seconds
c. 1 minute
d. 5 minutes

- The server can melt, once run

- Critical data such as the URL to the file to download, or the names of the .exe, are encrypted

- Compatible with Win98/ME/NT/2K/XP


Compared to v1, KaoTan v2 has :
- Win98/ME compatibility
- Download check (further detailed later)

-------------------------------------------------------------------------------
Configuration
-------------------------------------------------------------------------------

The Edit Server has two sides. On the "server" side, enter the exact URL to the files you want to download,
and the name they'll be renamed to, once saved on the computer. Tick the "URL 2 OFF" box, if you only want one file to be downloaded.

On the "Options" side, you can :


- Choose the type of injection you want :
a. No injection ( standard connection )
b. Browser injection
c. Explorer injection
d. Trillian/MSN injection

- Choose if the server should melt, once run

- Set up a timer :
a. Off
b. 30 seconds
c. 1 minute
d. 5 minutes

- Choose the directory where the downloaded files will be saved :
a. Windows
b. Temp
c. System

- Have a look at the "About" tab


Notice that the edit server saves your preferences.


------------------------------------------------------------------------------

- If you choose the Browser injection :
1. KaoTan will first check if a browser is currently running, in order to inject itself into it. This passive method is the stealthiest one.

2. If no (known) browser is running, it will look up the default system browser, run it with a hidden window, and inject itself into it.

3. If, for any reason, no browser can be run, KaoTan will run Internet Explorer in hidden mode, and inject itself.

4. If Internet Explorer cannot be run, then KaoTan will switch itself to Trillian/MSN injection mode.


- If you choose the Trillian/MSN injection :
1. KaoTan will first check if MSN is running, for a passive injection.

2. If it isn't running, it will check for Trillian.

3. If Trillian isn't running either, then KaoTan will launch MSN, in hidden mode, and use it for injection.

4. If, for any reason, MSN cannot be run, KaoTan will switch itself to browser injection mode.

- KaoTan works with older versions of MSN,
e.g. v4.7 (installed by default on WinXP), 5.0, or the latest version, v6.1, whose process is different.

By now, you should have understood that the choice of the injection mode is nothing but a choice of priority.
Those two modes ( Trillian-MSN, and Browser ) are quite robust, since each one switches to the other in case of problem.

- Download check in case of problem :
KaoTan v2 has a new download verification system, switched on AFTER injection. It may happen (who knows ?) that the download is blocked by a firewall. It would be quite strange when using a Browser injection, but it is still possible.
Anyway, if the first download fails, KaoTan will terminate itself and reload using a different injection. This is the protocol used :

1. If the "no injection" ( standard ) mode fails, KaoTan will try a "Browser" injection...

2. If the "Browser" mode fails, KaoTan will try an "explorer" injection...

3. If the "explorer" mode fails, KaoTan will try a "Trillian/MSN" injection...

4. If the Trillian/MSN mode fails, KaoTan will try a "no injection"...

Etc !
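From a defender's side, the two design points above (the downloader hides inside a browser, Explorer or messenger process, and it saves its payload into the Windows, Temp or System directory) combine into a simple host-based heuristic: a browser or messenger process that writes an executable into one of those three directories is unusual. The following is an added illustration, not code from KaoTan or its author. It runs over constructed file-creation events in a Sysmon-like shape; the process image names, the directory paths, and the event fields are assumptions, not values taken from this readme.

```python
"""Flag .exe files written into Windows / Temp / System by browser, shell or
messenger processes, the hosts and drop locations this readme describes."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed image names of the processes the readme names as injection hosts
# (browsers, Explorer, MSN Messenger, Trillian). Extend to your environment.
HOST_PROCESSES = {
    "iexplore.exe", "firefox.exe", "opera.exe",   # browsers
    "explorer.exe",                               # shell
    "msmsgs.exe", "msnmsgr.exe", "trillian.exe",  # messengers
}

# The three save locations listed in the readme; paths are assumed defaults.
DROP_DIRS = {
    "windows": PureWindowsPath(r"C:\Windows"),
    "temp": PureWindowsPath(r"C:\Windows\Temp"),
    "system": PureWindowsPath(r"C:\Windows\System32"),
}


@dataclass(frozen=True)
class FileCreateEvent:
    """One file-creation record (constructed shape, Sysmon event 11 style)."""
    image: str    # full path of the process that created the file
    target: str   # full path of the file it created


def drop_location(target: str):
    """Return which listed drop directory holds `target`, or None.

    PureWindowsPath compares case-insensitively, so C:\\windows\\temp matches.
    The parent must equal the directory exactly: a file in Windows\\Temp is
    reported as 'temp', not 'windows'."""
    parent = PureWindowsPath(target).parent
    for name, directory in DROP_DIRS.items():
        if parent == directory:
            return name
    return None


def is_suspicious_drop(event: FileCreateEvent):
    """Return a finding dict when a host process writes an .exe into a drop
    directory, else None. Installers and updaters also write there, which is
    why the rule is restricted to the browser/shell/messenger images."""
    image_name = PureWindowsPath(event.image).name.lower()
    if image_name not in HOST_PROCESSES:
        return None
    if PureWindowsPath(event.target).suffix.lower() != ".exe":
        return None
    location = drop_location(event.target)
    if location is None:
        return None
    return {"process": image_name, "file": event.target, "location": location}


def scan(events):
    """Apply the heuristic to a sequence of events and collect the findings."""
    return [f for f in (is_suspicious_drop(e) for e in events) if f]


# Constructed sample events: two should be flagged, three should not.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                    r"C:\Windows\System32\update.exe"),          # flagged
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\Desktop\notes.txt"),         # normal
    FileCreateEvent(r"C:\Program Files\MSN Messenger\msnmsgr.exe",
                    r"C:\Windows\Temp\loader.exe"),               # flagged
    FileCreateEvent(r"C:\Users\alice\Downloads\setup.exe",
                    r"C:\Windows\System32\driver.exe"),           # installer
    FileCreateEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                    r"C:\Users\alice\Downloads\tool.exe"),        # normal
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[!] {finding['process']} wrote {finding['file']} "
              f"(location: {finding['location']})")
```

The rule deliberately keys on the writing process rather than on the downloader binary, because the readme's whole point is that the network activity and the file write are attributed to a trusted-looking host process; a rule that only looks at the original executable would miss it. Tune `HOST_PROCESSES` and `DROP_DIRS` to the real images and paths in your environment before relying on it.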


-------------------------------------------------------------------------------
About
-------------------------------------------------------------------------------


- KaoTan 2.0 is coded in pure Assembly, and uses a DLL injection (thanks Aphex) that should not be detected while injecting.

- KaoTan 2.0 is compatible with Win98/Me.

- Do not use this program in illegal ways. Just understand that you are responsible for any damage you cause on computers you do not own.

- Big thanks to the UndergroundKonnekt Team, and to Bioacide, StafraK and Wizard. English translation of the readme: Lucifer0000.

Faiseur


Server:
size: 12.288 bytes

MegaSecurity