Optix Lite 0.2 (a)
(Backdoor.Win32.Optix.02.a)

by th3 r1pp3rz

Written in Delphi

Released in August 2001



Optix Lite by: th3 r1pp3rz

Programming: th3 s13az3 and xMs



Version 0.2
Pretty much the same kind of stuff in this update. If you need help with what
feature does what, then just hover your mouse over the button/control that
you want info on and a Hint box will appear.

The main advantages of version 0.2 are that past
bugs have been eradicated.
Especially bugs which disabled you from connecting to the server file after
a broken upload or even after you have disconnected once!

Virus/Firewall library has been updated, mainly concentrating on getting the currently
resisted firewalls & AVS to be terminated in Win2k/NT environment!

A WHOLE extra feature called "Process Manager" has been added,
which allows you to manually close running executables on the remote computer.

Oh yeah, and the ability to run a file has been advanced and you can now toggle
to enable/disable Firewall/AVS killing, ICQNotify and whether or not the
installation server file is melted!

ENJOY!



Version 0.1
Optix Lite is a small uploader trojan that works on Windows 95/98/2K/NT.
The client contains the editor.  The server file comes unpacked.
Use the client/editor to set your settings, save, and use your favorite packer.
You should expect to see a packed server file size of 35-38k.
Once your server file is packed, you cannot modify settings until you unpack.  

Disable firewall/av.
There are several full blown trojans that bypass Firewall/AVs now.
As far as we know, as of 7/01/01, we have created the first
"uploader" trojan to bypass the more popular firewalls/avs.
For a complete list of firewall/avs that Optix Lite defeats, see listing below. 
There is no bypass for this feature at this time.  It's in the server and it will execute.
It does not, however, damage any files on the server.
It only shuts the processes it finds down, THEN allows the server to do its work.
The firewall/av feature is threaded, and it continues to check to see if any
in its list have been reloaded every 60 seconds.

File to Upload. 
This is where you select your file to upload.
By default, the check box "Run File on Upload" is checked.
The file is uploaded into the root (C:\) directory of the server and executed.
You will receive notification when file is executed.

Run Remote File.
You must know where the file you want to run is located on the server.
It has nothing to do with the File to Upload feature above.
We added this feature for our own use.  

Fake Error Message.
If you do not want to bind the Optix server file, you can enable this option 
to give a fake error message the first time the server is started up. 
The vic thinks the file encountered an error, and doesn't pay any attention to it,
but in fact, the server actually installs, disables the av/firewall(s) and sends ICQ notification.

Password.
Leave password field blank if you do not wish to use a password.

Our primary goal with Optix Lite was to create a small, stable uploader trojan
with a stealth installation feature that runs stable across all Win32 OS platforms.
We've tested Optix on Win95/98/NT/2K to be sure.

Windows 95 notice:  DO NOT use the Stealth startup method if you think
your server will go to a Windows 95 SR1 machine.
On the early version of Windows 95, our stealth option will not work. 
On all other Windows versions, it works very well, and is very well hidden.
No server.exe found in the registry, win.ini, or system.ini.




Currently Resists:

FIREWALLS:
ZoneAlarm
ZoneAlarm Pro
BlackIce
ConSeal PC Firewall
Tiny Personal Firewall
Lockdown2000
LockdownME
Sphinx

AVS:
PC Door Guard 2
PC-cillin
Trojan Defence Suite 3
AntiViral Toolkit Pro (AVP)
AntiVirus eXpert 2000 Desktop (AVX)
AVG Anti-Virus
Norton AntiVirus
Sophos AntiVirus
Panda Antivirus 6.0 Platinum
Ants
Anti-Trojan
WinRoute
The Cleaner
Dr. Solomon Virus Scan
McAfee Virus Scan


Server:
C:\WINDOWS\SERVER.EXE 

size: 82.432 bytes

port: 5151 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "RunProg" 
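
Detection sketch (an added example, not part of the original readme or of the catalogue entry): it checks a host snapshot for the file, port and Run value listed above, and scans process events for security tools that keep dying within 60 seconds of a restart, the pattern the readme's 60-second recheck would produce. The snapshot layout, the event format and the process names fw_agent.exe and av_scan.exe are constructed assumptions.

```python
from collections import defaultdict

# Indicators as listed on this page (compared case-insensitively).
IOC_PATH = r"c:\windows\server.exe"
IOC_PORT = 5151
IOC_RUN_VALUE = "runprog"  # value name under HKLM\...\CurrentVersion\Run

def match_indicators(snapshot):
    """Return which page-listed indicators appear in a host snapshot."""
    hits = []
    if any(p.lower() == IOC_PATH for p in snapshot.get("files", [])):
        hits.append("file")
    if any(proto == "tcp" and port == IOC_PORT
           for proto, port in snapshot.get("listeners", [])):
        hits.append("port")
    if any(n.lower() == IOC_RUN_VALUE for n in snapshot.get("run_values", {})):
        hits.append("run_key")
    return hits

def repeated_kills(events, protected, max_lifetime=60, min_count=2):
    """Flag protected processes that repeatedly stop within max_lifetime
    seconds of starting. events: time-ordered (seconds, "start"|"stop", image)."""
    started, short_lived = {}, defaultdict(int)
    for ts, kind, image in events:
        image = image.lower()
        if image not in protected:
            continue
        if kind == "start":
            started[image] = ts
        elif kind == "stop" and image in started:
            if ts - started.pop(image) <= max_lifetime:
                short_lived[image] += 1
    return sorted(i for i, n in short_lived.items() if n >= min_count)

# Constructed sample data (hypothetical host and process names).
SNAPSHOT = {
    "files": [r"C:\WINDOWS\SERVER.EXE", r"C:\WINDOWS\explorer.exe"],
    "listeners": [("tcp", 135), ("tcp", 5151)],
    "run_values": {"RunProg": "<constructed value data>"},
}
PROTECTED = {"fw_agent.exe", "av_scan.exe"}
EVENTS = [
    (0, "start", "fw_agent.exe"), (10, "start", "av_scan.exe"),
    (40, "stop", "fw_agent.exe"), (100, "start", "fw_agent.exe"),
    (120, "start", "notepad.exe"), (130, "stop", "notepad.exe"),
    (155, "stop", "fw_agent.exe"), (200, "start", "fw_agent.exe"),
    (250, "stop", "fw_agent.exe"), (5000, "stop", "av_scan.exe"),
]

if __name__ == "__main__":
    print(match_indicators(SNAPSHOT), repeated_kills(EVENTS, PROTECTED))
```

Any single indicator is weak on its own (a file named SERVER.EXE or a listener on TCP 5151 can be benign), so treat the two functions as corroborating signals.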

MegaSecurity