by Coban2k
Released in October 2003
Made in Russia
Features:
- ICQ99b-2003a/Lite/ICQ2003Pro
- Miranda-icq
- Trillian ICQ&AIM
- &RQ
- The Bat!, The Bat! 2 (mailer)
- Outlook/Outlook Express (pop3/imap)
- IE autocomplete & protected sites & ftp (9x/Me/2k/xp supported)
- FAR Manager (ftp)
- Win/Total Commander (ftp)
- RAS (9x/Me/2k/xp supported)
- System info: OS, memory, CPU, hard drives, logged user, host name, IP
- Key-log
- Remote console
- Firewall bypass
- Sends e-mail using SMTP server
- E-mail messages are encrypted (if an attacker steals your e-mail account, he will not be able to see the received passwords)
- Deletes itself (optional)
- HTML/Text reports
- Size of executable about 10Kb (don't tell me that it's impossible :P)
- Module system; some modules can be excluded to reduce the output size
- More features on your request

-------------------------------------------------------------------------------

Directory list:
1. Sources\HTTP - sources of the cgi-gate which lets you build an exe file from the web (w32 + Apache required). HTML page sources are in Russian, and it was configured to run on my machine (paths, etc.), so you have to modify the sources manually.
2. Sources\ParserOnly - sources of the pinch parser (decryptor) without the configurator.
3. Pinch - main asm sources + masm32 compiler
4. Sources\PinchBuilder - sources of the pinch parser + configurator.
5. Sources\TB! - parsing plugin for The Bat! 2 (mailer) (it decrypts messages on the fly, while receiving).
6. Sources\Script - a script which is used on the HTTP server, required for bypassing firewalls.

-------------------------------------------------------------------------------

Run PinchBuilder.exe to compile a new version of the trojan; always check the SMTP server before compilation.
Run Parser.exe to decrypt incoming messages.

-------------------------------------------------------------------------------

Q: Why is it so small?
A: Pinch doesn't actually decrypt passwords; it just retrieves hashes, which are then decrypted using Pinch Parser (Parser.exe).

-------------------------------------------------------------------------------

Q: Bypassing firewalls (zonealarm, outpost, etc.)?
A: There's a possibility to bypass firewalls using a hidden IE window. In this case Pinch will require an additional HTTP server to send passwords to. You have to build Pinch with the 'HTTP protocol' option enabled; take a look at the view.php file from the 'script' folder for a script example.

Coban2k

Server:
dropped file: c:\WINDOWS\PINCH.EXE
size: 8.944 bytes
startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "putil"

MegaSecurity
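As an added defensive check that is not part of the original README or its analysis note, the Python below matches the dropped-file path, size (8.944 bytes, read as 8944) and Run-key value name quoted in the note above against a registry export and a file inventory; the sample export, the file-size map and the function names are constructed assumptions.

```python
import re

# Indicators quoted in the analysis note above; everything else here is constructed.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "putil"
DROPPED_PATH = r"c:\windows\pinch.exe"
DROPPED_SIZE = 8944  # "8.944 bytes" in the note


def parse_reg_export(text):
    """Parse a minimal .reg export ([key] sections, "name"="value" lines)
    into {key_lowercase: {value_name_lowercase: value_string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys


def find_pinch_indicators(reg_text, file_sizes):
    """Return a list of findings. file_sizes maps lowercase path -> size in
    bytes (a constructed stand-in for a file-system inventory)."""
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, command in run_values.items():
        # .reg escapes each backslash as "\\"; normalise before comparing.
        target = command.replace("\\\\", "\\").lower()
        if name == RUN_VALUE_NAME:
            findings.append(f"run value name {name!r} matches")
        if DROPPED_PATH in target:
            findings.append(f"run value {name!r} launches {target}")
    size = file_sizes.get(DROPPED_PATH)
    if size is not None:
        note = "size matches" if size == DROPPED_SIZE else f"size {size} differs"
        findings.append(f"file {DROPPED_PATH} present ({note})")
    return findings


# Constructed sample input, not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"putil"="C:\\WINDOWS\\PINCH.EXE"
'''
SAMPLE_FILES = {r"c:\windows\pinch.exe": 8944, r"c:\windows\system32\ctfmon.exe": 15360}
```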