by Ventaja
Written in Visual Basic
Released in January 2002
Slim Horse is a R.A.T. (remote administration tool) that mainly works over the ICMP protocol. This version has no interface, but it has a lot of strong options. The DCC GET/SEND works over the TCP protocol. All function parameters are delimited with "*": a command must start with "*" and contain at least two "*".

Files :
1) Client.exe (141KB) : used to administrate an infected remote host.
2) Server.exe (145KB) : the name says it all.
3) ServerSetup.exe (19KB) : configures the automatic notification and binds a file to the server.

Function PING
Description : used to know if a host is infected and still alive.
Parameters : *PING*
Response : *PONG

Function INFO
Description : returns info about the OS version, Windows directories, computer name, processor and more.
Parameters : *INFO*
Response : OS: Windows 9x/Me ......

Function PASS
Description : used to identify yourself to the host.
Parameters : *PASS*Password
Response : "Password accepted, you are inside" or none

Function NEWPASS
Description : used to set the password.
Parameters : *NEWPASS*Password
Response : none

Function OPENCD
Description : ejects the CD.
Parameters : *OPENCD*
Response : None

Function CLOSECD
Description : closes the CD.
Parameters : *CLOSECD*
Response : None

Function URL
Description : opens the specified URL. ALWAYS USE HTTP://
Parameters : *URL*http://www.mysite.com
Response : None

Function SHELL
Description : executes the specified file with its associated program.
Parameters : *SHELL*c:\music\aerosmith - mama kin.mp3
Response : None

Function RUN
Description : executes the specified executable.
Parameters : *RUN*c:\windows\notepad.exe
Response : None

Function SHOWPIC
Description : shows the specified image file topmost.
Parameters : *SHOWPIC*c:\images\martina hings4.jpg
Response : None

Function HIDEPIC
Description : hides the previously shown image.
Parameters : *HIDEPIC*
Response : None

Function SHUTDOWN
Description : shuts down the computer.
Parameters : *SHUTDOWN*
Response : None

Function REBOOT
Description : reboots the computer.
Parameters : *REBOOT*
Response : None

Function LOGOFF
Description : logs off from the current Windows session.
Parameters : *LOGOFF*
Response : None

Function EMENU
Description : enumerates the main menus of a window.
Parameters : *EMENU*HWND*
Response :
Menus of 220
224 &File
228 &Tools
232 &DCC
304 [ &Menu Legman's Script ]
236 &Window
244 &Help
0
__________________________________________________

Function ESUB
Description : enumerates the submenus of a menu.
Parameters : *ESUB*hMenu*
Response : SubMenus of &Send... Alt+S 0 &Send... Alt+S 0 &Chat... Alt+C 0 0 &Options... 0
__________________________________________________

Function SMENU
Description : sets the text of a submenu.
Parameters : *SMENU*MENU*ITEM*TEXT*
Response : none

Function EWIN
Description : enumerates the windows of the remote host; works like Task Manager unless you specify a second parameter.
Parameters : *EWIN*
Response :
"Windows Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Windows Enumeration Finished"

Function ECHILD
Description : enumerates the child windows of the specified parent window.
Parameters : *ECHILD*PARENT (0 for desktop)*
Response :
"Child Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Child Enumeration Finished"

Function ACTIVE
Description : activates the specified window by hwnd.
Parameters : *ACTIVE*Hwnd*
Response : none

Function HIDE
Description : makes the specified window (by hwnd) invisible.
Parameters : *HIDE*Hwnd*

Function SHOW
Description : makes the specified window (by hwnd) visible.
Parameters : *SHOW*Hwnd*

Function CLOSE
Description : closes the specified window by hwnd.
Parameters : *CLOSE*Hwnd
Response : none

Function STATE
Description : returns Left, Top, Height, Width and show state of the window handle.
Parameters : *STATE*Hwnd*
Response :
Window State Start
408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away
Left -4 Top -4 Width 808 Height 580
Visible=True
Maximized
Window State Start
408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away

Function WINDOW
Description : returns info about the window of a handle. Use Index for Listbox, Combobox and other special control items.
Parameters : *WINDOW*Hwnd*Index
Response : Hwnd Class Text

Function PARENT
Description : returns info about the parent window of a handle.
Parameters : *PARENT*Hwnd
Response : Hwnd Class Text

Function SETTEXT
Description : changes the text of a caption or control.
Parameters : *SETTEXT*HWND*TEXT

Function ADDITEM
Description : adds an item to a Listbox or a Combobox.
Parameters : *ADDITEM*Hwnd*Text
Response : none

Function DELITEM
Description : deletes an item from a Listbox or a Combobox.
Parameters : *DELITEM*Hwnd*Item_Number
Response : none

Function SCROLL
Description : makes a scrollbar scroll by the percent specified.
Parameters : *SCROLL*HWND*PERCENT

Function ECLASS
Description : finds the specified class in all the child windows of a Hwnd; 0 for Desktop.
Parameters : *ECLASS*CLASSNAME*START_HWND
Response : all classes that match.

Function FCLASS
Description : finds the specified class in all the top-level windows.
Parameters : *FCLASS*CLASSNAME
Response : all classes that match.

Function CLICK
Description : clicks the specified button.
Parameters : *CLICK*HWND
Response : none

Function DESKTOP
Description : shows the desktop.
Parameters : *DESKTOP*
Response : none

Function EPROC
Description : returns all the processes running on the server side, with the filename that opened each one and its main window if it is visible.
Parameters : *EPROC*
Response : the process list described above.

Function CPROC
Description : terminates the specified process.
Parameters : *CPROC*ProcessID*
Response : terminated/failed.

Function ETHR
Description : shows all the threads of a process.
Parameters : *ETHR*ProcessID*
Response : the threads.

Function REG
Description : registers a process as a service (it no longer shows when Ctrl+Alt+Del is pressed).
Parameters : *REG*ProcessID*
Response : done

Function UNREG
Description : unregisters a process as a service (it shows again when Ctrl+Alt+Del is pressed).
Parameters : *UNREG*ProcessID*
Response : done

Function DRIVES
Description : enumerates all the logical drives of the remote host.
Parameters : *DRIVES*
Response : Avaible Drives : A C D E F G

Function DRIVEINFO
Description : returns disk type, label and free space.
Parameters : *DRIVEINFO*E:\
Response : CD-Rom

Function DIR
Description : returns the directory's files and subdirectories.
Parameters : *DIR**.EXE (yeah, a little weird) or *DIR*
Response : FILE ... Total files, Total size, Total dirs

Function CD
Description : changes the current directory.
Parameters : *CD* ..* or *CD*NEWDIR* or *CD* \*
Response : current path.

Function DRIVE
Description : changes the current drive.
Parameters : *DRIVE*C* or *DRIVE*A*
Response : current path.

Function LP
Description : returns the current path.
Parameters : *LP*
Response : C:\DEAD\TIME\

Function SP
Description : sets the current path.
Parameters : *SP*C:\ROCK\TIME
Response : none

Function PATH
Description : returns the path of the server.
Parameters : *PATH*
Response : C:\im\stupid\server.exe

Function TYPE
Description : returns the text of a file.
Parameters : *TYPE*C:\passwords.txt
Response : "File Start" file contents "File End"

Function GET
Description : used to download a file.
Parameters : *GET*PATH & FILENAME or *GET*FILENAME (CURRENT PATH IS USED)
Response : the file. Resume is supported: if the transfer closes early you can issue GET again and it will ask whether you want to resume, overwrite or rename. FEATURE IS ONLY USED ON CLIENT SIDE.

Function PUT
Description : used to upload a file.
Parameters : *PUT*PATH & FILENAME*REMOTE_PATH or *PUT*PATH & FILENAME (CURRENT PATH IS USED)
Response : the file.

Function SETPOS
Description : moves the mouse to the position that you want.
Parameters : *SETPOS*X*Y
Response : none.

Function SENDKEYS
Description : sends the keys that you want to the active window.
Parameters : *SENDKEYS*HWND*TEXT
Response : none

Function DUMP
Description : returns a screenshot as a GET file.
Parameters : *DUMP*0-2*0-2* The first parameter is the size: 0=100%, 1=75%, 2=50%. The second parameter is the color: 0=16 colors, 1=greyscale of 256 colors, 3=True color.
Response : dump.bmp

Function IGMP
Description : sends IGMP packets.
Parameters : *IGMP*IP*TIMES*SIZE*
Response : packets sent.

Function BOMB
Description : sends ICMP ping packets.
Parameters : *BOMB*IP*TIMES*SIZE*
Response : packets sent.

Function TYPE13
Description : sends ICMP timestamp packets.
Parameters : *TYPE13*IP*TIMES*SIZE*
Response : packets sent.

Ventaja Server:
size: 149.504 bytes
dropped files:
c:\WINDOWS\speed.exe
c:\WINDOWS\temp.exe
c:\WINDOWS\RUNDLL32.EXE
startup: none
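The command framing described above ("*" delimited, must start with "*" and contain at least two "*", carried in ICMP) is exactly what a network defender would want to recognise in echo-request data. The following is an added example, not code from the original tool or its author: a decoder that carves the data field out of a raw IPv4/ICMP echo packet, parses the "*CMD*arg*..." framing, and flags payloads whose command name matches the function list on this page. The command names come from the page; the high/low risk grouping, the `build_sample_packet` helper and all sample payloads are this example's own constructions.

```python
"""Detection-side decoder for the '*CMD*arg*...' framing documented above.
Added example (not part of the original tool). Sample packets and payloads
below are constructed for the demo; checksums are left at zero."""

# Command names taken from the function list on the page.
KNOWN_COMMANDS = {
    "PING", "INFO", "PASS", "NEWPASS", "OPENCD", "CLOSECD", "URL", "SHELL", "RUN",
    "SHOWPIC", "HIDEPIC", "SHUTDOWN", "REBOOT", "LOGOFF", "EMENU", "ESUB", "SMENU",
    "EWIN", "ECHILD", "ACTIVE", "HIDE", "SHOW", "CLOSE", "STATE", "WINDOW", "PARENT",
    "SETTEXT", "ADDITEM", "DELITEM", "SCROLL", "ECLASS", "FCLASS", "CLICK", "DESKTOP",
    "EPROC", "CPROC", "ETHR", "REG", "UNREG", "DRIVES", "DRIVEINFO", "DIR", "CD",
    "DRIVE", "LP", "SP", "PATH", "TYPE", "GET", "PUT", "SETPOS", "SENDKEYS", "DUMP",
    "IGMP", "BOMB", "TYPE13",
}

# Risk grouping is this example's own judgement (credential, execution, file
# transfer, screen/keystroke and flooding commands), not something the page states.
HIGH_RISK = {"PASS", "NEWPASS", "RUN", "SHELL", "GET", "PUT", "TYPE", "DUMP",
             "SENDKEYS", "IGMP", "BOMB", "TYPE13", "CPROC", "REG"}


def icmp_echo_payload(packet: bytes):
    """Return the data field of an IPv4 ICMP echo request/reply, or None.

    Reads the IHL to skip options, checks protocol 1 (ICMP) and ICMP type
    0 or 8, then returns everything after the 8-byte ICMP header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:
        return None
    if packet[ihl] not in (0, 8):
        return None
    return packet[ihl + 8:]


def parse_command(payload: str):
    """Return (COMMAND, [params]) if payload follows the framing, else None.

    Rule from the description: starts with '*' and has at least two '*'.
    The token between the first two '*' is the command; the remainder is
    split on '*' into parameters, with a trailing '*' acting as terminator.
    Note that '*DIR**.EXE' therefore yields params ['', '.EXE'].
    """
    if not payload.startswith("*") or payload.count("*") < 2:
        return None
    cmd, _, rest = payload[1:].partition("*")
    if not cmd:
        return None
    params = rest.split("*") if rest else []
    if params and params[-1] == "":
        params.pop()
    return cmd.upper(), params


def classify_payloads(payloads):
    """Scan decoded payload strings; return (payload, cmd, params, risk) for
    each one that parses as a command named on the page."""
    hits = []
    for p in payloads:
        parsed = parse_command(p)
        if parsed is None:
            continue
        cmd, params = parsed
        if cmd in KNOWN_COMMANDS:
            hits.append((p, cmd, params, "high" if cmd in HIGH_RISK else "low"))
    return hits


def build_sample_packet(data: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo-request frame wrapping `data` (demo only)."""
    total = 20 + 8 + len(data)
    ip = (bytes([0x45, 0]) + total.to_bytes(2, "big") + b"\x00\x00\x40\x00"
          + bytes([64, 1]) + b"\x00\x00" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    icmp = bytes([8, 0]) + b"\x00\x00" + b"\x00\x01\x00\x01"
    return ip + icmp + data


# Constructed sample payloads: two framed commands, ordinary ping padding,
# a string with a single '*', the server's own '*PONG' reply, and a RUN command.
SAMPLE_PAYLOADS = [
    "*PING*",
    "*PASS*s3cret",
    "abcdefghijklmnop",
    "*NOPE",
    "*RUN*c:\\windows\\notepad.exe",
    "*PONG",
]

if __name__ == "__main__":
    pkt = build_sample_packet(b"*PASS*s3cret")
    print("carved:", icmp_echo_payload(pkt))
    for hit in classify_payloads(SAMPLE_PAYLOADS):
        print(hit)
```

Feeding real captures means carving the echo data with `icmp_echo_payload` and decoding it as text before `classify_payloads`; padding in legitimate pings almost never starts with "*", so the framing check alone already filters most noise, and the known-command match removes the rest. Note that the server's replies (such as "*PONG") carry only one "*" and so are not treated as commands.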