Spybot 1.1
(Backdoor.Win32.IRCBOT.gen)

by Mich

Written in C, source included

Released in March 2003

more versions 


Spybot1.1 by Mich
Opensource irc bot
				
Features: 

- Keylogger 
Online and offline keylogger the offline keyloggers only works if its set on in the source (settings.h)  
It shows the key that are pressed and the window where the were pressed. Some problems with upper and lowercase sometimes.

- List processes  
Shows al running processes. 
You can kill a process.

- AV/Firewall killer
Kills a program if its name is in the killlist (settings.h)

- DCC Send
You can send a file to the bot with the normal dcc send option in mIRC (only tested it with mIRC6.03 get it from www.mirc.com)

- Get File
Download a file from the bot�s pc I have made a special mIRC script for this (will only work with that script)

- DCC Chat
Just normal dcc chat option in mIRC all commands will also work here, use this if you want do giff a command that has a lot of output most irc servers will disconnect the bot if it sends a lot of data.

- List files
List al files and dirs within your sears query example list c:\windows\*.exe will list al .exe files in the windows dir

- Hostmask match login
When you do the login [password] commands the bot checks if your hostmask matches a hostmask in the trusted hosts list (settings.h). if not you cant login 

- Raw Commands (on connect and onjoin)
Bot reads a list of raw commands when its connected or joins a channel
Example:
On join:
	MODE $CHAN +nts
	MODE $CHAN +k trojanforge
On Connect
	MODE $NICK +I

- Install server and make sure the startupkeys are not removed
Install the server to systemdir and set file attributes to read-only system and hidden, option to melt the server (delete original filename).
The server will check every 30 sec. If the startupkeys are still there if not it will write new ones 
Keys are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

- Computer info
Gives some pc info including ip address
 
- Topic commands
Option to gif the bot a command with the topic (when the bot joins the channel)

- Lists the passwords (only win 9x)
- Execute, delete, rename file And make dir
- Sendkeys 
- Open/close cd-rom
- Reboot pc
- Disconnect for x sec.
- Reconnect
- Quit 
- Raw commands
 




Commands list

Login password
raw [raw command]			(example: raw PRIVMSG #spybot1.1 :hello)
list [path+filter]	  		(example: list c:\*.*)
delete [filename]			(example: delete c:\windows\netstat.exe)
execute [filename]
rename [origenamfile] [newfile]		(example: rename c:\windows\netstat.exe c:\windows\netstatbackup.bak)
makedir [dirname]			(example: makedir c:\test\  )
startkeylogger 				(info: starts onlinekeylogger and output's to the channel\query\dcc chat)
stopkeylogger
sendkeys [keys]				(info: simulates keypresses, to simulate return hit ctrl+b (bold in mIRC) and for backspace ctrl+u (underlined in mIRC))
keyboardlights				(info: flashes his keyboard lights 50x)
info					(info: gives some info)
passwords				(info: lists the ras passwords in win 9x)
listprocesses				(info: lists all running proccesses)
killprocess [processname] 		(example: killprocess taskmgr.exe)   NOTE: if with listprocesses the entire path shows up you must use it with killprocess to)
reconnect
disconnect [sec.]			(info: disconnect the bot for x sec. if sec. is not given it disconnect the bot for 30mins.)
quit					(info: bot quits running)
reboot
cd-rom [0/1]				(info: opens\close cd-rom. cd-rom 1 = open cd-rom 0 = close)



DCC

DCC chat & DCC send works with any normal irc client in mIRC the command is: /dcc chat [nickname] and: dcc send [nickname]
for DCC get you must use the mirc script that is in the zipfile "spybot.mrc"
load it in mirc remotes /load -rs c:\unzipped\spybot1.1\spybot.mrc
and type /dccget [nickname] [filename] example: /dccget victum c:\windows\system\keylogs.dll
the file will be stored in the same dir as the script is 
MAKE SURE THE SAME FILENAME DOESNT EXISTS IN THAT DIR!! if its does exists the script will not warn you it just writes the new file at the end of the old 
the script is not telling you when the filetransfer is completed the bot does that
maybe some day i gonna make some userfriendly script for this :-)




Encryption

Support to encrypt the channel channelpass and loginpass So you can not just hexedit the server and see it in plain text
you must enable this option in spybot1.1.c
to encrypt the date use the mirc script type in mirc: 
/encrypt [encryptkey] [data]
example: /encrypt 81 #spybot
this will output: t��ӿ��
it will copy the encrypted data to your clipboard
make sure the key is the same as the decryptkey in settings.h



Mich


Server:
dropped file:
c:\WINDOWS\SYSTEM\winupdate32.exe 

size: 25.120 bytes 

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "Winsock driver" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Winsock
MegaSecurity