System33r Socks5 1.2-beta
(Not detected by KAV on March 09, 2008)
(Constructor.Win32.SS.11.b for editor)

by System33r (k0nsl)

Released in October 2004



System33r Socks5 v1.2-beta by System33r ([email protected])

System33r Socks5 is a socks5 server with a 'trojan'-like behaviour (extremely stable)

Main Features:
- SubSeven CGI Notification
- Installation Routine (copies itself to sysdir/drivers/filename.exe, and adds registry entries)
- If Registry entries are deleted the server adds them again
- deleteself (melt)
- identd
- custom registry key (e.g. Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run)
- small size: 4 kB (7 kB unpacked)
- included my slightly modified Sub7 CGI Logger
- editor remembers your settings
- it's horribly stable

Added in v1.2:
- option to send LAN notifications, or not send such notifications to the CGI, as requested by some people
- installs itself into the SystemDirectory to the folder 'drivers'
- added a DLL 'payload' which is extracted to the SystemDirectory and runs the socks5 server if not already running
- DLL 'payload' adds itself for autostart as an Explorer Addon (ntldr32.dll)

System33r


Server:
dropped files:
c:\WINDOWS\system32\ntldr32.dll        size: 2,560 bytes
c:\WINDOWS\system32\drivers\test.exe   size: 5,361 bytes

port: 113 TCP

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Script Host"
data: C:\WINDOWS\System32\drivers\test.exe

tested on Windows XP
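Added example (not part of the MegaSecurity entry or the author's package): a PowerShell check for the indicators listed above. The file paths, the "Windows Script Host" Run value, the Policies\Explorer\Run key and port 113 come from this page; the function name, the "executable under drivers\" heuristic and the use of Get-NetTCPConnection (Windows 8 or later) are this example's own assumptions.

```powershell
# Added example, not code from the page. Checks a host for the System33r Socks5
# indicators documented above; function name and heuristics are assumptions.
function Test-System33rSocks5 {
    $sys = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32
    $findings = @()

    # 1. Dropped files named in the entry.
    foreach ($f in @("$sys\ntldr32.dll", "$sys\drivers\test.exe")) {
        if (Test-Path $f) { $findings += "dropped file present: $f" }
    }

    # 2. Autostart. The entry documents HKLM\...\Run "Windows Script Host", but the
    #    editor lets the author pick another key (Policies\Explorer\Run is its example),
    #    so check both under HKLM and HKCU. Heuristic: any Run value whose target is
    #    an .exe under system32\drivers is suspect; that folder normally holds .sys files.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a value
            $val = [string]$p.Value
            if ($p.Name -eq 'Windows Script Host' -or $val -match '\\drivers\\[^\\]+\.exe') {
                $findings += "suspicious autostart: $k [$($p.Name)] = $val"
            }
        }
    }

    # 3. The server listens on 113/TCP (identd); a workstation rarely runs identd.
    $conns = Get-NetTCPConnection -LocalPort 113 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "listener on 113/TCP: pid $($c.OwningProcess) ($($proc.ProcessName))"
    }

    return $findings   # empty when none of the indicators are present
}

Test-System33rSocks5
```

Because the feature list says the server re-adds its registry entries when they are deleted, end the owning process before removing the Run value and the dropped files.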

MegaSecurity