DUT
(Trojan.PSW.DUT)

by G3H3NÆ

Compressed with ASPack

Released in May 1999



Dial-Up Trojan ===> coded by G3H3NÆ  '99 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IE5 version
-----------

I'm not responsible for what you do with this software, if your girl-friend gets fucked,
or if the world ends!! I repeat, I'M NOT RESPONSIBLE!!!

The main purpose of this is to steal the UNIs (User Network Identification),
you know, the password and username the victim uses to access the Internet.
The trojan is a bogus Dial-up window that imitates the IE5 one,
well, you'll not notice the difference!!!

I'm planning to do the IE4 and IE5beta ones but will see about that later!

So, you'll need to upload some files to the victim's computer.
For you to upload the files the program needs to run, the victim needs to be
infected with a backdoor like TheThing (by Blade), Subseven (by mobman),
BO, or Netbus,... with the upload and spawn capabilities!!


** PLEASE READ ALL THIS TEXT BEFORE TRYING THE TROJAN **

It consists of these files:
=-=-=-=-=-=-=-=-=-=-=-=-=-=

- Neededfiles (These are the files you have to upload to his c:\windows\system directory to run the trojan!)

- inf.ini [you have to upload this file to his c:\windows\system directory,
  if you don't do this the program will not work!!]

- DUT.exe (The trojan)


What the program does:
=-=-=-=-=-=-=-=-=-=-=-=

The best way to understand how it works is to try the trojan in your own box!

When you run the DUT.exe it will make a copy of itself to "c:\windows\system" and
stay resident in memory watching for a connection. If you're online and the number
of the Day = Minute then the connection will hang up and the bogus
dial-up window will appear! Here the victim (if you're trying it yourself, then it would be you)
would put his Username and Password, which will be saved. When he hits "Connect" it
would say "Could not detect modem.It may be in use, turned off, or not installed properly.",
just like the real thing! Then the victim will close the window thinking there's something
wrong with his dial-up connection and try again with the real one!
(Well, if he doesn't try that's no problem at all, maybe the next day he will!)
The next time the victim connects it will not hang up!!! It will send the e-mails to
you with the info: ISP, UserName and Password and delete all the traces of its existence.
If the victim hasn't filled in all the info no e-mail will be sent!
So that you'll not receive only a username with no password or whatever!
If he doesn't fill in the Username and Password box and tries to go online again it
will not hang up, only if he reboots and tries to connect again!
This way if the victim ignores the window it wouldn't hang up all the time!

If the victim was infected once by someone he can not be infected again. 
This is because the trojan generates a flag when the e-mails are sent, 
so even if infected again it will not send the e-mails to the other guy!

When the victim's box is sending you the e-mails with the info
(you'll receive 3 of them, one with the subject "UNI==> Password:" which has the password,
another with the subject "UNI==> UserName:" which has the UserName and another
with the subject "UNI==> ISP" which has his ISP)
without his notice (of course! :->), the ctrl-alt-del and alt-esc will not work
so the victim can't break the transfer!! :D (nice feature!!).
The trojan has some stealth modes too: it doesn't appear in the tasklist or in the
taskbar when it is in memory!
When the trojan has already sent the e-mails it will wipe all traces of its existence!
And the next time the victim reboots it will automatically wipe the main *.exe which is in
the "c:\windows\system" directory.

 
The file "inf.ini" is very important coz that's where the trojan will go to find the info
on where to send the info it collected: "mail to" and "ISP"! If you open this
file with notepad, the 1st line is the e-mail that the trojan will send the info to,
and the 2nd line is the victim's ISP. The ISP is important coz that's the ISP that will
appear in the bogus dial-up window! So you should know what the victim's ISP is.
So, before you upload this file to his "c:\windows\system" directory change the
e-mail to where you want it to send the e-mails (probably your e-mail) and his ISP.

* Note: you can't rename inf.ini and you must upload it to "c:\windows\system" !!!



I've released an antidote to the trojan (dutwiper.exe) !!
Well, what it does is tell you if you're infected or not and if you are it cleans it for you!!



Hope it is useful, well it is to me!!

G3H3NÆ


Server:
size: 24 KB

startup:
none
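
A triage check for the indicators the readme above names (the fixed inf.ini file name and its two-line layout, the DUT.exe name, and the three "UNI==>" mail subjects), added here as an example and not part of the original page or the readme. The function names are hypothetical, the sample subjects are constructed, and it assumes the self-copy keeps the name DUT.exe, which the readme does not state.

```python
import re
from pathlib import Path

# Subject prefixes the readme gives for the three outgoing messages.
DUT_SUBJECTS = ("UNI==> Password:", "UNI==> UserName:", "UNI==> ISP")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def inf_ini_matches(text):
    """True if text has the layout the readme describes:
    line 1 = destination e-mail address, line 2 = ISP name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) >= 2 and bool(EMAIL_RE.match(lines[0])) and "@" not in lines[1]


def scan_system_dir(system_dir):
    """Return sorted (name, reason) findings for a Windows system directory."""
    findings = []
    for entry in Path(system_dir).iterdir():
        name = entry.name.lower()  # Win9x file names are case-insensitive
        if not entry.is_file():
            continue
        if name == "inf.ini":
            # The readme says this file cannot be renamed, so the name is stable.
            text = entry.read_text(encoding="latin-1")
            if inf_ini_matches(text):
                findings.append((name, "config layout matches (e-mail, ISP)"))
        elif name == "dut.exe":
            # Assumption: the self-copy keeps the name DUT.exe (readme does not say).
            findings.append((name, "file name matches"))
    return sorted(findings)


def scan_mail_subjects(subjects):
    """Return subjects from an outbound mail log that carry a DUT prefix."""
    return [s for s in subjects if s.strip().startswith(DUT_SUBJECTS)]


if __name__ == "__main__":
    # Constructed sample subjects, not taken from a real log.
    log = ["Re: invoice", "UNI==> UserName:", "UNI==> ISP"]
    print(scan_mail_subjects(log))
```

Because the readme says the files are wiped once the e-mails have gone out, an empty result from the directory scan does not rule out an earlier compromise; the outbound mail subjects are the indicator that survives the cleanup.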
MegaSecurity