by SpaWn
******************************************************************************** GODWILL for GodMessage IV ******************************************************************************** !TEST YOUR GODMESSAGED PAGES ONLY IF YOU HAVE UPLOADED IT! Affected System: - Microsoft Windows 9x/ME/NT4/2000 - Internet Explorer 5.5 (for WEB version) - Outlook/Outlook Express (for EMAIL version) Language (actually supported): English/Italian/German INTRODUCTION: Assuming conditions are satisfied, GodMessage IV can inject files in a target computer simply viewing, by computer owner, a web html page or an email (also in preview mode). HOW IT WORKS: A GODMESSAGE page is an HTML page that works with an ACTIVEX bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our "godmessaged" page he downloads an HTA file in his STARTUP FOLDER. !Here there is a GREAT trick: in Win9x/ME systems this file is totally hidden even if it's deployed in startup folder! Behind HTA file there is a trojan (but everything could be) in ASCII format. At target machine reboot ASCII format trojan will be compiled in a full working EXE file and executed. At next machine reboot HTA file in startup folder will be deleted thanks to WININIT.INI (previusly created by HTA file itself). LIMITATION: Trojan server injected in GODMESSAGE pages can't be larger than 34kb. GODMESSAGE PAGES CREATION: GODWILL give you the power to: - Trasform an existing HTML page in a GODMESSAGE one; - Personalize creation process (for example changing language) by a wizard; - Add an ICQ NOTIFICATION to your trojan server (if it hasn't); - Add an ICQ NOTIFICATION to your infected page; - Add an AUTOSTART FEATURE (by registry key) to your trojan sever (if it hasn't); - Add an UNKNOW (like SubSeven) AUTOSTART FEATURE to your trojan server; - Create all files needed by GODMESSAGE EMAIL VERSION (there are many differences from WEB version); - Crypt GODMESSAGE pages to avoid AntiVirus detection (but page dimension will doublesize!!!); - Add personal VBS code to execute additional commands of your choise (only 1kb added); - Compress or expand, by UPX, trojan server before inject it on the GODMESSAGE page (really a UPX GUI!). ** GODWILL TOOLS DESCRIPTION ** - HTML Generator Generate infected pages. Requiments: an Input starting page; an EXE trojan server (it will be coded in ASCII format); a name for Output infected page (DON'T USE SAME NAME for Input and OUTPUT). Options: HTA file name; ADD other unsupported languages (inserting correct STARTUP path); AUTOSTART FEATURE (made adding a registry key to victim registry); UNKNOW AUTOSTART FEATURE (like SubSeven); CRYPT infected page and doublesize its dimension; ICQ NOTIFICATION on server (it works only if victim open Internet Explorer when connected); ICQ NOTIFICATION on your infected page; NO HTA end process WINDOW CLOSING (but MSHTA will be visible in TaskMonitor); TIMEOUT settings (leave default timeout if you don't know what are you doing!); INCLUDE VbsSpecial.vbs in HTA (and add a n AUTOSTART FEATURE). - GODMAIL generator: Creates all files needed to exploit OUTLOOK/OUTLOOK EXPRESS with a Godmessage email: -applet.html -outlookjs.class -godmail.html -or every name you decided -signiture.html (your electronic sign to attach to godmessage emails) Requiments: HTML already infected page; FTP server where upload needed files; HTML output page name. ATTENTION: when you create a godmessage mail remember to: - create it in HTML format - add your signature.hmtl as sign - don't use ftp server with banners (as XOOM) - don't modify names but HTML output page Options: TIMEOUT setting of infected page (and quite invisible) linked by your email. - UPX GUI A personal GUI for this famous packer. Versione 1.0.1 ******************************************************* Author: SpaWn - Uin: 83076543 Co-Author/Translator: TheBigBrother - Uin: 41063270 Debugger/Beta tester: KidArcade - Uin: 30111278 http://godwill.cjb.net [email protected] Thanks to: Georgi Guninski The Pull StoneFisk 6IT Maverik ********************************************************************************