by SpaWn
Version 1.0.5
Added NO DIAL-UP ASKING by the trojan server for an Internet connection if one is not available;
Added Browser Redirection if it is not IE;
Modifications to Evil2;
Updated Readme.txt and ReadmeIt.txt.
*******************************************************
GODWILL for GodMessage IV
*******************************************************
Affected System:
- Microsoft Windows 9x/ME/NT4/2000
- Internet Explorer 5.5 (for WEB version)
- Outlook/Outlook Express (for EMAIL version)
Language (actually supported): English/Italian/German/Spanish
INTRODUCTION:
Assuming the conditions are satisfied,
GodMessage IV can inject files into a target computer
when the computer's owner simply views a web HTML page or an email (including in preview mode).
HOW IT WORKS:
A GODMESSAGE page is an HTML page that relies on an ACTIVEX bug found in IE5.5/OUTLOOK/OUTLOOK EXPRESS.
Thanks to this bug, when someone views our "godmessaged" page he downloads an HTA file into his STARTUP FOLDER.
!Here there is a GREAT trick: on Win9x/ME systems this file is totally hidden even though it is placed in the startup folder!
Behind the HTA file there is a trojan (but it could be anything) in ASCII format.
At the target machine's reboot the ASCII-format trojan will be compiled into a fully working EXE file and executed.
At the next machine reboot the HTA file in the startup folder will be deleted thanks to WININIT.INI (previously created by the HTA file itself).
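For defenders, the two artifacts described above (an HTA file in the Startup folder and a WININIT.INI entry that deletes it at the following reboot) can be checked for in a file listing taken from a disk image. This is an added example, not part of the original readme or of the tool; the Startup paths, rule names and sample data are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed English Win9x Startup folder, long and 8.3 form (WININIT.INI is
# processed before long-file-name support loads, so it holds short paths).
STARTUP_DIRS = (r"C:\WINDOWS\Start Menu\Programs\StartUp",
                r"C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP")

# Constructed sample evidence, not taken from a real host.
SAMPLE_LISTING = [r"C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk",
                  r"C:\WINDOWS\Start Menu\Programs\StartUp\example.hta"]
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\EXAMPLE.HTA
C:\WINDOWS\SYSTEM\DEMO.DLL=C:\WINDOWS\TEMP\DEMO.TMP
"""

def in_startup(path, startup_dirs=STARTUP_DIRS):
    """True if the file's parent directory is one of the Startup folders."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent in {d.lower() for d in startup_dirs}

def is_hta(path):
    return PureWindowsPath(path).suffix.lower() == ".hta"

def parse_rename_section(text):
    """Return (destination, source) pairs from WININIT.INI's [rename] section."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "rename" and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def findings(listing, wininit_text, startup_dirs=STARTUP_DIRS):
    """Flag HTA files in Startup and queued deletions (NUL=...) of Startup files."""
    out = [("hta-in-startup", p) for p in listing
           if in_startup(p, startup_dirs) and is_hta(p)]
    out += [("wininit-deletes-startup-file", src)
            for dest, src in parse_rename_section(wininit_text)
            if dest.upper() == "NUL" and in_startup(src, startup_dirs)]
    return out

if __name__ == "__main__":
    for rule, path in findings(SAMPLE_LISTING, SAMPLE_WININIT):
        print(rule, path)
```

Because the readme says the HTA file is hidden on Win9x/ME, build the listing from a raw directory enumeration of the image rather than from the shell's view of the Startup folder, and add the localized Startup paths for non-English systems.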
LIMITATION:
Trojan server injected in GODMESSAGE pages can't be larger than 34kb (html
page limit).
GODMESSAGE PAGES CREATION:
GODWILL gives you the power to:
- Transform an existing HTML page into a GODMESSAGE one;
- Personalize creation process (for example changing language) by a wizard;
- Add an ICQ NOTIFICATION to your trojan server (if it hasn't);
- Add an ICQ NOTIFICATION to your infected page (hidden by MouseMovements..);
- Add an AUTOSTART FEATURE (by registry key) to your trojan server
(if it hasn't);
- Add NO-DIAL-UP-ASKING feature to trojan server;
- Create all files needed by GODMESSAGE EMAIL VERSION (there are many
differences from WEB version);
- Crypt GODMESSAGE pages to avoid AntiVirus detection (but the page size
will double!!!);
- Create Evil2 pages (hidden FTP working and LAN sharing);
- Compress or expand, by UPX, the trojan server before injecting it into the
GODMESSAGE page (really a UPX GUI!).
***** GODWILL TOOLS DESCRIPTION
- HTML Generator
Generates infected pages.
Requirements:
an Input starting page;
an EXE trojan server (it will be coded in ASCII format);
a name for Output infected page
(DON'T USE SAME NAME for Input and OUTPUT).
Options:
HTA file name;
ADD other unsupported languages (inserting correct STARTUP path);
AUTOSTART FEATURE (made adding a registry key to victim registry);
UNKNOWN AUTOSTART FEATURE (like SubSeven);
CRYPT infected page and double its size;
ICQ NOTIFICATION on server (it works only if the victim opens Internet Explorer
when connected);
ICQ NOTIFICATION on your infected page;
NO HTA end process WINDOW CLOSING (but MSHTA will be visible in
TaskMonitor);
TIMEOUT settings (leave the default timeout if you don't know what you are
doing!);
INCLUDE an external VBS in HTA (and add an AUTOSTART FEATURE);
ADD NO DIAL-UP ASKING by the trojan server for an Internet connection if
one is not available;
PAGE for Browser Redirection if it is not IE.
- GODMAIL generator:
Creates all files needed to exploit OUTLOOK/OUTLOOK EXPRESS with a Godmessage email:
-applet.html
-outlookjs.class
-godmail.html (or whatever name you chose)
-signiture.html (your electronic signature to attach to godmessage emails)
Requirements:
HTML already infected page;
FTP server to upload the needed files to;
HTML output page name.
ATTENTION:
when you create a godmessage mail remember to:
- create it in HTML format
- add your signature.html as the signature
- don't use an ftp server with banners (such as XOOM)
- don't modify any names except that of the HTML output page
Options:
TIMEOUT setting of the (nearly invisible) infected page linked from your email.
- EvilGOD
Creates several different kinds of GodMessage pages.
- Evil2 creates a page that waits for the Target's Internet Connection and then
runs FTP.exe (HIDDEN WAY!), uploading an EXE file (try small ones...max 50kb) and executing it.
Requirements:
an HTML page;
an FTP Server IP address (use ftp.xoom.com...it's better!);
USERNAME for FTP;
PASSWORD for FTP;
an EXE file to upload.
- EvilSHARE creates a page that SHARES all Target Files on a NETWORK LAN.
To gain control over it, you only need to enter this command line in
START MENU\RUN:
//computer name/C$
- UPX GUI
A personal GUI for this famous packer.
!TEST YOUR GODMESSAGED PAGES ONLY IF YOU HAVE UPLOADED THEM!
Files needed (for GODWILL to work):
- VB60.dll
- Richxt32.ocx
- Mscomctl.ocx
Version 1.0.5 - 12/16/2000
*******************************************************
Author: SpaWn - Uin: 83076543
Co-Author/Translator: TheBigBrother - Uin: 41063270
Co-Author: KidArcade - Uin: 30111278
http://godwill.cjb.net
[email protected]
Thanks to:
Georgi Guninski
The Pull
StoneFisk
6IT
Maverik
*******************************************************
NOTES:
- I'm waiting for an UPDATED SPANISH and GERMAN translation of this readme;
- I'm waiting for an UPDATED SPANISH and GERMAN translation of the GODWILL program;
SEND ME your work, if you want, to [email protected].
- I want to include the .CHM exploit by Georgi Guninski;
IF YOU HAVE ANY TIPS for this please SEND THEM TO ME!
Thanks,
SpaWn-The Big Brother-KidArcade
"GODsPATH Security Research"