MSN Spy Lite 1.1
(Trojan-Spy.Win32.VB.hi)

by starlight2003

Written in Visual Basic

Released in May 2005


-----------------------
MSN Spy Lite v1.1
For MSN 6.x and 7.0
by starlight2003
22/05/05
-----------------------

Logs the following details and saves them to localhost:

- Email Address
- Nickname
- User status
- Unread Mails
- Service ID
- Received Files Dir
- Contact List
- Contact History

This program is intended for use with remote access only,
that's the main reason logs are only saved locally.


Changes:
- Fixed timestamps so they should display correctly now.
- Added a new stub with simple logging method.
- Using only one startup, was causing server to start two times and crashing.
- Cleaned up logging method in stub1 - clearer to view logs now.
- Fixed a bug in server builder that caused builder to only load one stub.


Server Builder:

- Install Name:   Filename to install in sysdir (leave out extension).
- Reg Value:      Reg value to create for startup.
- Log Folder:     Folder to create in <sysdir> to save logs.

                  Logs are saved in following two files, which means
                  you only need to download two files periodically
                  with your favourite trojan horse.

Stub1:            Logs all details in two separate files:
                  msnlog.log               [contains all conversation logs]
                  contacts.log             [contains all user contacts]

Stub2:            This stub logs only conversations in a simple format and
                  creates log files based on remote conversation email address:
                  [email protected] [contains user's conversation logs]

- Settings are encrypted.

- How to remove:
  Delete <regvalue> you specified in registry by searching for it.
  Delete <sysdir>\<install name> you specified.
  Delete <sysdir>\<log> folder you specified.

- Known bugs:
  On some MSN versions you get empty contact list and contact history,
  this sometimes happens if user closes IM Window without any message.

Tested on WinXP.

starlight2003


Server:
dropped files:
c:\WINDOWS\system32\%trojan name%.exe    Size: 16,451 bytes 
c:\WINDOWS\system32\sysdir\contacts.log
c:\WINDOWS\system32\sysdir\msnlog.log

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "123"
data: C:\WINDOWS\System32\abc.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MSMSGS"
data: "C:\Program Files\Messenger\msmsgs.exe" /background 



tested on Windows XP
June 05, 2005

MegaSecurity