Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Hacking Techniques :: trojan~1.txt

Information on detecting various trojans

* Socket de Troie 
->Poeple infected by this, are somewhat fucked up because it also
carries Script.ini (Worm) The Trojan is actually a virus also, it
infects all EXE's on the Harddrive making it nearly impossible to remove
w/o using an AV software.

*Netbus 1.6 + 1.7

->Netbus 1.6's Password is breakable, the script will change the Pass to
Letmein, so you can connect and remove the trojan from the victim.
Netbus 1.7's is NOT breakable so you'll have to let the Victim remove it
himself.(See Removing instructions)
BTW the port in NB 1.7 isn't always the same and can be changed

* Rare version of Netbus 2 pro 

->Netbus 2 pro is not as easy to setup as 1.6 or 1.7 was, so someone
made an Installation Programm setting it up autostarting AND running
invisible. Runs on specific Port.

1.4 Removing Instructions AND Hints

* Master of Paradise (recognized by AVP) Not the modified

->Does not restart automaticaly.

*Original Server Puts a neat Icon In the Tray , while the modified version puts
an NULL icon in the Tray, which means it looks like a space between original 
icons and The Time Day, Trojan also spoofs Date and Time options, so it doesn't
look suspicious.

*Original Server Exe is exactly 327.680 bytes.
*Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank Like Boserve.exe)

* Back Orifice (recognized by AVP)

->The Father of all GUI Trojans usually the key is:

-> Standard Value .exe *There is a space before the .exe
2)When used With SilkRope the key is something like
-> 412124.TMP Value=412124.TMP *Wierd numbers with the ending TMP.
* Original Boserve.exe is exactly 124.928 Bytes
With BT Plugin it is something around 193.149 Bytes
Crypted Verion called Infector is 184.832 Bytes
Size may vary due to lot of plugins

* Deep Thoat 2 (recognized by AVP)

Sytemtray Value c:\windows\systray.exe *Can be renamed.
-> Not as easy to remove because it checks if Key in registry exists, if not it adds
it again, so simply removing the Key won't work. --> 3 possibilities

1)Restart or quit and enter DOS and simply delete the File c:\windows\systray.exe
(The original systemtray.exe is in C:\windows\system\systray.exe)

2)Use programms able to KILL programs in memory like CCTASK (Url Below)
And then simply delete the systray.exe in c:\windows

3)Goto and download the DT2 Remover

* Netbus Pro 2 + Beta + Netrex (recognized by AVP exept Netrex)

->This former Trojan is an attempt of the author to make Netbus Pro 2 a shareware Remote 
Control Program. Neitherway there are versions out which run invisible to the User
The standard key is as always. There are 2 Versions out (that I know) 
1) Original NetbusPro 2 + Beta
NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.

To identify if it's surely NetbusPro which is running 
->HKEY_CURRENT_USER\NetBus Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3* 
*These are all standart keys and may vary

->HKEY_CURRENT_USER\NetBus Server\Protection
->Password Value = A *

*Password is Crypted and A stands for NO password

Nbsvr.exe has exactly 612.966 Bytes

2) The Version called Netrex
->Someone Disassembled the file and recompiled it

To identify if it's surely NetRex which is running 

->HKEY_CURRENT_USER\NetRex Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*

*These are all standart keys and may vary

->HKEY_CURRENT_USER\NetRex Server\Protection
->Password Value = A *

*Password is Crypted and A stands for NO password

Nrsvr.exe has exactly 326.144 Bytes 

*HINT* NetbusPro AND Netrex write both log's of ALL connections in a file called
Log.txt in the same directory as the server is installed usually C:\windows 
But as always there may be versions which DO NOT write the log.

* Wincrash (old version)

->Seams not to restart, thus should be rare

*Original Server Exe size is exactly 182.227 Bytes
*Suplement to the server exe but not needed are:
Win32cfg.exe exactly 4.128 Bytes
cfg95.exe has exactly 79.242 Bytes

* Millenium (recognized by AVP)

->That's a little bastard.
When installing a little message box pops up saying <The System is being updated>.
It copies itself in the c:\windows\system directory with the name reg666.exe
AND to C:\WINDOWS\SYSTEM\regersys.ocx.
The keys Are:
Millenium Value=reg666.exe
*AND in win.ini adds run=C:\windows\system\reg666.exe

Removing is a little bit difficult because this trojan has some neat self-check
routine, if you remove the Key in the registry it adds it again, if you remove 
the win.ini key it adds the key again, this tricky thing has also a backup
in regersys.ocx which it renames again to reg666.exe.
You see it's quite difficult if you don't know dos. -> 2 possibilities

1)Restart or quit and enter DOS and simply delete the File c:\windows\reg666.exe
AND regersys.ocx (The names are always the same)
2)Use programms able to KILL programs in memory like CCTASK (Url Below)
And then simply delete thereg666.exe from c:\windows\system don't forget to
to delete the c:\windows\system\regersys.ocx

* The exact size of reg666.exe is 48.128 Bytes ->No spelling mistake

*Gate Crasher

->This one is different from 2 point of view's 
1)Needs 2 files one named port.dat (always) accompaigned with an EXE OR an DOC
YES this ones can infect using a Word Macro.
The Word Macro Contains the Words >>This file once opened checks to see.
if you have the latest version of winsck.ocx and you have so no updates 
are available<< ->Nice Spelling

2)It doesn't open the ports immediatly it monitors the DUN (Dial Up Network)
If it's active it opens it's ports. So it isn't detecable up-on start
Actually it's fake Port watcher.

Explorer Value=EXPLORE.exe

*Original Explore.exe size is exactly 94.208 Bytes which actually is Port.dat
Port.dat size is exactly 94.208 Bytes
Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)
Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)
->Shows the name FullBrock (author's name ?)

*Socket de Troie (recognized by AVP) 

-> In One Word "USE AVP"

*Net Monitor (old version) 

->Rare Chinese Trojan (The readme is a must see :)
Trojan doesn't restart. Only runs once

Spy Server exe has exaclty 30.720 Bytes 

* Devil 1.x

->French Trojan
Trojan doesn't restart. Only runs if program is excecuted

Comes with a lot of fake apps but none of them runs the original

Icqflood.exe has exaclty 24.576 Bytes
Opscript.exe has exactly 61.952 Bytes
Socket.exe has exactly 355.840 Bytes
winamp34.exe has exactly 690.688 Bytes
Wingenocide.exe has exactly 67.584 Bytes
Winrar.exe has exactly 687.616 Bytes

* GirlFriend (recognized by AVP)

->Russian Trojan
Windll Value c:\windows\windll.exe *Could be renamed.

1)Restart or quit and enter DOS and simply delete the File c:\windows\windll.exe

2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the windll.exe in c:\windows

*Hint* This Trojan is specialist in stealing Passes. Victim should
rename ALL passwords.

windll.exe has exactly 309.248 Bytes
windll.exe has exactly 189.196 Bytes (there are 2)

* Netbus 1.6 + 1.7 (recognized by AVP)

->The Trojan for the Kiddies
Patch Value c:\windows\patch.exe *Could be renamed.

1)Restart or quit and enter DOS and simply delete the File c:\windows\patch.exe

2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the patch.exe in c:\windows

*Hint*Netbus 1.7 saves the IP of attacker in c:\windows\access.txt !
but only if he has restricted access to server with this IP.
->Name of the trojan.INI -> if trojan name is patch.exe, patch.ini
Consists of the following : [Settings]
Port1=12345 *Obvious
ServerPwd=asl *Uncrypted 
LogTraffic=1 *Attacker e-mail *yours
MailHost= *Smpt-Server

*Note the Mailto and the MailFrom could be interchanged (Bug or Feature to hide real 
E-mail adress because I entered just the opposite)

The Patch.exe of netbus 1.6 has exactly 472.576 Bytes
The Patch.exe of netbus 1.7 has exactly 314.636 Bytes
The Whakamol.exe Fake game has exactly 314.636 Bytes

* Rare Version of NBP2 

-> see netbus Pro 2

* Attack Ftp

->French Trojan (and therefore needs a few french Dll's)
What it Does ?
- Copies Wsgt32.dl_ in the System directory and renames the file in Drwatsom.exe
- Copies Wsgt32.dl_ in the Windows directory and renames the file in Wver.dll
- Copies Install.exe in the System directory and renames the file in Wscan.exe 
- Writes a key in Win.ini to launch Drwatsom.exe up-on next reboot.
- Writes to registry to launch Wscan.exe at next reboot
- Searches CD-rom drives
- Creates Serv-u.ini in the System directory 
- Scans HD for TREE.DAT (password of Cute-FTP)
- Copies result to c:\windows\Result.dll
- Launches Drwatsom.exe
- Fakes a Error-Message

Quoted from the authors Readme :

- Kill Drwatsom (Ctrl-Alt-Del)
- Execute the command : "Wscan.exe Louis_Cypher"
- Delete the Key
"HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run" Value wscan.exe
- Delete Wscan.exe from c:\windows\system

Size of the setup.exe is exactly 230.912 Bytes

* Streaming Audio Trojan

-> Sets Up a streaming Audio Server
Needs a lot of dll's and needs a registration before functionating achieved by
a Reg file which Registrates the serials. I think it's impossible 
to setup it up with no physical access to the victim computer. (therefore rare) 
* Hackcity Ripper Trojan

-> Only Ripps Passwords
Removes itself on next reboot.

*Hint* The Victim should change his Dial-Up Password immediatly.

* FTP 

-> Detects Ftp 
Nothing anormal if a person has a ftp, but some trojans are able to open an Ftp.
If you don't want the script to scan this Deactivate it.

*Note* If You selected >>Enable ALL<< ARE 


-> Detects poeple trying to spoof. In fact there is nothing wrong if they want to 
be anonym.
Scan is very inaccurate. Therefore deactivated on Default , but can be enabled.

*Telecommando (recognized by AVP)

-> Basic Trojan
Key is:
Systemapp Value ODBC.exe

1)Restart or quit and enter DOS and simply delete the File c:\windows\system\odbc.exe

2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the odbc.exe in c:\windows\system

*Icq Trojen (recognized by AVP)

-> Dos Based Trojan (not very usefull)
Quoted from the readme 
>>Icqtrogen.exe is made to be placed in your icq folder and move the real icq 
to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it<< 

Removing is quite easy.
-> Goto Icq Directory delete ICQ.exe and rename the ICQ2.exe as ICQ.EXE. DONE

*Original Server EXE is exactly 39.424 Bytes. 

->**Modified Version**
Doesn't need original ICQ.
Restarts not automatically.

*Modified Server Exe is exactly 27.779 Bytes
*Installer attached WITH BO is 188.438 Bytes

*Prority BETA

->New release, trojan needs Runtime-files (VB), 
while pressing CTRL-ALT-DELETE the name pserver shows up.
The Key is:
pserver Value pserver.exe (everytime)

*Original Server Exe is excactly 98.304 Bytes

*Deep BO 

->Wide spread version of BO. Runs on specific port
removing see BO.


->NO information avaible at this time. I need some info. (Mail me)


->Needs all the lame Visual Basic Dll's 
*Original Server Exe is excactly 36.864 Bytes.

The Key in the registry are :

*Shadow Phyre 
Copies to
c:\windows\system\inet.exe 200K 
c:\windows\system\WinZipp.exe 200K 

The Keys in the registry are : 

"WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg" 

"INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg" 
*Tiny Telnet Server 
Copies to :
c:\windows\windll.exe 127488 Bytes

The Key in the registry is : 

Copies to : 

The Keys in the registry are : 


Copies to : 
C:\WINDOWS\system\nssx.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe"
Copies to :
C:\WINDOWS\system\nssx.exe 36864 Bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Kernel32.dll"="c:\\windows\\ccc.exe"
*Satans Back Door

Copies to :
C:\windows\sysprot.exe 77 824bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "sysprot "protection"="C:\\windows\\sysprot.exe"

Copies to :
C:\windows\sysprot.exe29 184bytes

Copies to :
C:\windows\MsWin32.drv 92 697bytes

Copies to :
C:\windows\DAT92003.exe 32 768bytes or 
C:\windows\DAT92003.exe 69 632bytes 

Copies to :
C:\windows\Expl32.exe 241 397bytes
*The Unexplained

Copies to :
C:\windows\INETB00ST.EXE 28.000bytes


Copies to :
"systemdoor"="c:\\windows\\system\\Rundll argp1"

*Progenic Trojan Beta Series

Copies to : 

* Hack'a'ttack1.12 

Copies to :
* Bla1.1 

Copies to :

* VL RAT. 5.3.0

Copies to :
"Default"=" " 
"Explorer"=" "
'Note This runs " .exe" just like BO.

* BackConstruction 1.2

Copies to :

* Kuang (Psender)

- Kuang2Full:
* Frenzy 1.01

"Explore"="C:\\Program files\\msgsrv36.exe"
* Kuang2 The Virus

Since Kuang2 The Virus acts like a Virus attaching himself to every PE EXE on the HD. NO usual Removal Method. I suppose you download Kuang2 The Virus with built-in disinfector! Now!
* Xtcp PORT 5550

Copies to : c:\windows\winmsg32.exe


Uses port 5550.
* Netsphere Final (131337)

Copies to : c:\windows\system\epp32.exe

Uses port 30133
* Schwindler 1.82

Copies to : c:\windows\user.exe NOT c:\windows\system\user.exe


Uses port 21554
* SubSeven 1.9

Copies to :  c:\windows\system\mtmtask.dl
-  Default:
        Shell=explorer.exe mtmtask.dl
Uses port 1243
* BackConstruction 2.1

Copies to :  c:\windows\Cmctl32.exe

Uses port 1234
* Vampire

Copies to : c:\windows\system\Sockets.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Sockets"="c:\windows\system\Sockets.exe"
Uses port 6669
* Trojan Spirit 2001 a

Copies to: c:\WINDOWS\netip.exe 
Win.ini : [windows]run= c:\windows\netip.exe

Uses port 30911

* Maverick's Matrix 

Copies to: C:\WINDOWS\Wincfg.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wincfg.exe"="C:\WINDOWS\Wincfg.exe" 
Uses port 1269
* Total Eclypse 

Copies to: C:\Windows\System\Rmaapp.exe 'Note NOT Rnaapp.exe 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rnaapp"="C:\\Windows\\System\\Rmaapp.exe" 
Uses port 3791 (for FTP)
* Kuang2 logger AS

Copies to: C:\WINDOWS\SYSTEM\K2logas.exe 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2logas.task"="C:\\WINDOWS\\SYSTEM\\K2logas.exe" 

* Vampire 1.2 

Copies to: c:\windows\system\Winboot.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsBootFile"="c:\\windows\\system\\Winboot.exe" 
* BoBo 1.0 

Copies to: C:\WINDOWS\SYSTEM\Dllclient.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "DirectLibrarySupport"="C:\\WINDOWS\\SYSTEM\\Dllclient.exe" 

* Deep Throat 3.1

Copies to: c:\windows\systray.exe 'NOT c:\windows\system\systray .exe 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Systemtray"="c:\\windows\\systray.exe" 

* Trojan Spirit 1.2

Copies to: c:\WINDOWS\FileName.exe 
* Eclipse 2000 

Copies to: C:\\WINDOWS\\SYSTEM\\Filename.EXE 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE" 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE" 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"

Keynames seem to be selected randomly. 

* Incommand

Copies to: Path_Where_Run\Filename.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AdvancedSettings"="Path_Where_Run\Filename.exe"


* BrainSpy




'Note Keynames are rondomized. 

* IRC3

Win.ini :
load = closew 

Closew.bat contains the foloowing commands:

Rundlls.exe is ServU.exe and the /h option runs it hidden. 

* PC Xplorer 



* Online Keylogger 

Copies to the drive set as Temp. 



1.5 Usefull Url's

*AVP definetly the BEST allround scanner is avaible at 
*Atguard Firewall to prevent inbound connection to servers and other security related issues.
*Trojan Defence Suite. Complete Anti-Trojan Suite.

1.6 Last words

*It IS impossible to catch all trojans. New trojans grow like funghis new variants appear weekly if not on a daily bases.There are so many ports left :)
*Trust No one, even a good friend can cheat on you
*This goes out to all L/\|\/|me d00des who think that using a trojan on a person 
automaticaly makes them Elite (31337) and/or are deleting or destroying other's
people's data:

       	   F	U	 C	       K 			Y	 O	 U

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH