Girlfriend 1.35 not detected

Discussion in 'NOD32 Early v2 Beta' started by controler, May 18, 2003.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    where should I send these files?

    GirlFriend 1.35 by General Failure


    Girlfriend is a program which allows you to get information on applications
    running on remote PC. That means that if any computer connected to net
    is infected with GirlFriend - you can connect to this PC and "steal" such
    information as:
    - text, that "infected" user enters to any window containing password
    - passwords, which "infected" user enters to password fields.
    You also can:
    - send "system" messages to remote PC;
    - play sounds;
    - show bitmaps (.bmp pictures);
    - run exe files;
    - send "victim" to any URL;
    - change server's port;
    - hide GF Client with BOSSKEY=F12;
    - scan subnet for infected servers;
    - save windows list;
    - work with files and folders using GF filemanager.

    GirlFriend 1.35 pack includes:
    a) GirlFriend Server (windll.exe) - this file is for "victim";
    b) GirlFriend Client (gf.exe);
    c) help text file (gf.txt)


    GirlFriend Server sits on infected computer and looks for windows in which
    user enters passwords. Server writes these passwords with other textfields
    in that window to registry and sends this list on your demand.


    First you have to infect "victim": if you haven't physical access to
    victim's PC - send him windll.exe. You may rename it and/or attach it to
    any other executable file using silkrope (you may take it on When victim executes this file,
    GirlFriend will write itself to Windows' directory and rename itself to
    windll.exe. It also will write a string "Windll.exe=<windows' dir>\windll.exe"
    to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    in registry. GirlFriend Server will save all its data in
    Once victim runs GirlFriend Server - it will run every time when victim
    loads Windows. If you have physical access to victim's PC - just run
    GirlFriend Server on it!


    To connect to GirlFriend Server run GirlFriend Client (gf.exe) on your PC.
    Then in field "IP:" enter IP address of infected computer.
    In field "Port:" enter port which GirlFriend Server "sits" on (default=21554).
    Then press "Connect" button.
    When client connects to server in statusbar "Connected to: <address>"
    appears. If there will be message like "Error connecting to <address>" - it
    means that server is not active (maybe victim hadn't executed it?). You
    also can scan subnet for infected PC's writing ip like this: "".

    When you are connected you can:
    - press "Show Passes" button. It will show a list of processes (windows)
    containing password fields with passwords and other textfields data in
    this window (e.g. window of remote access with Username, Password,
    Connection name, etc.).
    - press "Send Message" button. There will appear a window with types of
    system messages which you can show on remote computer.
    - press "Reset Password List" button which deletes the server's password
    list in "victim's" registry.
    - press "File manager" to file manager :)))
    - press "Custom" button to enter custom commands to server. Here is the list
    of them (instead of words in parentheses you have to write specified data
    (without parentheses)):
    TEST? - sends "Are you alive?" request to server. Server's
    answer in "Server's answers" list must be
    "Server OK"
    ver - asks for server's version
    KillHER - kills server (clears registry from server, but it
    doesn't delete windll.exe from Windows' directory)
    {U}<URL> - sends "victim" to specified URL (begin with "http://")
    {S}<soundfile> - plays specified "wav" file on "victim's" PC
    {P}<bmpfile> - shows specified "bmp" file on "victim's" PC
    DOWN - switches "looking for passwords" timer on server OFF
    (server won't scan for passwords)
    UP - switches "looking for passwords" timer ON
    setport<port> - sets server port to specified one (identical to
    pressing "change" button)
    Logoff - logs off user from windows
    Shutdown - shuts down windows
    ReBOOT - reboots victim's PC
    PowerOFF - victim's power off
    Name user - displays current user's name
    time - displays time
    or just enter HELP? to help :)

    You can press F12 to tray client and then press on trayicon with right
    button to use these commands from popupmenu.
    Press "About" button to know "more" about this program.
    Press "Save list" to save windows & passwords list to text file.

    If you'll have any questions/suggestions please write me to


    General Failure.

    P.S. Oh! I have forgotten to notice that it also takes passwords from Web
    sites which infected user inputs!
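
A defender-side triage check for the three host indicators the quoted readme names (the `Windll.exe` Run value, the `windll.exe` file in the Windows directory, and the default port 21554), as an added example that is not part of the original post. The `reg query`, `netstat` and directory-listing inputs are constructed samples, and the function names are illustrative.

```python
import re

SERVER_FILE = "windll.exe"   # server file name given in the readme
DEFAULT_PORT = 21554         # default server port given in the readme

# Constructed sample: `reg query` output for HKLM\...\CurrentVersion\Run.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Windll.exe    REG_SZ    C:\WINDOWS\windll.exe
"""

# Constructed sample: `netstat -an` output.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:21554    0.0.0.0:0    LISTENING
"""

def run_key_hits(reg_text):
    """Return (name, data) Run values whose name or target file is windll.exe."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s{2,}(.*)$", line)
        if not m:
            continue  # key header or blank line
        name, data = m.group(1), m.group(2).strip().strip('"')
        basename = re.split(r"[\\/]", data)[-1].lower()
        if name.lower() == SERVER_FILE or basename == SERVER_FILE:
            hits.append((name, data))
    return hits

def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def triage(reg_text, netstat_text, windir_files):
    """Check each indicator independently; any one of them can be absent."""
    findings = [f"Run value {n!r} -> {d}" for n, d in run_key_hits(reg_text)]
    if DEFAULT_PORT in listening_ports(netstat_text):
        findings.append(f"TCP listener on default port {DEFAULT_PORT}")
    # The readme says KillHER clears the registry entry but leaves the file.
    if any(f.lower() == SERVER_FILE for f in windir_files):
        findings.append(f"File {SERVER_FILE} present in Windows directory")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_NETSTAT, ["WINDLL.EXE"])))
```

The indicators are checked separately because the readme itself says the port can be changed with `setport` and that `KillHER` removes only the registry entry, so a single hit is enough to warrant a closer look.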
  2. Technodrome

    Technodrome Security Expert

    Feb 13, 2002
    New York

  3. controler

    controler Guest

    will do Tech, thanks

    do you think I will get a full version of NOD32? ***wink***