Masters of paradise 1.2

Discussion in 'NOD32 Early v2 Beta' started by controler, May 22, 2003.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    I am having weird trouble detecting viri now.
    Seems like NOD is not detecting viri in my WinZip files.
    Today it detects Girlfriend in a normal folder but not zipped.
    Today I also tried it on a copy of Masters of Paradise 1.2 zipped;
    it isn't detecting it zipped or unzipped.
    I am wondering why. Even if my system is weird, I hope others don't have this same problem. I am sure they don't do as much testing of
    too many kinds of software at the same time :)
    NOD is detecting a copy of Windows Mite 1.0 as I unzip it but not zipped. I will try a few more and see what happens. I will even try unzipping Girlfriend again and see if I get the splash warning screen.
     
  2. controler

    controler Guest

    After looking at the three file names I am guessing they renamed it, but it still has a double file extension. New name = icqcrk.pas.pgp
    Below is more reading info :D

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    MASTERS PARADISE TROJAN v.1.2
    (WIN 95/98)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    (c) Overlord 7/18/1998


    OVERVIEW: This is an add on for Masters Paradise (MP). MP lets you control someone else's computer when they're on line: see what's on their screen, download their files, get their passwords all secretly. But therez a catch....

    You gotta know their IP (easy enuf, thru ICQ, IRC, recent emails, etc.). You also gotta have them running a TSR ('the agent') on their computer (more difficult).

    This is where Masters Paradise Trojan comes in. This is what it does:

    WHAT THE TROJAN DOES: Helps you get the agent to their computa, while lookin real innocent.

    WHAT THEY SEE: You just send them the icqcrk.zip (the trojan) file, saying it's a cool ICQ utility. They run it - but it just comes up with a heap of errors and drops out. Dang! Isn't it always the way with good games.

    WHAT REALLY HAPPENZ: Unknown to them, there were no real errors - it just looked like that. The trojan has copied the agent over to their /windows/system directory. Executed itself, so it is running. Set its attributes so it can't be found. Set up stealth protections so it can't be deleted. And last and most importantly, modified win.ini so that it loads whenever they turn on their computa any time in the future. Now, whenever they are on the net, they are YOURS!

    STEALTHINESS: The trojan will not show up anywhere as loading, not in the in box, not the startup menu, not anywhere! The only way you can see if it is running is if you go CTRL-ALT-DEL, you will see two copies of 'Explorer' running. One of these is the backdoor to their computer. The only other way they could find it is by checking through their win.ini file, and seeing 'explorer' getting auto loaded. But that looks innocent enuff, i bet o_O?


    KNOWN PROBLEMS:

    1/ If you got the trojan on your computa, it is very hard to get it out. You would have to edit win.ini and remove any refs to explorer.exe, then reboot and then delete explorer from windows/system.

    2/ This will only work if they have set up Windows in the default directory (/Windows).

    3/ Will not work in Win 3.1, etc. Only Win 95 and greater.

    4/ I notice sometimez the trojan works real slow (about 10 seconds to do its job). But still probably believable enough.


    VERSIONS
    v.1.2 Now pretends to be an ICQ utility. Works even from floppy drive now, and wipes itself out after installing.

    v.1.1.1
    -Now installs to c:\windows\system rather than \windows in drive where go.exe is located.


    v.1.1
    - More Stealthy. Does not just send the agent to startup menu, but modifies win.ini to load itself real invisibly.

    - No longer pretends to be a Tic Tac Toe program. Now, you can send it to someone saying it is anything (you can change the name from gamer.exe to hackutil.exe if you want). Just comes up with a fake error anyway.

    - Have changed the Pascal compiler so Thunderbyte doesn't give warnings any more.


    Removed e-mail address to spare him some spam.
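The readme above gives two things a defender can actually look for: a renamed dropper carrying a double file extension (icqcrk.pas.pgp), and an autostart line in win.ini that launches a second "explorer" from the System directory instead of the real shell. The script below is an added example written for this thread, not code from the poster, from NOD32, or from the trojan's author. It parses a constructed win.ini sample (the sample text and the path C:\WINDOWS\SYSTEM\explorer.exe in it are made up for the demonstration) and flags the entries that match the readme's description, then applies a simple double-extension check to file names.

```python
import re
import configparser
from pathlib import PureWindowsPath

# Constructed sample of a Win9x-era win.ini (not taken from the thread).
# The [windows] section's load= and run= keys start programs at logon,
# which is the autostart mechanism the readme describes.
SAMPLE_WIN_INI = """
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\explorer.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# On a stock Win9x install the real shell binary lives in the Windows
# directory itself, never in \SYSTEM (assumed default install path).
LEGIT_EXPLORER = PureWindowsPath(r"C:\WINDOWS\explorer.exe")

# Two short suffixes at the end of a name, e.g. icqcrk.pas.pgp
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", re.I)


def autostart_entries(ini_text):
    """Return (key, program) pairs named by load= and run= in [windows]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    entries = []
    if cp.has_section("windows"):
        for key in ("load", "run"):
            value = cp.get("windows", key, fallback="").strip()
            # load= and run= accept several space-separated programs;
            # 8.3-style paths of that era contain no spaces.
            for prog in value.split():
                entries.append((key, prog))
    return entries


def suspicious_autostarts(ini_text):
    """Flag autostarts that impersonate Explorer from the wrong location,
    or that launch anything out of the System directory."""
    findings = []
    for key, prog in autostart_entries(ini_text):
        p = PureWindowsPath(prog)
        # PureWindowsPath compares case-insensitively, as Windows does.
        if p.name.lower() == "explorer.exe" and p != LEGIT_EXPLORER:
            findings.append(f"{key}= starts an Explorer look-alike from {p.parent}")
        elif str(p.parent).lower().endswith("\\system"):
            findings.append(f"{key}= starts {p.name} from the System directory")
    return findings


def has_double_extension(filename):
    """True for names like icqcrk.pas.pgp, where the trailing suffix hides
    the inner one. Legitimate compound suffixes (e.g. .tar.gz) also match
    and would need an allowlist in real use."""
    return DOUBLE_EXT.search(PureWindowsPath(filename).name) is not None


if __name__ == "__main__":
    for finding in suspicious_autostarts(SAMPLE_WIN_INI):
        print("win.ini:", finding)
    for name in ("icqcrk.pas.pgp", "icqcrk.zip", r"C:\TEMP\readme.txt"):
        print(name, "double extension" if has_double_extension(name) else "ok")
```

The win.ini check is the cheap, deterministic part: a run= or load= line pointing at a second explorer.exe is exactly the artefact the readme says a victim would have to find by hand. The double-extension check is only a triage hint, since an archive scanner (the original poster's concern) still has to look inside the container to see what the inner file really is.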
     