ForBot 2.4.2
Copyright © MegaSecurity
By ?
Information
Author | ? |
Family | ForBot |
Category | Remote Access |
Version | ForBot 2.4.2 |
Additional Information
dropped file:
c:\WINDOWS\system32\svxhost.exe
Size: 376,832 bytes
port: 15802 TCP
startup:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SVX Control Service"
data: svxhost.exe
tested on Windows XP
November 29, 2004
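The script below is an added host-triage example written for this page; it is not part of ForBot and not part of the MegaSecurity notes. It parses the text of `reg query <key> /s` and `netstat -ano` captured on a suspect machine and flags the indicators listed above: any Run/RunOnce/RunServices value named "SVX Control Service", any such value that launches svxhost.exe (matched on the file name, so a full-path variant is caught as well as the bare `svxhost.exe` the sample writes), and a TCP listener on port 15802. The sample `reg query` and `netstat` text embedded in it is constructed for the demonstration; the process id and addresses in it are invented.

```python
import re
from typing import Dict, List

# Indicators listed on this page for the ForBot 2.4.2 sample.
RUN_VALUE_NAME = "SVX Control Service"
DROPPED_BASENAME = "svxhost.exe"
LISTEN_PORT = 15802
RUN_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runservices")

# reg query prints key paths flush-left and values indented, with the
# name / type / data columns separated by runs of spaces (Vista and later)
# or tabs (XP-era reg.exe); the separator pattern accepts both.
_VALUE_RE = re.compile(r"^\s+(.+?)(?:\s{2,}|\t)(REG_[A-Z_]+)(?:\s{2,}|\t)(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'reg query <key> [/s]' output into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3).strip()
    return keys


def find_run_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'key\\name = data' for Run/RunOnce/RunServices values that either
    use the sample's value name or launch svxhost.exe (compared on the file
    name, so 'c:\\WINDOWS\\system32\\svxhost.exe' matches as well as 'svxhost.exe')."""
    hits: List[str] = []
    for key, values in keys.items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            program = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name.lower() == RUN_VALUE_NAME.lower() or program == DROPPED_BASENAME:
                hits.append(f"{key}\\{name} = {data}")
    return hits


def find_listeners(netstat_text: str, port: int = LISTEN_PORT) -> List[dict]:
    """Find TCP sockets in LISTENING state on the given port in 'netstat -ano'
    output (columns: Proto, Local Address, Foreign Address, State, PID).
    Lines without a PID column (netstat run without -o) are skipped."""
    found: List[dict] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP":
            continue
        local, state, pid = parts[1], parts[3], parts[4]
        if state.upper() == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            found.append({"local": local, "pid": int(pid)})
    return found


def triage(reg_text: str, netstat_text: str) -> List[str]:
    """Run both checks and return the findings (an empty list means no match)."""
    findings = [f"run-key persistence: {h}"
                for h in find_run_persistence(parse_reg_query(reg_text))]
    findings += [f"listener on tcp/{LISTEN_PORT}: {s['local']} pid {s['pid']}"
                 for s in find_listeners(netstat_text)]
    return findings


# Constructed sample captures (not from a real host); PID and addresses are invented.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SVX Control Service    REG_SZ    svxhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    SVX Control Service    REG_SZ    svxhost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:15802          0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.10:1057      198.51.100.7:6667      ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT) or ["no ForBot indicators found"]:
        print(finding)
```

On a real host, feed `triage()` the saved output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /s`, the same for HKCU and HKU, and `netstat -ano`. Two caveats when reading the result: RunOnce values are deleted by Windows after they execute, so their absence says nothing, and the RunServices key is only honoured by Windows 9x/ME, so on the XP host the sample was tested on the Run values are the ones that actually restart it.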
Author Information / Description
ForBot 2.4.2 [private(internal)]
AfroNerd & ghosn
based on AgoBot 2.3
------------------
Changes (06/08/04):
ghosn - improved packet sniffing shows LESS spam and gives more useful information
ghosn - logic command fixed now back to 'logic.if'
ghosn - show total sends after every complete ftp transfer
ghosn - all redirect commands now working
ghosn - fixed -o, -s, -n (were not working before)
ghosn - FOR DEBUG: added better connection debug messages
ghosn - lsass removed variable that was resetting random dport value
Changes (06/05/04):
ghosn - ftp shows total bytes sent
ghosn - ftp/advscan messages changed
ghosn - !ftp.stats command shows total sends and current port
ghosn - !ftp.stats [x] only display if total sends are greater/equal to 'x'
ghosn - fixed bad-encrypted commands
afronerd - fixed multiple topic again only uses 1 bar (|) for dividing now
Changes (06/04/04):
ghosn - advscan clean up
ghosn - FTP displays messages to scan channel
ghosn - only display stats over x amount (!adv.stats [stats-over])
ghosn - cleaned up optix scanner (little faster & cleaner)
afronerd - setcvar, setcvard (shortcuts to registering cvars with and without descriptions)
ghosn - open cmd works properly
afronerd - multiple topic commands work properly
ghosn & afronerd - file search (!file (directory) (to-look-for))
Changes (06/03/04):
ghosn - optix scanner + masterpass
afronerd & ghosn - WORKING(so gooood) lsass with CSendFileFTP
afronerd - multiple topic command using ||
afronerd - AddEx function to display and add stats
Changes (06/02/04):
afronerd - cleaned up shit
afronerd - 0 warnings ;x
ghosn - dcc send
Changes (05/22/04):
ghosn - packet sniffer
afronerd - ssl compatibility
ghosn - config
afronerd - logic
afronerd - cdkey logic
ghosn - yahoo/aim
afronerd - scanner: rBot 3.3 Base Implemented for advscan && dcom
ghosn - netstat (!netstat)
afronerd - netstat wildcard (!netstat [port] [state])
------------------
Features:
- Encrypted command/config skeleton (hidden strings)
- Limited Packet Sniffing
- SSL Compatibility
- Logic
- Game CDKey Grabber
- Yahoo/AIM ScreenName Grabber
- MSN Contacts / Address Book Grabber
- Online:
- World-Wide speed test
- net info
- irc raw commands
- Computer:
- shutdown
- reboot
- logoff
- command exec
- run file
- system info
- registry reading
- enhanced secure
- process list
- process kill (name/pid)
- add/remove/list services
- add/remove registry run locations
- Scanning:
- ADVScan
- dcom
- DDoS:
- forsyn
- synflood
- udpflood
- httpflood
- pingflood
- Serving:
- HTTPd Web Based File Browser
- Redirect:
- Socks4
- Socks5
- TCP
- GRE
- HTTP
--------------------------
ToDo:
- check for suspicious bots in services
- aim buddy list retrieval
- yahoo password decrypt
- mirc perform.ini checking
- desktop snapshot served off web-server
- logic rewrite
- remove unsightly string from encryption - maybe rewrite using int forced to char *
- keylogging (msg all keys pressed to a channel)
- packet sniff bots separately
- mirc DDE hooking to receive/send variables/commands
- MD5 Brute Force
- shell
- port scanner
- http dir. exploits (!http.exploit mywebsite.com/exploits.txt targetsite.com)
Commands:
() -> required
[] -> optional
bot.cpp
- b.id
- b.rndnick
- b.secure
- b.sysinfo
- b.remove (bot nickname)
- b.flushdns
- b.open (file)
- b.quit
- b.cmd (command)
- b.exe (file)
- b.dns (host)
- b.longuptime [days]
- b.nick (nickname)
cvar.cpp
- cvar.list
- cvar.get (cvar)
- cvar.set (cvar) (value)
findfile.cpp
- find (directory) (search-for)
httpd.cpp
- http.start (port) (directory)
- http.stop -> not done
- http.snap -> not done
irc.cpp
- i.raw (command)
- i.reconnect
- i.part (channel)
- i.mode (mode)
- i.msg (target) (message)
- i.notice (target) (message)
- i.disconnect
- i.gethost (search)
- i.netinfo
- i.join (channel)
logic.cpp
- logic.if (type) (mode) (value) (command)
mac.cpp
- set (user) (password)
- bye
netstat.cpp
- netstat [port] [state -e / -l]
utility.cpp
- ftp.dl (ftp web-based address) (local location)
- ftp.exe (ftp web-based address) (local location)
- ftp.up (ftp web-based address) (local location)
- http.dl (full address) (local location)
- http.exe (full address) (local location)
- http.up (full address) (local location)
- pc.shutdown
- pc.reboot
- pc.logoff