Slim Horse

Released 22 years, 8 months ago. January 2002

Copyright © MegaSecurity

By Ventaja


Information
Author: Ventaja
Family: Slim Horse
Category: Remote Access
Version: Slim Horse
Release Date: Jan 2002, 22 years, 8 months ago.
Language: Visual Basic
Additional Information
Server:
size: 149.504 bytes

dropped files:
c:\WINDOWS\speed.exe 
c:\WINDOWS\temp.exe 
c:\WINDOWS\RUNDLL32.EXE 

startup:
none

Author Information / Description
Slim Horse is a R.A.T. (remote administration tool) that mainly works under the ICMP protocol;
this version is a NON-INTERFACE one, but it has a lot of strength options.
The DCC GET/SEND works under the TCP protocol.
All the function parameters are parsed with "*", must start with "*" and have at least two "*".

Files : 
1) Client.exe (141KB): used to administer an infected remote host.
2) Server.exe (145KB): the name says it all.
3) ServerSetup.exe (19KB): configures the automatic notification and binds a file to the server.

Function PING
Description : used to know if a host is infected and still alive.
Parameters : *PING*
Response : *PONG

Function INFO
Description : returns info about the os version, windows directories, computer name, processor and more.
Parameters : *INFO*
Response : OS: Windows 9x/Me ......

Function PASS
Description : used to identify to the host.
Parameters : *PASS*Password
Response : Password accepted, you are inside or none

Function NEWPASS
Description : used to set the password.
Parameters : *NEWPASS*Password
Response : none

Function OPENCD
Description : ejects cd.
Parameters : *OPENCD*
Response : None

Function CLOSECD
Description : closes cd.
Parameters : *CLOSECD*
Response : None

Function URL
Description : open the specified url. ALWAYS USE HTTP://
Parameters : *URL*http://www.mysite.com
Response : None

Function SHELL
Description : executes the specified file with the associated program.
Parameters : *SHELL*c:\music\aerosmith - mama kin.mp3
Response : None

Function RUN
Description : executes the specified executable.
Parameters : *RUN*c:\windows\notepad.exe
Response : None

Function SHOWPIC
Description : shows the specified image file on top most.
Parameters : *SHOWPIC*c:\images\martina hings4.jpg
Response : None

Function HIDEPIC
Description : hides the previously shown image.
Parameters : *HIDEPIC*
Response : None

Function SHUTDOWN
Description : shuts down the computer.
Parameters : *SHUTDOWN*
Response : None

Function REBOOT
Description : reboots the computer.
Parameters : *REBOOT*
Response : None

Function LOGOFF
Description : logs off from the actual windows session.
Parameters : *LOGOFF*
Response : None

Function EMENU
Description : enumerates the main menus of a window.
Parameters : *EMENU*HWND*
Response :
Menus of 220
224   &File
228   &Tools
232   &DCC
304   [ &Menu Legman's Script ]
236   &Window
244   &Help
0 
__________________________________________________

Function ESUB
Description : enumerates the submenus of a menu.
Parameters : *ESUB*hMenu*
Response : 
SubMenus of &Send...	Alt+S
0 &Send...	Alt+S
0 &Chat...	Alt+C
0 
0 &Options...
0 
__________________________________________________

Function SMENU
Description : sets the text of a submenu.
Parameters : *SMENU*MENU*ITEM*TEXT*
Response : none

Function EWIN
Description : enumerates the windows of the remote host, works like TaskManager unless you specify a second parameter.
Parameters : *EWIN*
Response : 
"Windows Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Windows Enumeration Finished"

Function ECHILD
Description : enumerates the child windows of the parent window specified.
Parameters : *ECHILD*PARENT (0 for desktop)*
Response : 
"Child Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Child Enumeration Finished"

Function ACTIVE
Description : activates the specified windows by hwnd.
Parameters : *ACTIVE*Hwnd*
Response : none

Function HIDE 
Description : makes invisible the specified windows by hwnd.
Parameters : *HIDE*Hwnd*

Function SHOW
Description : makes visible the specified windows by hwnd.
Parameters : *SHOW*Hwnd*

Function CLOSE
Description :  closes the specified windows by hwnd.
Parameters : *CLOSE*Hwnd
Response : none

Function STATE
Description : returns Left, Top, Height, Width and show state of the window handle. 
Parameters : *STATE*Hwnd*
Response : 
Window State Start 408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away
Left -4 Top -4 Width 808 Height 580 Visible=True Maximized
Window State Start 408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away

Function WINDOW
Description : returns info about the window of a handle. Use index to Listbox, Combobox and other special control items.
Parameters : *WINDOW*Hwnd*Index
Response : Hwnd Class Text

Function PARENT
Description : returns info about the parent window of a handle.
Parameters : *PARENT*Hwnd
Response : Hwnd Class Text

Function SETTEXT
Description : changes the text of a caption or control. 
Parameters : *SETTEXT*HWND*TEXT

Function ADDITEM
Description : adds an item to a Listbox or a Combobox.
Parameters : *ADDITEM*Hwnd*Text
Response : none

Function DELITEM
Description : deletes an item from a Listbox or a Combobox.
Parameters : *DELITEM*Hwnd*Item_Number
Response : none

Function SCROLL
Description : makes a scrollbar scroll the percent specified.
Parameters : *SCROLL*HWND*PERCENT

Function ECLASS
Description : finds the specified class in all the child windows of a Hwnd, 0 for Desktop.
Parameters : *ECLASS*CLASSNAME*START_HWND
Response : all classes that match.

Function FCLASS
Description : finds the specified class in all the top level windows.
Parameters : *FCLASS*CLASSNAME
Response : all classes that match.

Function CLICK
Description : clicks the specified button.
Parameters : *CLICK*HWND
Response : none

Function DESKTOP
Description : shows desktop.
Parameters : *DESKTOP*
Response : none

Function EPROC
Description : returns all the processes running on the server side with the filename that opens each one and with the main window if it's visible.
Parameters : *EPROC*
Response : returns all the processes running on the server side with the filename that opens each one and with the main window if it's visible.

Function CPROC
Description : terminates the specified process.
Parameters : *CPROC*ProcessID*
Response : terminated/failed.

Function ETHR
Description : shows all the threads of a process.
Parameters : *ETHR*ProcessID*
Response : the threads.

Function REG
Description : registers a process as a service (doesn't show anymore when alt+ctrl+del is pressed).
Parameters : *REG*ProcessID*
Response : done

Function UNREG
Description : unregisters a process as a service (shows again when alt+ctrl+del is pressed).
Parameters : *UNREG*ProcessID*
Response : done

Function DRIVES
Description : enumerates all the logical drives of the remote host.
Parameters : *DRIVES*
Response : Avaible Drives : A C D E F G

Function DRIVEINFO
Description : returns disk type, label and free space.
Parameters : *DRIVEINFO*E:\
Response : CD-Rom

Function DIR
Description : returns the directory files and subdirectories.
Parameters : *DIR**.EXE (yeah, a little weird) or *DIR* 
Response :
FILE
Total files
Total size
Total dirs

Function CD
Description : changes the actual directory.
Parameters : 
*CD* ..*
*CD*NEWDIR*
*CD* \*
Response : actual path.

Function DRIVE
Description : changes the actual drive.
Parameters : 
*DRIVE*C*
*DRIVE*A*
Response : actual path.

Function LP
Description : returns the actual path.
Parameters : *LP*
Response : C:\DEAD\TIME\

Function SP
Description : sets the actual path.
Parameters : *SP*C:\ROCK\TIME
Response : none

Function PATH
Description : returns the path of the server.
Parameters : *PATH*
Response : C:\im\stupid\server.exe

Function TYPE
Description : returns the text of a file
Parameters : *TYPE*C:\passwords.txt
Response : 
"File Start"
file contents.
"File End"

Function GET
Description : used to download a file.
Parameters : 
*GET*PATH & FILENAME
*GET*FILENAME (ACTUAL PATH IS USED)
Response : the file. Resume is supported; if the transfer closes early you can issue the get
function again and it will ask if you want to resume, overwrite or rename. FEATURE IS ONLY USED ON CLIENT SIDE.

Function PUT
Description : used to upload a file.
Parameters : 
*PUT*PATH & FILENAME*REMOTE_PATH
*PUT*PATH & FILENAME (ACTUAL PATH IS USED)
Response : the file.

Function SETPOS
Description : moves the mouse to the position that you want.
Parameters : *SETPOS*X*Y
Response : none.

Function SENDKEYS
Description : sends the keys that you want to the active window.
Parameters : *SENDKEYS*HWND*TEXT
Response : none

Function DUMP
Description : returns a get file from a screenshot.
Parameters : *DUMP*0-2*0-2* 
The first parameter is the size, 0=100%, 1=75%, 2=50%.
The second parameter is the color, 0=16 colors, 1=greyscale of 256 colors, 3=True color
Response : dump.bmp

Function IGMP
Description : sends igmp packets.
Parameters : *IGMP*IP*TIMES*SIZE*
Response : packets send.

Function BOMB
Description : sends icmp ping packets.
Parameters : *BOMB*IP*TIMES*SIZE*
Response : packets send.

Function TYPE13
Description : sends icmp timestamp packets.
Parameters : *TYPE13*IP*TIMES*SIZE*
Response : packets send.

Ventaja
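
Detection sketch for the command grammar described above, as an added example that is not part of the original description or of the tool: it flags ICMP messages whose data matches the "*NAME*args" form with a name from the function list, plus the "*PONG" reply. It assumes the text sits verbatim at the start of the data after an 8-byte ICMP header, which the page does not state; `classify`, `echo`, `scan` and the sample messages are constructed for illustration.

```python
import re
import struct

# Command names copied from the function list on this page.
COMMANDS = frozenset("""
PING INFO PASS NEWPASS OPENCD CLOSECD URL SHELL RUN SHOWPIC HIDEPIC SHUTDOWN
REBOOT LOGOFF EMENU ESUB SMENU EWIN ECHILD ACTIVE HIDE SHOW CLOSE STATE WINDOW
PARENT SETTEXT ADDITEM DELITEM SCROLL ECLASS FCLASS CLICK DESKTOP EPROC CPROC
ETHR REG UNREG DRIVES DRIVEINFO DIR CD DRIVE LP SP PATH TYPE GET PUT SETPOS
SENDKEYS DUMP IGMP BOMB TYPE13
""".split())

# Grammar from the page: text starts with "*" and holds at least two "*".
CMD_RE = re.compile(rb"\*([A-Z0-9]{2,9})\*([\x20-\x7e]*)")

def classify(icmp_msg: bytes):
    """Return (kind, name, raw_args) for a Slim Horse style payload, else None."""
    if len(icmp_msg) < 8:
        return None
    data = icmp_msg[8:]  # ASSUMPTION: text directly follows the 8-byte ICMP header
    m = CMD_RE.match(data)
    if m and m.group(1).decode() in COMMANDS:
        return ("command", m.group(1).decode(), m.group(2).decode())
    if data.startswith(b"*PONG"):  # the only response the page shows with a "*"
        return ("response", "PONG", "")
    return None

def echo(payload: bytes, msg_type: int = 8) -> bytes:
    """Constructed ICMP message for testing; checksum left at 0 on purpose."""
    return struct.pack("!BBHHH", msg_type, 0, 0, 1, 1) + payload

# Constructed samples, not captured traffic.
SAMPLES = [
    echo(b"*PING*"),
    echo(b"*PONG", msg_type=0),
    echo(b"*PASS*example-password"),
    echo(b"*SETPOS*10*20"),
    echo(b"abcdefghijklmnopqrstuvwabcdefghi"),  # default Windows ping payload
    echo(b"*HELLO*world"),                      # right shape, unknown name
]

def scan(messages):
    """Return the verdicts for messages that matched."""
    return [v for v in map(classify, messages) if v is not None]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```

Matching on the known command names rather than on the asterisk shape alone keeps ordinary ping payloads and stray "*" characters from raising alerts.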
