Slim Horse

Released 22 years, 10 months ago. January 2002

Copyright © MegaSecurity

By Ventaja


Slim Horse
Informations
Author Ventaja
Family Slim Horse
Category Remote Access
Version Slim Horse
Released Date Jan 2002, 22 years, 10 months ago.
Language Visual Basic
Additional Information
Server:
size: 149.504 bytes

dropped files:
c:\WINDOWS\speed.exe 
c:\WINDOWS\temp.exe 
c:\WINDOWS\RUNDLL32.EXE 

startup:
none

Author Information / Description
Slim Horse is a R.A.T. (remote administration tool) that mainly works under the ICMP procotol, 
this version is a NON-INTERFACE one, but it have a lot of strenght options.
The DCC GET/SEND works under the TCP protocol.
All the functions parameters are parsed with "*", must start with "*" and at least have two "*".

Files : 
1)Client.exe (141KB) : used to administrate a remote host infected.
2)Server.exe (145KB): the names says it all.
3)ServerSetup.exe (19KB) : configurate de automatic notification and bind a file to the server.

Function PING
Description : used to know is a host is infected and still alive.
Parameters : *PING*
Response : *PONG

Function INFO
Description : returns info about the os version, windows directories, computer name, processor and more.
Parameters : *INFO*
Response : OS: Windows 9x/Me ......

Function PASS
Description : used to identify to the host.
Parameters : *PASS*Password
Response : Password accepted, you are inside or none

Function NEWPASS
Description : used to set the password.
Parameters : *NEWPASS*Password
Response : none

Function OPENCD
Description : ejects cd.
Parameters : *OPENCD*
Response : None

Function CLOSECD
Description : close cd.
Parameters : *CLOSECD*
Response : None

Function URL
Description : open the specified url. ALWAYS USE HTTP://
Parameters : *URL*http://www.mysite.com
Response : None

Function SHELL
Description : execute with the associated program the specified file.
Parameters : *SHELL*c:\music\aerosmith - mama kin.mp3
Response : None

Function RUN
Description : execute the specified executable.
Parameters : *RUN*c:\windows\notepad.exe
Response : None

Function SHOWPIC
Description : shows the specified image file on top most.
Parameters : *SHOWPIC*c:\images\martina hings4.jpg
Response : None

Function HIDEPIC
Description : hide the previous shown image.
Parameters : *HIDEPIC*
Response : None

Function SHUTDOWN
Description : shutdowns the computer.
Parameters : *SHUTDOWN*
Response : None

Function REBOOT
Description : reboots the computer.
Parameters : *REBOOT*
Response : None

Function LOGOFF
Description : logs off from the actual windows session.
Parameters : *LOGOFF*
Response : None

Function EMENU
Description : enumerates the main menus of a window.
Parameters : *EMENU*HWND*
Response :
Menus of 220
224   &File
228   &Tools
232   &DCC
304   [ &Menu Legman's Script ]
236   &Window
244   &Help
0 
__________________________________________________

Function ESUB
Description : enumerates the submenus of a menu.
Parameters : *ESUB*hMenu*
Response : 
SubMenus of &Send...	Alt+S
0 &Send...	Alt+S
0 &Chat...	Alt+C
0 
0 &Options...
0 
__________________________________________________

Function SMENU
Description : sets the text of a submenu.
Parameters : *SMENU*MENU*ITEM*TEXT*
Response : none

Function EWIN
Description : enumerates the windows of the remote host, works like TaskManager unless you specify a second parameter.
Parameters : *EWIN*
Response : 
"Windows Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Windows Enumeration Finished"

Function ECHILD
Description : enumerates the child windows of the parent window specified.
Parameters : *ECHILD*PARENT (0 for desktop)*
Response : 
"Child Enumeration Started"
Hwnd (Window Title)
Hwnd (Window Title)
etc
"Child Enumeration Finished"

Function ACTIVE
Description : activates the specified windows by hwnd.
Parameters : *ACTIVE*Hwnd*
Response : none

Function HIDE 
Description : makes invisible the specified windows by hwnd.
Parameters : *HIDE*Hwnd*

Function SHOW
Description : makes visible the specified windows by hwnd.
Parameters : *SHOW*Hwnd*

Function CLOSE
Description :  closes the specified windows by hwnd.
Parameters : *CLOSE*Hwnd
Response : none

Function STATE
Description : returns Left, Top, Height, Width and show state of the window handle. 
Parameters : *STATE*Hwnd*
Response : 
Window State Start 408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away
Left -4 Top -4 Width 808 Height 580 Visible=True Maximized
Window State Start 408 mIRC32 & Legman's � � Idle: 1539 � � Ciudad-AR � � [16:30] � � Tony_Iommi_Away

Function WINDOW
Description : returns info about the window of a handle. Use index to Listbox, Combobox and other special control items.
Parameters : *WINDOW*Hwnd*Index
Response : Hwnd Class Text

Function PARENT
Description : returns info about the parent window of a handle.
Parameters : *PARENT*Hwnd
Response : Hwnd Class Text

Function SETTEXT
Description : changes the text of a caption or control. 
Parameters : *SETTEXT*HWND*TEXT

Function ADDITEM
Description : add a item to a Listbox or a Combobox.
Parameters : *ADDITEM*Hwnd*Text
Response : none

Function DELITEM
Description : delete a item to a Listbox or a Combobox.
Parameters : *DELITEM*Hwnd*Item_Number
Response : none

Function SCROLL
Description : makes a scrollbar to scroll the percent scpecified.
Parameters : *SCROLL*HWND*PERCENT

Function ECLASS
Description : finds the specified class in all the child windows of a Hwnd, 0 for Desktop.
Parameters : *ECLASS*CLASSNAME*START_HWND
Response : all classes that match.

Function FCLASS
Description : finds the specified class in all the top level windows.
Parameters : *FCLASS*CLASSNAME
Response : all classes that match.

Function CLICK
Description : clicks the specified button.
Parameters : *CLICK*HWND
Response : none

Function DESKTOP
Description : shows desktop.
Parameters : *DESKTOP*
Response : none

Function EPROC
Description : returns all the process running on the server side with the filename that opens it and with the main window if its visible.
Parameters : *EPROC*
Response : returns all the process running on the server side with the filename that opens it and with the main window if its visible.

Function CPROC
Description : terminate the specified process.
Parameters : *CPROC*ProcessID*
Response : terminated/failed.

Function ETHR
Description : shows all the threads of a process.
Parameters : *ETHR*ProcessID*
Response : the threads.

Function REG
Description : registers a process as a service (dont show anymore when alt+ctrl+del is pressed).
Parameters : *REG*ProcessID*
Response : done

Function UNREG
Description : unregisters a process as a service (shows again when alt+ctrl+del is pressed).
Parameters : *UNREG*ProcessID*
Response : done

Function DRIVES
Description :  enumerate all the logical drives of the remote host.
Parameters : *DRIVES*
Response : Avaible Drives : A C D E F G

Function DRIVEINFO
Description : returns disk type, label and free space.
Parameters : *DRIVEINFO*E:\
Response : CD-Rom

Function DIR
Description : returns the directory files and subdirectories.
Parameters : *DIR**.EXE (yeah, a little weird) or *DIR* 
Response :
FILE
Total files
Total size
Total dirs

Function CD
Description : change the actual directory.
Parameters : 
*CD* ..*
*CD*NEWDIR*
*CD* \*
Respone : actual path.

Function DRIVE
Description : change the actual drive.
Parameters : 
*DRIVE*C*
*DRIVE*A*
Response : actual path.

Function LP
Description : returns the actual path.
Parameters : *LP*
Response : C:\DEAD\TIME\

Function SP
Description : sets the actual path.
Parameters : *SP*C:\ROCK\TIME
Response : none

Function PATH
Description : returns the path of the server.
Parameters : *PATH*
Response : C:\im\stupid\server.exe

Function TYPE
Description : returns the text of a file
Parameters : *TYPE*C:\passwords.txt
Response : 
"File Start"
file contents.
"File End"

Function GET
Description : used to download a file.
Parameters : 
*GET*PATH & FILENAME
*GET*FILENAME (ACTUAL PATH IS USED)
Response : the file. Resume is supported, is the transfers close early you can put the get
function again and it will ask if you wanna resume, overwrite or rename. FEATURE IS ONLY USED ON CLIENT SIDE.

Function PUT
Description : used to upload a file.
Parameters : 
*PUT*PATH & FILENAME*REMOTE_PATH
*PUT*PATH & FILENAME (ACTUAL PATH IS USED)
Response : the file.

Function SETPOS
Description : moves the mouse the position that you want.
Parameters : *SETPOS*X*Y
Response : none.

Function SENDKEYS
Description : send the keys that you want to the active window.
Parameters : *SENDKEYS*HWND*TEXT
Response : none

Function DUMP
Description : returns a get file from the a screenshot.
Parameters : *DUMP*0-2*0-2* 
The first parameter is the size, 0=100%, 1=75%, 2=50%.
The second parameter is the color, 0=16 colors,1=greyscale of 256 colors,3=True color
Response : dump.bmp

Function IGMP
Description : sends igmp packets.
Parameters : *IGMP*IP*TIMES*SIZE*
Response : packets send.

Function BOMB
Description : sends icmp ping packets.
Parameters : *BOMB*IP*TIMES*SIZE*
Response : packets send.

Function TYPE13
Description : sends icmp timestamp packets.
Parameters : *TYPE13*IP*TIMES*SIZE*
Response : packets send.

Ventaja

If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.