Theta 1.0

Released September 2004 (20 years ago)

Copyright © MegaSecurity

By Ghirai


Information
Author: Ghirai
Family: Theta
Category: Remote Access
Version: Theta 1.0
Release Date: Sep 2004 (20 years ago)
Language: Assembly
Additional Information
dropped file:
c:\WINNT\system32\theta_server.exe

size: 9.216 bytes (i.e. 9,216 bytes)

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "theta"
data: theta_server.exe
 
tested on win2000
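The dropped file and Run key listed above are the host artifacts a responder would look for. The following check is an added example, not part of the original MegaSecurity entry or Ghirai's package; it assumes a modern Windows host where %SystemRoot% may not be C:\WINNT, so both the listed path and the current system root are inspected.

```powershell
# Added example: look for the Theta 1.0 persistence artifacts this entry lists.
# Assumes PowerShell 5.1+ and read access to HKLM; run from an elevated prompt.
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName    = 'theta'              # Run value name listed on the page
$expectedData = 'theta_server.exe'   # Run value data listed on the page
$listedSize   = 9216                 # file size listed on the page (9.216 bytes)

# The entry lists c:\WINNT\system32; on newer systems %SystemRoot% is usually C:\Windows.
$candidates = @(
    'C:\WINNT\system32\theta_server.exe',
    (Join-Path $env:SystemRoot 'system32\theta_server.exe')
) | Select-Object -Unique

$findings = @()

# 1. Registry autostart: is there a Run value named "theta" and does it point at the dropper?
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $data = [string]$run.$valueName
    $match = if ($data -like "*$expectedData*") { 'matches listed data' } else { 'data differs from listing' }
    $findings += "Run value '$valueName' = '$data' ($match)"
}

# 2. Dropped file: present on disk, and does its size agree with the listing?
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $sizeNote = if ($file.Length -eq $listedSize) { 'size matches listing' } else { "size $($file.Length) differs from listed $listedSize" }
        $findings += "File present: $path ($sizeNote)"
    }
}

# 3. Report. An empty result only means these two artifacts were not found;
#    the page also states the server is injected into winlogon.exe/systray.exe,
#    which this file/registry check does not cover.
if ($findings.Count -eq 0) {
    Write-Output 'No Theta 1.0 file or Run-key artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```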

Author Information / Description
Theta is basically a 6 Kb cmd server. Might seem much for just a cmd server,
 but it's so big because of 9* compatibility (I mean injection, read technical details).

What is a cmd server you ask? Well, it's a server, that enables you to have access to another computer's command prompt,
which is often all you need, because from there you can do anything (providing you know basic DOS commands); 
you can even download and run a file from the internet.

Theta has numerous advantages over similar applications: it's written 100% in assembly (server and server builder), 
resulting in small file size and high speed; it's not bloated by unnecessary features; it uses an injection method that isn't very common, 
so that, once installed, the server cannot be removed, unlike the standard dll injection techniques you will find in most other RATs.

You can also use it as a backdoor to a backdoor, in case your other RAT gets detected/removed/whatever.
Theta will make sure you always have access to the box.

It's compatible with all Windows® versions, and it accepts an unlimited number of clients.
Also features ICQ and CGI notifications.
You can obviously connect to the remote computer from any operating system that can run a direct connection terminal
(all operating systems should come with a telnet-type application).


Theta is hosted by "winlogon.exe" on NT based systems, and by "systray.exe" on non NT systems. Draw the resulting conclusions.
The server is just a dropper, that contains the actual server file. This is done because it needs to have a special format.

IMPORTANT: Do not compress/crypt or otherwise modify any of the files in the package, or any files resulting from the application!
It's very likely that, by doing so, you will render the application more or less unusable. So don't wonder why, after you modified the server,
it doesn't work, crashes, w/e.
And also, if you modify the application, please don't ask "why doesn't it work"-type questions.

I explained earlier why the server is somewhat large (if 6 Kb is large for you :). Without the 9* support, it should be about 4 KB or less, 
but some people still use 9* (why, I don't really know...).

You might also want to know that the editor is a little bulky (32 Kb) because it contains the packer (FSG 2 by bart).

Ghirai
