
ForBot 2.4.2

Copyright © MegaSecurity


Information
Author ?
Family ForBot
Category Remote Access
Version ForBot 2.4.2
Additional Information
dropped file:
c:\WINDOWS\system32\svxhost.exe
Size: 376.832 bytes 

port: 15802 TCP

startup:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe 

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe 

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe 

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SVX Control Service"
data: svxhost.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service"
data: svxhost.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SVX Control Service"
data: svxhost.exe 

tested on Windows XP
November 29, 2004

Author Information / Description
ForBot 2.4.2 [private(internal)]
AfroNerd & ghosn
based on AgoBot 2.3
------------------

Changes (06/08/04):
 ghosn - improved packet sniffing shows LESS spam and gives more useful information
 ghosn - logic command fixed now back to 'logic.if'
 ghosn - show total sends after every complete ftp transfer
 ghosn - all redirect commands now working
 ghosn - fixed -o, -s, -n (were not working before)
 ghosn - FOR DEBUG: added better connection debug messages
 ghosn - lsass removed variable that was resetting random dport value

Changes (06/05/04):
 ghosn - ftp shows total bytes sent
 ghosn - ftp/advscan messages changed
 ghosn - !ftp.stats command shows total sends and current port
 ghosn - !ftp.stats [x] only display if total sends are greater/equal to 'x'
 ghosn - fixed bad-encrypted commands
 afronerd - fixed multiple topic again only uses 1 bar (|) for dividing now

Changes (06/04/04):
 ghosn - advscan clean up
 ghosn - FTP displays messages to scan channel
 ghosn - only display stats over x amount (!adv.stats [stats-over])
 ghosn - cleaned up optix scanner (little faster & cleaner)
 afronerd - setcvar, setcvard (shortcuts to registering cvars with and without descriptions)
 ghosn - open cmd works properly
 afronerd - multiple topic commands work properly
 ghosn & afronerd - file search (!file (directory) (to-look-for))

Changes (06/03/04):
 ghosn - optix scanner + masterpass
 afronerd & ghosn - WORKING(so gooood) lsass with CSendFileFTP
 afronerd - multiple topic command using ||
 afronerd - AddEx function to display and add stats

Changes (06/02/04):
 afronerd - cleaned up shit
 afronerd - 0 warnings ;x
 ghosn    - dcc send

Changes (05/22/04):
 ghosn    - packet sniffer
 afronerd - ssl compatibility
 ghosn    - config
 afronerd - logic
 afronerd - cdkey logic
 ghosn    - yahoo/aim
 afronerd - scanner: rBot 3.3 Base Implemented for advscan && dcom
 ghosn    - netstat (!netstat)
 afronerd - netstat wildcard (!netstat [port] [state])
 
------------------

Features:
 - Encrypted command/config skeleton (hidden strings)
 - Limited Packet Sniffing
 - SSL Compatibility
 - Logic
 - Game CDKey Grabber
 - Yahoo/AIM ScreenName Grabber
 - MSN Contacts / Address Book Grabber
 
 - Online:
   - World-Wide speed test
   - net info
   - irc raw commands
 - Computer:
   - shutdown
   - reboot
   - logoff
   - command exec
   - run file
   - system info
   - registry reading
   - enhanced secure
   - process list
   - process kill (name/pid)
   - add/remove/list services
   - add/remove registry run locations
 - Scanning:
   - ADVScan
   - dcom
 - dDos:
   - forsyn
   - synflood
   - udpflood
   - httpflood
   - pingflood
 - Serving:
   - HTTPd Web Based File Browser
 - Redirect:
   - Socks4
   - Socks5
   - TCP
   - GRE
   - HTTP

--------------------------

ToDo:
  - check for suspicious bots in services
  - aim buddy list retrieval
  - yahoo password decrypt
  - mirc perform.ini checking
  - desktop snapshot served off web-server
  - logic rewrite
  - remove unsightly string from encryption - maybe rewrite using int forced to char *
  - keylogging (msg all keys pressed to a channel)
  - packet sniff bots separately
  - mirc DDE hooking to receive/send variables/commands
  - MD5 Brute Force 
  - shell
  - port scanner
  - http dir. exploits (!http.exploit mywebsite.com/exploits.txt targetsite.com)

Commands:
() -> required
[] -> optional

bot.cpp
 - b.id
 - b.rndnick
 - b.secure
 - b.sysinfo
 - b.remove (bot nickname)
 - b.flushdns
 - b.open (file)
 - b.quit
 - b.cmd (command)
 - b.exe (file)
 - b.dns (host)
 - b.longuptime [days]
 - b.nick (nickname)

cvar.cpp
 - cvar.list
 - cvar.get (cvar)
 - cvar.set (cvar) (value)

findfile.cpp
 - find (directory) (search-for)

httpd.cpp
 - http.start (port) (directory)
 - http.stop -> not done
 - http.snap -> not done

irc.cpp
 - i.raw (command)
 - i.reconnect
 - i.part (channel)
 - i.mode (mode)
 - i.msg (target) (message)
 - i.notice (target) (message)
 - i.disconnect
 - i.gethost (search)
 - i.netinfo
 - i.join (channel)

logic.cpp
 - logic.if (type) (mode) (value) (command)

mac.cpp
 - set (user) (password)
 - bye

netstat.cpp
 - netstat [port] [state -e / -l]

utility.cpp
 - ftp.dl (ftp web-based address) (local location)
 - ftp.exe (ftp web-based address) (local location)
 - ftp.up (ftp web-based address) (local location)
 - http.dl (full address) (local location)
 - http.exe (full address) (local location)
 - http.up (full address) (local location)
 - pc.shutdown
 - pc.reboot
 - pc.logoff

This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.