Archive Helmet Icon Archive A Reconstructed © MegaSecurity Database

I Feel Lucky I Feel Very Lucky

Genie 1.4

Released 20 years, 1 month ago. March 2006

Copyright © MegaSecurity

By prncipia

Informations
Author prncipia
Family Genie
Category Remote Access
Version Genie 1.4
Released Date Mar 2006, 20 years, 1 month ago.
Additional Information
Server:
dropped file:
c:\WINDOWS\cprog.exe               Size: 18,558 bytes 
c:\WINDOWS\system32\regmont.exe    Size: 18,558 bytes 


port: 1179 TCP


added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Run"
data: C:\WINDOWS\cprog.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "RegMon"
data: C:\WINDOWS\System32\regmont.exe 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List


tested on Windows XP
March 10, 2006

Author Information / Description
Genie is a simple Telnet backdoor program.

-When Genie.exe executed, it opens port on 1179.
-Creates a copy of itself as %System%\regmont.exe and %windir%\cprog.exe
-And adds the follow values in the registry to be executed each time Windows starts.

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"RegMon" = " %System%\regmont.exe" 
 
"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"Run" = "%windir%\cprog.exe"  


Genie commands:
Mypass                    Change default passowrd
Myport                    Change defult port
Lock                        locking Taskman and registry editors (win2k/xp)
UnLock                   Unlocking Taskman and registry editors (win2k/xp)
Reset                       Reboot windows.
Exit                          Close current connection.
Vshutdown              Shutdown the virus.


Now to conect to remote host you have to type   Telnet "targets_ip" 1179
then type "hello" to activate the program.
And the last step is to ask you the password and by default password is "katerina".
That's it.

prncipia

This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.