Archive Helmet Icon Archive A Reconstructed © MegaSecurity Database

I Feel Lucky I Feel Very Lucky

Spybot 1.2a

Released 23 years ago. April 2003

Copyright © MegaSecurity

By Mich

Informations
Author Mich
Family Spybot
Category Remote Access
Version Spybot 1.2a
Released Date Apr 2003, 23 years ago.
Language C, source included
Additional Information
Server:
dropped files:
c:\WINDOWS\SYSTEM\avg32.exe   Size: 20.512 bytes 
c:\WINDOWS\SYSTEM\KEYLOG.TXT 

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "Winsockport" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Winsockport"

Author Information / Description
Spybot1.2a by Mich	
Opensource irc bot
		 
Date: 08:04:2003

Fixed the kuang spreader 


Date: 05:04:2003

Features: 

- HTTP server
Bot has now a build in http server with option to set rootdir and port 
example: if you set port t0 81 and rootdir to c:\ and you go to url http://victums.ip.address.com:81/ then it will list al files
and dirs in the c:\ dir (same as a filemanager)

- Threads list list of all running threads and option to kill a thread

- Port scanner

- Syn flooder

- Kuang2 and sub7 spreader 

- KaZaa spreader

- Remote cmd.exe runs cmd.exe hidden on the remote pc this allows you to do commands like netstat ftp telnet etc. etc. (doesnt work on win9x as far as i know)

- Keylogger Online and offline keylogger

- PortRedirect

- List processes  
Shows al running processes. 
You can kill a process.

- AV/Firewall killer

- DCC Send
You can send a file to the bot with the normal dcc send option in mIRC (only tested it with mIRC6.03 get it from www.mirc.com)

- Get File
Download a file from the bot�s pc (the bot will start a dcc send)

- DCC Chat
Just normal dcc chat option in mIRC all commands will also work here, use this if you want do giff a command that has a lot of output most irc servers will disconnect the bot if it sends a lot of data.

- List files
List al files and dirs within your sears query example list c:\windows\*.exe will list al .exe files in the windows dir

- Hostmask match login
When you do the login [password] commands the bot checks if your hostmask matches a hostmask in the trusted hosts list (settings.h). if not you cant login 

- Raw Commands (on connect and onjoin)
Bot reads a list of raw commands when its connected or joins a channel
Example:
On join:
	MODE $CHAN +nts
	MODE $CHAN +k trojanforge
On Connect
	MODE $NICK +I

- Computer info
Gives some pc info including ip address
 
- Topic commands
Option to gif the bot a command with the topic (when the bot joins the channel)

- Lists the passwords (only win 9x)
- Execute, delete, rename file And make dir
- Sendkeys 
- Open/close cd-rom
- Reboot pc
- Disconnect for x sec.
- Reconnect
- Quit 
- Raw commands


Commands list

Login password
raw [raw command]							(example: raw PRIVMSG #spybot1.1 :hello)
list [path+filter]	  						(example: list c:\*.*)
delete [filename]							(example: delete c:\windows\netstat.exe)
execute [filename]
rename [origenamfile] [newfile]						(example: rename c:\windows\netstat.exe c:\windows\netstatbackup.bak)
makedir [dirname]							(example: makedir c:\test\  )
startkeylogger 								(info: starts onlinekeylogger and output's to the channel\query\dcc chat)
stopkeylogger
sendkeys [keys]								(info: simulates keypresses, to simulate return hit ctrl+b (bold in mIRC) and for backspace ctrl+u (underlined in mIRC))
keyboardlights								(info: flashes his keyboard lights 50x)
info									(info: gives some info)
passwords								(info: lists the ras passwords in win 9x)
listprocesses								(info: lists all running proccesses)
killprocess [processname] 						(example: killprocess taskmgr.exe)   NOTE: if with listprocesses the entire path shows up you must use it with killprocess to)
reconnect
disconnect [sec.]							(info: disconnect the bot for x sec. if sec. is not given it disconnect the bot for 30mins.)
quit									(info: bot quits running)
reboot
cd-rom [0/1]								(info: opens\close cd-rom. cd-rom 1 = open cd-rom 0 = close)
httpserver [port] [root-dir]         					(example: httpserver 81 c:\)
syn [host] [port] [delay msec.] [times]					(example: syn 127.0.0.1 80 100 1000)
redirect [input port] [host] [output port]				(example: redirect 100 eu.undernet.org 6667)
threads									(info: will list al threads)
killthread [number]							(info: kills the selected thread)
get [filename]								(example: get c:\windows\system\keylogs.txt will trigger a dcc send on the remote pc)
opencmd									(info: starts cmd.exe on the  remote pc hidden)
cmd [command]								(info: sends a command to cmd.exe example: cmd netstat -an)
scan [start ip address] [port] [delay] [filename] 
example: scan 127.0.0.1 17300 1 portscan.txt 
filename is optional when used result will be logged to the filename, if ip is 0 a random ip is generated

DCC

DCC chat & DCC send & DCC get works with any normal irc client in mIRC the command is: /dcc chat [nickname] and: dcc send [nickname]

Mich

This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.