|
· Overview ·
|
Overview |
|
Summary: |
Remote windows administation tool that uses BackOrifice or NetBus servers on Windows. Connect to a remote PC and capture text, passwords, send system messages, play sounds, show bitmaps, send victim to any URL, change servers port, etc. Recent versions have GNU support, NetBus commands, portability to other platforms (BeOS, QNX and 64bit architectures like Alpha) and async network I/O. |
Vendor Notes: |
GirlFriend 1.3 From the doc: GirlFriend 1.3 by General Failure 1. DESCRIPTION Girlfriend is a program which allows you to get information on applications running on remote PC. That means that if any computer connected to net is infected with GirlFriend - you can connect to this PC and "steal" such information as: - text, that "infected" user enters to any window containing password field; - passwords, which "infected" user enters to password fields. You also can: - send "system" messages to remote PC; - play sounds; - show bitmaps (.bmp pictures); - send "victim" to any URL; - change server's port; - hide GF Client with BOSSKEY=F12; - scan subnet for infected servers; - ping server; - save windows list; In future versions you'll find a file manager... GirlFriend 1.3 pack includes: a) GirlFriend Server (windll.exe) - this file is for "victim"; b) GirlFriend Client (gf.exe); c) help text file (gf.txt) 2. HOW DOES IT WORK? GirFiend Server sits on infected computer and looks for windows in which user enters passwords. Server writes these passwords with other textfields in that window to registry and send this list on your demand. 3. INFECTING First you have to infect "victim": if you haven't physical access to victim's PC - send him windll.exe. You may rename it and/or attach it to any other executable file using silkrope (you may take it on www.netninja.com/bo/silkrope.html). When victim executes this file, GirlFriend will write itself to Windows' directory and rename itself to windll.exe. It also will write a string "Windll.exe= 4. CONNECTING FROM CLIENT To connect to GirlFriend Server run GilrFriend Client (gf.exe) on your PC. Then in field "IP:" enter IP address of infected computer. In field "Port:" enter port which GirlFreiend Server "sits" on (default=21554). Then press "Connect" button. When client connects to server in statusbar "Connected to: " appears. If there will be message like "Error connecting to " - it means that server is not active (may be victim hadn't execute it?). You also can scan subnet for infected PC's writing ip like this: "194.83.11.1+ 254". 5. COMMANDS When you are connected you can: - press "Show Passes" button. It will show a list of processes (windows) containing password fields with passwords and other textfields data in this window (e.g. window of remote access with Username, Password, Connection name, etc.). - press "Send Message" button. There will appear a windows with types of system messages which you can show on remote computer. - press "Reset Password List" button which deletes the server's password list in "victim's" registry. - press "Custom" button to enter custom commands to server. Here the list of them (instead of words in parentheses you have to write specified data( without parentheses)): TEST? - sends "Are you alive?" request to server. Server's answer in "Server's answers" list must be "Server is alive!" ver - asks for server's version KillHER - kills server (clears registry from server, but it doesn't delete windll.exe from Windows' directory) {U} {S} {P} DOWN - switches "looking for passwords" timer on server OFF (server won't scan for passwords) UP - switches "looking for passwords" timer ON setport That's all I think... I don't remember more :) You can press F12 to tray client and then press on trayicon with right button to use these commands from popupmenu. Press "About" button to know "more" about this program. Press "Save list" to save windows & passwords list to text file. I think that's all what I can tell you about my program... If you'll have any questions/suggestions please write me to gfailure@iname.com. Enjoy! Regards, General Failure. P.S. Oh! I have forgotten to notice that it also takes passwords from Web sites which infected user inputs! |
Alias: |
Backdoor.GF.13, Backdoor.GF.135.a |
See Also: |
Kid Terror 1.0 |
Category: |
RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment. |
Variants: |
|
Similar Pests: |
RAT |
Origins |
|
Author: |
General Failure |
EMail: |
gfailure@iname.com |
Programming Language: |
Delphi |
Date of Origin: |
Variants from November, 1998 to September, 2001 |
Place of Origin: |
Russia |
Distribution |
|
Prevalence: |
|
Clot Factor: |
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone. |
Countries Affected: |
In the past three months, we have received reports of GirlFriend in United States. |
Operation |
|
Platform: |
Windows 9x. |
Default Port: |
21554, 22554 TCP More info about ports. |
Storage Required: |
|
Restart: |
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Windll.exe" Autostarting Pests |
ScreenShot: |
|
GirlFriend 1.3
GirlFriend 1.35
GirlFriend 1.35 client (a)
Risks |
|
Detection Issues: |
Difficult to detect by design. May hide from process list. May install with variable names in variable locations. |
Detection and Removal |
|
Automatic Removal: |
|
Manual Removal: |
Follow these steps to remove GirlFriend from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake. |
| Stop Running Processes: Kill these running processes with Task Manager: | |
| Remove Files: Remove these files (if present) with Windows Explorer: | |
Research |
|
File Analyses: |
|
More Info: |
|
Research By: |
|
Last Revised: |
April 03, 2005 |
PestPatrol detects this.