spyware removal instructions

Godmessage removal

Spyware Godmessage Information
Name: Godmessage
Category: Vulnerability
Date: 2001-10-02
Author: Nicula Laurentiu
Dangerous: Yes
Godmessage is classified as vulnerability-type spyware.

If conditions are met, simply viewing an HTML page with Outlook in Preview Mode or a web browser will install files on the user's machine. Exactly what this parasite does depends on the version.

From the doc: What this does, in a nutshell - it uploads a hex'd version of the Thing server v1.6, reconstructs it into an executable, runs it... then, on next reboot deletes all of the files in the startup folder before they are run a second time. It is exploitable by email, webpage, or newspost. There has been a patch released for the script lib... but, because MS does not advertise these things & people do not update their platforms ['what the hell is script lib?', 'do I have to reboot, no way!', they say]... you will find a very big number of platforms "at risk".

****************

Also included, just for kicks - a version that formats the c drive. An older, slightly "loud" version that instantly downloads & runs a trojan from a Xoom FTP site of your choosing, & instructions so you can basically use any application other than just the Thing, as long as it is about 8k in size. Also, included is an experimental destroyer that will start deleting everything not running on your hard drive at the time - immediately upon viewing the HTML.

You should remove it from your system as soon as possible.

Godmessage description by Nicula Laurentiu:
Vendor: The Godmessage III.

PROPAGANDA -> The Godmessage is the trojan you've never heard of. You view the webpage & it uploads the binary to your system. You never know what hit you. It has been tested thousands of times. The general public isn't aware of these sorts of code because they're designed not to be found on people's platforms. Yet, I present this code in good faith to make people completely aware of the dangerous situation they stand in. The code holds a binary trojan hexed in there. Soon, its ports will be on scanners across the world, then on firewalls across the world. The code just as easily could hold any binary 9k or under, including CIH & several other small pieces of code that do horrible things.

For VULNERABLE See below

LAST MINUTE NOTES:-> This code should still be considered rough. ie, don't spend a lot of time on it. command.com is used, which has been tested fine on w2k, but would not work on NT, you must find & overwrite everything with cmd. But, who uses NT anymore? The self-delete stuff is buggy & needs some work. Anyway, there are some limitations, but - of course - these are minor considering the number of platforms at risk. If anything from here, I'd wanna port everything to vbs & finish it from there... though, hopefully, I would not have the compulsion. Lotsa of other stuff to do.

Using through email or news-> Don't, but in theory, one would wanna have a refresh to a webpage because of the weight of this. A DHTML refresh. One can even surmount the recent Outlook "fix", by closely reading www.securityfocus.com. BUT NO ONE IS USING THAT, SO DON'T WORRY. In my humble opinion, MS needs to inform users that they need to upgrade to the security fix, & they need to implement an automatic upgrade system that has been okayed with the privacy teams immediately.

HISTORY -> It was originally released well before bubbleboy or KAK, the more famous virii that used this same sort of bug.
Again, as I stated in the 1st readme, this could've been a worm. It's inevitable someone'll make a worm with this bug. I didn't make it into worm now nor then because that would be the same thing as releasing a virus. It'd destroy the internet, & disrupt the financial platforms... which might seem pleasing to those who do not think. But, the fact is that it'd ultimately only hurt the poor. The godmessage was originally called simply "evil.html".

WARNING: READ FIRST! This code is marked CONFIDENTIAL. Which you, by reading this, agree means, that you may not view this code. "This code" meaning godmessageIII.html & flipscreen.html. The 2nd rule is that you may not speak of the existence of this code. And, the 3rd rule is that this code does not exist. The 2nd rule includes the meaning that you may not show this code to anybody else.

Pre-Amble:-> This time, I made it easier to use because I got rained with tech support ever since. (Always the same inquiries). Basically, people were having a hard time cutting & pasting the code in there, because even a space or an extra semi-colon will mess it up. Which sort of defeats the purpose of releasing demonstration code.

USAGE INSTRUCTIONS-> TWO FILES IN HERE:->

godmessageIII.html - view, get rooted. It's a modified tHing 1.6 server without ICQ notification, without hide process (so it'll run on NT/w2k). A fellow named splyc took out the ICQ notification which I got from blade's forums. I took out the hide process function because it was not allowing the tHing to run on NT or 2k. The tHing listens on port 7777 & the password is pass. Get the tHing client at come.to/soul4blade Warning: The client doesn't quite work right with this modification, however while it may appear like the upload & run function does not work - it does. The progress meter is just busted with this.

flipscreen.html - does not root system, runs a "joke virus" for fun. Flips person's screen every time they reboot.
Just have them view the html, through webpage, whatever.

CREDITS ->

Georgi Guninski found the bug in the 1st place. The man is a walking bug finding genius. This project has absolutely no relation to him.

Stone Fisk - helped in rooting out a last minute bug, & helped in the creation of the original godmessage a great deal.

6IT - for a last minute bug fix, as well, the idea to change c:\ to windir. DOH! (I do have a real job)

Exxtreme, Nicula Laurentiu of eEye (all who helped me with the original godmessage).

Sugien - of alt.hackers.malacious, who got me onto the track about hexing any file to use in the 1st place with this, and whose name I forgot in the previous packetstorm/tlsecurity release.

Dabbler, aka ChuckX, aka Chuck -> who helped test the original and helped make the tHing with Blade

Blade, fc, M_R, Ganja51, slim -> the guys on the tHing team (of whom this project has no association with except that it uses Blade's trojan)

"Shoutz Out" -> all of the regular bullshitters at alt.fan.cult-dead-cow, everyone else on the cDc Hacktivism project, the guys who made spam a delicious treat; GM, for recalling their tires; televangelists for preaching bullshit for money (and, I can say that & not be in trouble); AND TO THE CLUB OF WHICH WE CAN NOT SPEAK OF

Vulnerable:

MS Internet Explorer 5.5
    - MS Windows 98
    - MS Windows 95
    - MS Windows NT 4.0
    - MS Windows NT 2000
Microsoft Internet Explorer 5.01
    + MS Windows 98
    + MS Windows 95
    + MS Windows NT 4.0
    + MS Windows NT 2000
Microsoft Internet Explorer 5.0 for Windows NT 4.0
    + MS Windows NT 4.0
Microsoft Internet Explorer 5.0 for Windows 98
    + MS Windows 98
Microsoft Internet Explorer 5.0 for Windows 95
    + MS Windows 95
Microsoft Internet Explorer 5.0 for Windows 2000
    - MS Windows NT 2000
Microsoft Internet Explorer 4.0 for Windows NT 4.0
    + MS Windows NT 4.0
Microsoft Internet Explorer 4.0 for Windows NT 3.51
    - MS Windows NT 3.5.1
Microsoft Internet Explorer 4.0 for Windows 98
    + MS Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
    + MS Windows 95
Microsoft Internet Explorer 4.0 for Windows 3.1
Microsoft Outlook 97.0
Microsoft Outlook 98
    - MS Windows 98
    - MS Windows 95
    - MS Windows NT 4.0
Microsoft Outlook 2000

This Vulnerability is also known as:
GodMessage.
GodMessage IV.


Godmessage Removal Instructions
Kill the following processes
godwill.exe
Remove the following files
default.html, example.vbs, god.bin, godwill.exe, outlookjs.class, readme.txt, readmede.txt, readmees.txt, readmeit.txt.
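
The list above includes names such as readme.txt and default.html that also exist on clean machines, so a search by name alone over-reports. The following added example (not part of the original page or of any removal tool) walks a directory tree, flags folders that hold godwill.exe or several listed names together, and records size and SHA-256 before anything is deleted. The threshold of three and the sample tree are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

# File names from the removal instructions above; compared case-insensitively
# because Windows file names are case-insensitive.
LISTED = {"default.html", "example.vbs", "god.bin", "godwill.exe",
          "outlookjs.class", "readme.txt", "readmede.txt",
          "readmees.txt", "readmeit.txt"}
PROCESS_IMAGE = "godwill.exe"  # the process the page says to kill
MIN_HITS = 3  # assumption of this example: co-occurrence threshold


def sha256_of(path):
    """Hash a file so it can be recorded before it is deleted."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage(root, min_hits=MIN_HITS):
    """Map each flagged directory to [(name, size, sha256), ...]."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(f for f in files if f.lower() in LISTED)
        names = {f.lower() for f in hits}
        # readme.txt or default.html alone is normal; flag the executable
        # by itself, or several listed names together in one folder.
        if PROCESS_IMAGE in names or len(names) >= min_hits:
            paths = [os.path.join(dirpath, f) for f in hits]
            findings[dirpath] = [(f, os.path.getsize(p), sha256_of(p))
                                 for f, p in zip(hits, paths)]
    return findings


def build_sample_tree(base):
    """Constructed sample data: a benign folder and one matching the list."""
    layout = {"docs": ["readme.txt", "default.html", "notes.txt"],
              "temp/drop": ["GodWill.exe", "god.bin", "example.vbs", "readme.txt"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in names:
            with open(os.path.join(base, sub, name), "wb") as fh:
                fh.write(b"constructed sample, not malware\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, rows in triage(build_sample_tree(tmp)).items():
            print(folder, [name for name, _size, _digest in rows])
```

The script only reports; review each flagged folder before killing the process and deleting the files.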
