> Spyware Encyclopedia Page 87 > Messiah

Messiah removal

Spyware Messiah Information
Name: Messiah Category: RAT Date: 2000-11-15 Author: RSC Coded in: Delphi. Compressed with ASPack. Dangerous: Yes

Messiah is RAT which is malware.
Installing it is highly not recommended.

Messiah description by RSC:

Creator: The application has a lot of features, & very useful extras: - you can control the remote machine through your mobile phone!! How?! It´s very simply: you just send an email through sms from your handy to a given POP3 emailaddress, & the server will interpeter it. - you can control more than one machine with your handy... - you can mailbomb anyone... Sounds good, ehh? :) History: It was accessable a friendonly beta version of this prg, but I got very few feedback :( If you´ve any idea, write me them. [+] Winzip icon for the server :) [*] Crypted settings in the server [*] New keylogging engine, so the server probably works on NT yet [*] New communication protokoll between clients & server so you can control the server with a pure telnet client too. So it´sn´t neccesary for me to write a linux client, too :) What´s new in mE$$iAh v1.0? 2000.08.18. [*] New readme file, I corrected some englisherrors... [*] You could start the server twice... I fixed this bug. [+] Many new commands´re added: MD, RD, DIR, STARTKL, STOPKL STARTFTP, STOPFTP, STARTBOMB, STOPBOMB, MSGSHOW, WALLP, CACHEPWZ, SLEEP, SOUND, LISTPROCESS, KILLPROCESS, DONTDELETE, INFECT [-] The command PWZ is not any more, its new name is: RASPWZ [+] You can make own server file with the makeserver application, called tHe_g0D. [*] The client has new design (:-) & its new name is mADaNgEl. Thanks for the logo to Nestan! [*] I´ve changed the name of the MSG command to MSGDRAW. [*] More optimalization on the code. [+] The server uses three random filenames when it copies itself to the WINDOWS\SYSTEM directory [+] Formater has helped me a lot. He wrote the linux clients, too... Big large thanx! Any file: madangel.exe - this is the clients... - size: 307.200 messiah.exe - this is the server... - size: 196.608 readme.txt - you´re reading it now :) - size: XXXXXX thegod.exe - this is the makeserver... - size: 142.336 The server features: [the examples are beetwen these signs] Installing: - taketh mode - it starts itself automatic when Windows starts... Note: for these two functions you must only start the server executable, then you can delete the file, it isn´t needed more time!) - you can protect the server with password, the default is SPY [+PASWnewpassword] - the default port for the server is 2000, & you can modify it, of course. [+PORTnewportnumber] - you can near the server [+CLOSE] - you can near the server, & remove from the machine [+REMOVE] - you must define the host of the POP3 server, via you control the machine [+POPHSTexamplehost] - you mut define the username to the POP3 server [+POPUSRexampleusername] - you must define the password for the username [+POPPWDexamplepassword] - you can define the host of the SMTP server [+SMTPHSTexamplehost] - you can define the username to the SMTP server [+SMTPUSRexampleuser] - you can define the emailaddress to send the answer emails to [+SMTPS2exampleemailaddress] - you can define the timer to checking the online status. Default is 60000 (=1 minute) [+TIMERexamplemilli2ndsnumber] Note: you must define up the three POP settings, then you can control the server, & upload file through email. If you define up the SMTP suxxz, then you´ll get email notification for the victims online status. The server checks the online status periodically, see the TIMER value for more. You cannot control the server through your mobile, while you do not define up the POP3 correctly. File management: - you can execute files on the machine of the server [+EXECfiletoexecute parameter] - you can delete files from the server [+DELfiletodelete] - you can copy file on the server [+COPYfiletocopy directory] - you can move file on the server [+MOVEfiletomove newname] - you can download file from the server through email [+GFILEexamplefiletodownload] - you can make a directory on the server [+MDdirectoryname] - you can remove a directory on the server (like deltree!!) [+RDdirectoryname] - you can list the filenames in a directory (the default is *.*) [+DIRc:\*.*] - you can send the server to an email address with the name clinton.jpg.exe :) [+INFECTiveryhate@domain.com] Note: you can transfer any file per email, too. To upload file, you must set the POP3 settings, to download file, the SMTPz. There´s already a new thing to use for filetransfer: the ftp server. Miscellaneous: - you can open the CD tray [+CDOPEN] - you can near it, too :) [+CDCLS] - you can turn watch off [+MONOFF] - & on, too [+MONON] - you can near the actual window [+CAW] - you can send message to the remote machine [+MSGSHOWThis is an example message] - you can draw a message to the remote machine´s display [+MSGDRAWThis is an example message] - you can change the wallpaper [+WALLPc:\logo.sys] - you can play sound [+SOUNDc:\windows\media\The MS Sound.wav] Machine: - you can suspend the system [+SUSP] - you can restart the machine [+REBOOT] - you can shut down the machine [+POWER] - you can lock up the remote system [+LOCKUP] - you can start keylogging (it´ll store the log in C:\WINDOWS\SYSTEM\WINA386.DLL) [+STARTKL] - you can stop the keylogging [+STOPKL] - you can start FTP server [+STARTFTP] - you can stop FTP server [+STOPFTP] - you can send mailbomb to anyone (if you do not use parameter, the server will send the mails to the previos victim) [+STARTBOMBemailaddress] - you can stop it [+STOPBOMB] - you can pause the server processing the commands for half minute Eg. you send an email with this subject: [+CDOPEN+SLEEP+MSGSHOWyou f*ck+SLEEP+OPENCD] Note: power off does not work properly on NT, I think. There´s Lockup code for NT. Datas: - you can get the RAS passwords [+RASPWZ] - you can get the cached passwords [+CACHEPWZ] - you can get the current username [+CUSER] - you can get the directory of windows [+WDIR] - you can get the active processes [+LISTPROCESS] - you can kill process [+KILLPROCESSprocessletter] Final Note: to control the server through you mobile phone, you need to send an sms-email to the emailaddress POPUSR@POPHST. The commands have to be in the subject. you can use more than one command in once, eg: +CDOPEN+MSGYou f*ck!+LOCKUP If you´d like control more than one computer through email, then define the POP things same on all computers, then you can send command like this: [+DONTDELETE+MS

This RAT is also known as:

•Backdoor Program - named by Panda.
• Backdoor.Delf.ap - named by a.
• Bckdoor.Messh.10.
• Backdoor.Win32.Messah.10 - named by Kaspersky.
• Win32/Messah.10 trojan - named by Eset.

>> Delete Messiah automatically - Download Spyware Doctor

Messiah Removal Instructions
Kill the following processes messiah1.0_server.exe, j4ysrv.exe
Delete these registry entries HKEY_LOCAL_MACHINE\software\spy
Remove the following files backdoor.messiah-0_1-client.trojan.vex, messiah1.0_server.exe. j4ysrv.exe in Windows\system\

Bookmark Messiah page

Previous Spyware: Remove Messev.3016

Next Spyware: Remove Messiah 1.0