Kwisatz
Member
Posts: 632
Everything posted by Kwisatz
-
If you mean insults, anything but 'Yo Moma'. Nobody cares about their mother really, but they pretend to show interest. If somebody gives you a Yo Moma, just say "I don't give a **** about a fat old haggety *****." Of course, I love my mother, but lots of people don't.
-
Scroll up and down your playlist slowly so Winamp scans all the tracks that you have. I DO do that, but when I generated the list into HTML it didn't work... MY computer is currently KIA, some program that I downloaded that was supposed to get rid of Kazaa COMPLETELY has in fact disabled my computer from connecting to the internet... thanks a lot, Merc :roll: I know, sometimes Winamp crashes when I play certain songs. btw, I'm crazy, so how do I go about converting those tracks to mp3? Well, just Google for "wma to mp3 converter" and you'll find something. Google is your friend :). That's how I did it.
-
Note that those Track # files are from Reanimation, Linkin Park's second album... dunno why the names haven't changed though, so any suggestions would be appreciated :wink: Eww... you use WMA! Seriously, I'd convert all those tracks to MP3, and go to universal compatibility. Winamp has some problems playing WMA anyhow...
-
No, it doesn't. I've been a member for 1.25 years now, and I only have a 500-some count cumulatively. Lately, though, I've been spamming (bad me!), not on purpose, but I've been trying to reply to every topic I see. I have to get out of that habit...
-
You only just figured that out?? :lol: . They're meant as a temporary replacement or for people too cheap to get their own. Besides, I'm upgrading it soon :P.
-
Make a quick one yourself here Dang it, I'm tired of telling people that. Too bad I can't sticky anything about it...
-
I found some tuts and now I'm messing with layers and such
-
This guide was on the old forums. I dug it up from my backups and reposted it here, in full form, except with the last section completed and some of the more sensitive material removed. Suggestions welcome.

BTTF Man's Ultimate Insider's Guide to Trojans
"Everything you wanted to know because you were victimized but were afraid to ask!"

Well, after seeing all of the "I've been hacked" posts and such, I've decided to write a guide about trojans and how they work. However, what makes this guide special is the fact that it's from the malicious user's point of view. Meaning, rather than speculating from reports of a trojan and such, I have actually gotten information about the forces behind the trojans (I will not say how, because the last time I did, certain people got mad at me, and I don't blame them).

DISCLAIMER: I do not guarantee that this guide is free of technical, spelling, or grammatical errors; however, I have done my best to make it so. I will not be held responsible for whatever you do with the information contained herein. I wrote everything myself and took all screenshots, unless indicated. Also, please note that I will be posting this in separate sections which I will release at regular intervals (daily, I hope), since I am an impatient, stubborn little monkey, and so you don't feel overwhelmed having to read a whole bunch of technical ramblings at once :P. Now, let us begin!

BASIC TROJAN PROCESS AND TECHNIQUE
Section I; Added April 27 2004

What exactly is a trojan? How is it different from a virus?
The most commonly accepted definition of a trojan is any malicious program that allows a malicious user (which will be referred to as a hacker from here on in, even though they would be crackers and aren't even that) to control and/or monitor your computer. The primary difference between a trojan and a virus is the fact that viruses are destructive. While a trojan can be used for destructive purposes, it is most often used by a person to obtain information, such as passwords, or just 'for fun'. And, trojans do not [usually] replicate themselves and spread, although the user can manually email/IM/whatever it to the victim's friends. A trojan may also be referred to as a rootkit or Remote Administration Tool (RAT for short).

What groups are trojans classified into?
Trojans are classified into four primary groups: keyloggers, 'lite' trojans, full trojans, and downloaders. A keylogger's primary function is to log the keystrokes and windows of a victim so that passwords may be obtained, but it may also contain several other small features. Lite trojans are trojans that include basic capabilities such as screen capture, keylogger, file manager, and the like; they are seldom used by avid hackers. Full trojans are full-fledged trojans that have a great many features, and are the most destructive. The downside to this is that the file size is relatively big (200KB-ish regular, 70KB-ish UPXed; more on this later). This is where the next group of trojans comes in.

What is a downloader?
A downloader is a small transparent program that downloads and executes a file/files from an HTTP server, or a website. This means that it can be easily bound to another program, since it is so small (more on binding later). Downloaders are often used to download a full trojan, saving file size and making it more stealthy.

How would I be infected?
Well, there are many possibilities. The first is that you downloaded an e>

What is binding?
Modified April 28 2004
Binding is the process of taking two separate programs and combining them into one, somewhat like a .z!p file, only an .e>

BINDER CODE (what separates and executes the combined files)
------------------------------------------------------------
FILE 1 (one of the files to be extracted and executed)
------------------------------------------------------------
FILE 2 (the other of the files to be extracted and executed)

Then, when the bound file is run, it will either execute or drop a file in a specified folder. So, even if an application loads, it may have a trojan bound to it. Some of the better binders may also bind more than two, as well as scramble it and UPX or FSG it.

What is UPX and FSG?
UPX and FSG are two methods of taking an executable file and making it smaller through compression. This is similar to a .z!p file in the aspect of compression, but it differs in the facts that it doesn't need an external program to decompress it and that it is only one file, as in the below diagram:

DECOMPRESSION CODE (what decompresses the program code)
------------------------------------------------------------
PROGRAM CODE (the actual program to be run, only compressed)

As I mentioned earlier, UPX and FSG can take a 200KB file and make it 70KB, so watch out!

What will happen in the infection process?
Here are the actual steps of what happens when you get infected (in no particular order):
1. It will copy itself to the Windows or System folder and delete the original copy.
2. The trojan will run (duh) and connect to the internet.
3. It will notify the hacker through the chosen method of notification (details below).
4. It will add startup entries so that it runs when the computer starts up.
5. It will display a fake error message and/or run the program it's bound to.
-OR- (if it's a downloader)
1. Connect to the internet and download the trojan.
2. Execute the trojan.
3. Delete itself.

How does the hacker know I am online and they can connect to my computer and control it?
Almost every trojan has built-in notification that uses some form of communication; the most popular ones are listed below.
Email: An email is sent to the hacker with details about your computer and all info necessary to connect to it.
SIN: Your computer sends a message to the hacker, and the hacker instantaneously receives the notification. They can then reverse-connect, thus bypassing a router or firewall. This is the only method of notification that can do this. The downside is that it can be easily traced (unless they're using a proxy or a service like NoIP), but many people still use it.
YIM/MSN/AIM/IRC: The hacker receives a message via chat or IM giving them details.
Website: Your computer invisibly visits a website and sends information to the website, which then logs your computer and adds it to a list. The hacker can then check this list and see the info your computer left.

What will be in the next section: An inside look at one of the more popular trojans
-All capabilities revealed
-How to trace it revealed
-How to remove it revealed
-Screenshots of the builder

What will be in sections after that:
-Stories from actual hackers of what they do to their victims
-More about how the trojan's underlying code works (geeky technobabble)
-How to defend yourself (know what does and doesn't work, in great depth)

AN IN-DEPTH LOOK AT CIA - A POPULAR TROJAN
Section II; Added April 28 2004, Last modified on October 4 2004

Well, the information in the above section was only about trojans in general. In this section, I shall examine a specific trojan, which will be referred to only as CIA, so as to avoid any Googling by some of the shadier forum users. This trojan is one of the more popular ones, and out of Sub7, Beast, Optix, and NetDevil, it has the most extensive features. Believe me, NetDevil is NOTHING compared to this. I will be examining and analyzing how it works, what it can do, how to remove it, how to detect it, and how to trace it. Please note that these explanations do not apply to all trojans; you will have to go to other places for that. This is simply an explanation of one of the more advanced trojans, so you may be prepared for this and whatever else may come your way.

Features:
A general list of features compiled by myself is below. Here are the features that are available when the trojan itself is being created:
Icon change
UPX compression
Many different startup methods (I'll talk about this in greater detail later)
Ability to run a SOCKS (proxy) or FTP server
Fake error message
...and this list is abbreviated, containing only general features, so watch out!

Startup methods
CIA has a multitude of different startup methods that, when used, can make the trojan almost impossible to remove, unless you know where to look. You can use the Microsoft utility msconfig to remove these references (except for two, which I will mention). To start msconfig, go to Start>Run and type msconfig. You will then be able to navigate through multiple tabs and views to check, uncheck, and delete startup references.
**NOTE: I will not be able to provide exact filenames, since that is changeable by the hacker.
Here are the startup methods available:
Registry run: It starts up from the registry. Go to the Startup tab. If anything looks out of the ordinary, Google for it. If nothing comes up, it is most likely the trojan. Delete it.
Registry run services: It starts up from the registry, but in a different location than the previously-mentioned one. If you see a duplicate of the entry you deleted from the above method, this is it. Delete it.
ActiveX: This one is a bit fuzzy, but I think it's whenever an ActiveX (special type of add-on for programs) is run, the trojan runs as well. Nothing you can really do about this, I don't think.
System.ini: It places itself in the System.ini folder. To remove it, go to the System.ini tab and look through all the sections. If you find an entry similar to the one from the Registry run, delete it.
Win.ini: Same as System.ini, except in a different file. Do the same thing as described above to remove it.
Explorer run: The trojan binds itself to the explorer[Caution: ExecutableFile] file, which is the core of Windows, so there's nothing you can do about this, except restore a backup.
Windows NT run: Not quite sure about this one, since I'm not on NT or XP, but from what I've gathered, it latches itself onto some of the NT-only files that are required by Windows to run.

Connectivity information
The trojan runs itself on ports 6222, 5222, and 4222 by default, although these can be changed by the hacker (but are often not). If you suspect somebody is connected to your computer, pray to God they are not monitoring your windows too closely and go to Start>Run and type in command. From there, type netstat -a and you'll get a list of ports. If anything says 6222, 5222, or 4222, they're in, and you should yank out your internet connection and remove the trojan immediately.
The trojan also goes through Internet Explorer to use the website notification features. Check your history in Internet Explorer. If you see a site you haven't been to (hackers usually use Netfirms or Lycos UK), it may be the logger. Go to that page. If a blank page or a page with a password entry box comes up, it's their logger. Remove the trojan immediately.

Underlying code (GEEKY TECHNO-BABBLE)
Although I will not provide exact code, the author of the trojan has shown some people how to do certain things. First of all, you must realize that the trojan is coded in Visual Basic 5 and 6, before you get anything else. That and the fact that the server (trojan) is coded in VB5, whereas the client and builder (control program and creator, respectively) are coded in VB6. Now, to the code!
The trojan utilizes many of the core .DLL files of Windows to run. These files include, but are not limited to, kernel32.dll, user32.dll, and other files required by Windows. It also uses some of the built-in functions of VB to do things such as log keys, and uses plugins that are uploaded to the victim's computer to access certain functionality (more on plugins next).

Plugins
The trojan uses several external files to access functions that are otherwise not built into the trojan. For instance, all of the major features are integrated into the trojan, except for screen/webcam capture, password recovery, and MSN/Yahoo functions. This enables the trojan to maintain a small filesize. So, whenever the hacker uses these features, he uploads them to the victim's computer. The trojan can then use the features. The filenames of the plugins are static (always the same), and here they are:
cjpg.dll - The screen and webcam capture functions.
msn6.cip - The fake MSN messenger screen.
yah5.cip - The fake Yahoo IM screen.
pspv.cip - The password stealer.
If you suspect you are infected, run a search for these files on your computer. If you find one, you are infected.

Tracing
It is very possible to trace the source of the trojan, either through their IP address, their No-IP address, or their logger hosting. To trace anybody, go to the MS-DOS prompt and type netstat -a to see a list of connections. If something with no-ip.com in it comes up, or anything on 6222, 5222, or 4222, make a note of the date, time, address, and any symptoms you had of infection. Then, if it's a No-IP address, go to their web site [http] and report abuse of it. If it is just a regular old IP address, note the date, time, and other junk and call up the local police station; they may be able to handle it. Or, if you checked Internet Explorer and found their logger page, send an email to the abuse department of the web host telling them about it. Congrats, you just busted a hacker :).

Removal
It is not very easy to remove a trojan of this caliber. But, here is what you can do:
1. Verify that you have the trojan.
2. Note the filename of the trojan from the startup entries, and delete them.
3. Delete the trojan (the filename you got from the startup entries).
4. Locate and delete the plugins (a file search will do).
5. Change your passwords.

How the Server Builder Works
The Server Builder is able to create a complete EXE with nothing more than a 2MB file. How is this possible without, say, a Visual Basic compiler, you might ask? Well, this trojan, just as many other related tools, uses stubs, or parts of the end-product. The Server Builder generates the code from the entered values, and then merges it with the stub, creating a complete EXE. This may seem idiotic on the hackers' parts, but it isn't; this enables them to scramble/recompile/compile undetectable stubs, which mean undetectable servers, which mean undetectable trojans.

Coming next:
-How to defend yourself (know what does and doesn't work, in great depth)

HOW TO PROTECT YOURSELF FROM CIA AND OTHER POPULAR TROJANS
Section III; Added July 1 2004, Last modified on October 4 2004

How to defend yourself
Here, I will talk, in great detail, about how to defend yourself from this and other trojans.

Anti-virus
This may or may not work. Some anti-virus applications do not go beyond the scope of simple self-propagating, destructive viruses, meaning that you are not protected against trojans or spyware. The virus which I talked about in this guide is not detected by Norton, partially detected by AntiVir, and completely detected by McAfee. So, my advice to you is to not open suspicious files. However, when I say that AntiVir partially detects it, I mean that it must get on your computer before it can detect it. And since CIA and many other trojans can shut down anti-malware processes, the only truly safe choice out of the mentioned applications is McAfee. This does not mean McAfee is the best; it simply means that in this particular case McAfee is the best. My advice to you is to get Nod32, which is mentioned later in this guide.

Anti-Spyware
As with anti-virus, this may or may not work. Seldom do anti-spyware vendors classify trojans as spyware. PestPatrol is the only one I know of that does. So, if you don't have McAfee, get PestPatrol.

Firewall
This may or may not be useful. Once the trojan gets on your computer, it will sometimes try to broadcast the IP address or "phone home". If you have a firewall, this can be stopped, as well as the hacker connecting. However, if the trojan kills your firewall, this is pointless. But still, it's good to have a firewall.

Avoiding infection
The most vital part of stopping a trojan infection is to not even get it on your computer in the first place. This requires common sense. For instance, don't download files from suspicious websites or accept files from anybody, via IM or email. If your "friend" messages or emails you, ask your friend to bring a CD or floppy to your house to give you the file(s). Or, ask them to mail it if they live far away.

Windows update
A fellow reader mentioned that I neglected to mention the most useful tool of all - Windows Update. What is Windows Update, you ask? Windows Update is a service, provided by Microsoft, to supply patches to fix the security holes on your machine. In regular terms this means that you download updates and the [majority of] security problems on your machine get fixed. In here, I have a step-by-step guide to using Windows Update.

Windows Update for Dummies
To do this, you will need: A computer, a mouse, a keyboard, an internet connection, a monitor, some semblance of wit, and the Microsoft Windows operating system.
First, navigate in your Internet Explorer to http://windowsupdate.microsoft.com. You'll see a thingus like this:
This means it is checking for the latest version of Windows Update. If any security warning pops up about Microsoft or Windows Update, click Yes. Then, after a short while, a thingus like this shall appear:
This asks you to select what type of update to do. Express is for lazy people, like myself, and will only install the important stuff. The second option will install the entire thing, the big shaboozie, as it were. Click Custom Install, since we want the very finest for our computer. This page comes next in line:
This means it's looking for updates. Leave this and check back in 5 minute intervals, until the next page comes up:
Now, you can either install this big update called Service Pack 2 if you don't already have it (like me), or install other updates. I recommend installing SP2, but for our purposes let's install other updates. Click that option to continue. NOTE: You may not see this exact page if you have SP2. Just click Next or whatever it tells you to click.
Here's the page where you get to choose the updates. Use the checkboxes to select which updates to install, and use the part on the left to select what category of updates to browse. When you're finished, click the Go To Install Updates link to install the updates. It will prompt you a second time; click the Install button. This will pop up:
From here, you will have to do what the onscreen instructions say. You may need to restart your computer one or more times as well. In any case, once this is done and you've restarted, your computer has all the security vulnerabilities sealed and is good as new!
There. This is not foolproof, and you can still be infected if you update a lot. But it's a good rule of thumb to update once a week. See the next section for other utilities that I recommend having in your anti-trojan arsenal.

Popular Utilities
Here are some of the utilities mentioned in this guide, as well as others that are useful.
Firewalls:
ZoneAlarm FREE!!!
Sygate FREE!!!
Anti-virus:
Norton Anti-Virus
McAfee Anti-Virus
AntiVir I RECOMMEND THIS OVER AVG!!! FREE!!!
TrendMicro
Nod32 HIGH DETECTION RATES, CONSISTENT AWARD WINNER
Anti-Spyware:
PestPatrol
SpyBot I RECOMMEND THIS OVER AD-AWARE!!! FREE!!!
Ad-Aware
Online scans can be found at Symantec, McAfee, and TrendMicro sites.

That concludes my guide on trojans. I've finally finished it up, and I hope it can help you protect yourself. Until next time,
BTTF Man
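The guide's two manual checks (read netstat -a for the default ports 6222/5222/4222 or a no-ip.com host, and search the disk for the four static plugin filenames) can be automated so the result is a list of things to note down rather than something eyeballed in a console window. The script below is an added example and is not part of BTTF Man's post or of any tool it names; the netstat output and file list are constructed sample data, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the guide: CIA's default ports and the static
# plugin filenames it uploads to an infected machine.
DEFAULT_PORTS = {6222, 5222, 4222}
PLUGIN_FILES = {"cjpg.dll", "msn6.cip", "yah5.cip", "pspv.cip"}
DYNDNS_SUFFIX = "no-ip.com"

# One row of Windows "netstat -a": proto, local addr:port, foreign addr:port,
# and an optional state column (UDP rows have none). Ports may be "*".
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "port", "dyndns" or "plugin"
    detail: str  # the netstat row or file path that triggered the finding


def scan_netstat(output: str) -> list[Finding]:
    """Flag rows touching a default trojan port or a no-ip.com foreign host."""
    findings = []
    for line in output.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, column headers and blank lines are skipped
        _proto, _lhost, lport, fhost, fport, _state = m.groups()
        ports = {int(p) for p in (lport, fport) if p.isdigit()}
        if ports & DEFAULT_PORTS:
            findings.append(Finding("port", line.strip()))
        elif fhost.lower().endswith(DYNDNS_SUFFIX):
            findings.append(Finding("dyndns", line.strip()))
    return findings


def find_plugins(paths: list[str]) -> list[Finding]:
    """Return the paths whose filename matches a plugin name (case-insensitive)."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in PLUGIN_FILES:
            hits.append(Finding("plugin", path))
    return hits


# Constructed sample netstat output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6222           0.0.0.0:0              LISTENING
  TCP    192.168.0.7:1043       badbox.no-ip.com:1337  ESTABLISHED
  TCP    192.168.0.7:1044       www.example.com:80     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed file listing standing in for the output of a disk search.
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
    r"C:\WINDOWS\SYSTEM\CJPG.DLL",
    r"C:\WINDOWS\pspv.cip",
    r"C:\Program Files\Winamp\winamp.exe",
]

if __name__ == "__main__":
    # On a real machine you would feed in the output of "netstat -a" and a
    # recursive directory listing instead of the samples above.
    for f in scan_netstat(SAMPLE_NETSTAT) + find_plugins(SAMPLE_FILES):
        print(f"[{f.kind}] {f.detail}")
```

A row that both uses a default port and points at a no-ip.com host is reported once, under "port", since that is the stronger of the two signs the guide gives; the plugin check compares only the final path component so it works on paths from any drive or folder.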
-
To all using my sig scripts (vipersoftrunescape.com) READ!!!
Kwisatz posted a topic in Art and Media
The website which currently houses all of my signature scripts, vipersoftrunescape.com, goes down sometime in September. The new site which will contain all of the scripts (random sig script, PhpBB workaround, DynaSig) will be called bttfman.com. The directories will be different, too. So, what's the point in telling all of you users about this? Soon, you will have to change all your signatures to reflect the new site. However, this won't be until a week from now, at the least. And, besides, once the new site is ready, I will make everybody's image a message reminding them to change it to the new site. All current data shall remain intact. So, let me reiterate all of the important points:
-A week from now, you'll change your sig if you're using any of my services, which include the random sig script, DynaSig, and the PhpBB workaround.
-The new site will be called bttfman.com.
-I will make everyone's image into a reminder, so instead of seeing whatever you see now, you'll see upgrade instructions.
-All current data shall remain intact.
Remember, DO NOT CHANGE YOUR SIGS NOW. I WILL TELL YOU WHEN THE NEW SITE IS READY. Eh hem... thank you.
-
Van Halen is the best guitar group in the universe, that's all. You must buy the album 1984 to truly experience the pinnacle of their career.
-
I just got Terragen today and I was messing around with it and made this shot I call 'Strait of Tranquility'. Then, I went into PhotoStudio and put some text over it to make a quick sig. Rate it, please. Suggestions welcome.
-
10/10, because it's Van Halen. I hope you like Dave better than Sammy though...
-
Since you use my script could I get one :P . Nah, just kidding. But that would be nice. Too bad I blow as a sig maker. You can also go to gmail-swap.com and swap stuff for GMail invites.
-
I would like to get Jasc Paint Shop Pro (Photoshop is too expensive). But right now, I am messing around with ArcSoft Photostudio (which came with my camera :P) and Terragen.
-
Make a quickie one yourself here. God I'm tired of telling people this...
-
Or, make a quickie one free, by yourself, in less than 5 minutes, here.
-
The random-quotes signature (it gets rotated randomly with my others, so I'll display it by itself here):
-
Yes, but on the new boards, random sigs don't normally work. But I found out how to get them to. That words of Wisdom thing is about 3/4 year old.
-
Kinda an old post (3 days), but if you go here you can make your own random sig. After you get the URL for it, go here and enter the URL, and use the one you get from there as your signature. I would not be so greedy as to keep it to myself :D
-
Anime series...I don't like anime so even if I gave you my opinion it wouldn't be very valid... Plot: Some person gets stranded in a computer game, and is too afraid of losing his character, so he won't kill himself to get out of the game. Anyway, okay sig, except you might want to try a different font for your name, because the font's getting old (I don't care if I use Dauphin too much, it's good).
-
He was using my service, so I changed his sig... 0wned! Anybody who rips images shall not use my service!
-
Sig Toy Shop! Cool stuff for your sig! Free and pay services
Kwisatz replied to Kwisatz's topic in Art and Media
You provide the quotes and background, and I make it all work.
-
Ugh, the Zybez ones suck.
-
Sig Toy Shop! Cool stuff for your sig! Free and pay services
Kwisatz replied to Kwisatz's topic in Art and Media
*sigh* I'm not creating signatures, darnit! I'm making scripts and providing hosting! As in I'm not a graphic artist but a programmer/service provider! Sorry to lash out at you, but I'm not making signatures!
