Since I like SpyEye, I've tried to make a working unpacked version.
But I'm bad at unpacking stuff, and even worse when I need to fix the code :'(
So, if someone is good at it... contact me :)
Like ZeuS, SpyEye is protected by VMProtect and seems to be compiled with Visual C++ 8.0 (Visual Studio 2005).
So once unpacked (APIs not fixed), I played with the resource file; here is the stuff:
DIALOG - 102
102 DIALOGEX 0, 0, 513, 362
STYLE DS_FIXEDSYS | DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "SpyEye Builder v1.0.6"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 8, "MS Shell Dlg"
{
}
The caption says "SpyEye Builder v1.0.6" but the version is v1.1.39; gribodemon (the author of SpyEye) seems to be a lazy guy.. :)
STYLE DS_FIXEDSYS | DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "SpyEye Builder v1.0.6"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 8, "MS Shell Dlg"
{
}
VERSION INFO - 1
1 VERSIONINFO
FILEVERSION 1,0,0,1
PRODUCTVERSION 1,0,0,1
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904e4"
{
VALUE "CompanyName", "SpyEye Corp."
VALUE "FileDescription", "Builder for SpyEye bot"
VALUE "FileVersion", "1.0.0.1"
VALUE "InternalName", "builder.exe"
VALUE "LegalCopyright", "(c) SpyEye Corp.. All rights reserved."
VALUE "OriginalFilename", "builder.exe"
VALUE "ProductName", "TODO: SpyEye"
VALUE "ProductVersion", "1.0.0.1"
}
}
BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0409 0x04E4
}
}
So it's version 1.0.0.1 now? :)
FILEVERSION 1,0,0,1
PRODUCTVERSION 1,0,0,1
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904e4"
{
VALUE "CompanyName", "SpyEye Corp."
VALUE "FileDescription", "Builder for SpyEye bot"
VALUE "FileVersion", "1.0.0.1"
VALUE "InternalName", "builder.exe"
VALUE "LegalCopyright", "(c) SpyEye Corp.. All rights reserved."
VALUE "OriginalFilename", "builder.exe"
VALUE "ProductName", "TODO: SpyEye"
VALUE "ProductVersion", "1.0.0.1"
}
}
BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0409 0x04E4
}
}
Image files:
BCK.PNG:
INFECTED.PNG
LINE.GIF:
MEDIC.PNG:
SPYLOGO.PNG:
UP.PNG:
PNGFIX.JS:
/*
Correctly handle PNG transparency in Win IE 5.5 & 6.
http://homepage.ntlworld.com/bobosola. Updated 18-Jan-2006.
Use in <HEAD> with DEFER keyword wrapped in conditional comments:
<!--[if lt IE 7]>
<script defer type="text/javascript" src="pngfix.js"></script>
<![endif]-->
*/
// Gate: only run on IE 5.5/6, the engines that expose the `filters` collection used below.
// parseFloat() yields NaN when "MSIE" is absent from appVersion, so the `>= 5.5` test fails safely.
var arVersion = navigator.appVersion.split("MSIE")
var version = parseFloat(arVersion[1])
if ((version >= 5.5) && (document.body.filters))
{
// document.images is a live collection: each replaced <img> drops out of it, hence `i = i-1` below.
for(var i=0; i<document.images.length; i++)
{
var img = document.images[i]
// Extension check only: the last three characters of the upper-cased src must be "PNG".
var imgName = img.src.toUpperCase()
if (imgName.substring(imgName.length-3, imgName.length) == "PNG")
{
// NOTE(review): id, className, title, alt, style.cssText and src are spliced into markup
// without any escaping; a quote or angle bracket in any of them breaks the generated <span>
// (and allows markup injection if those attributes are not author-controlled).
var imgID = (img.id) ? "id='" + img.id + "' " : ""
var imgClass = (img.className) ? "class='" + img.className + "' " : ""
var imgTitle = (img.title) ? "title='" + img.title + "' " : "title='" + img.alt + "' "
var imgStyle = "display:inline-block;" + img.style.cssText
// Carry the original <img>'s alignment and link-cursor over to the replacement; `cursor:hand` is IE-only.
if (img.align == "left") imgStyle = "float:left;" + imgStyle
if (img.align == "right") imgStyle = "float:right;" + imgStyle
if (img.parentElement.href) imgStyle = "cursor:hand;" + imgStyle
// Replace the <img> with a same-sized <span> whose AlphaImageLoader filter draws the PNG with alpha.
var strNewHTML = "<span " + imgID + imgClass + imgTitle
+ " style=\"" + "width:" + img.width + "px; height:" + img.height + "px;" + imgStyle + ";"
+ "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"
+ "(src=\'" + img.src + "\', sizingMethod='scale');\"></span>"
img.outerHTML = strNewHTML
i = i-1
}
}
}
/*
Correctly handle PNG transparency in Win IE 5.5 & 6.
http://homepage.ntlworld.com/bobosola. Updated 18-Jan-2006.
Use in <HEAD> with DEFER keyword wrapped in conditional comments:
<!--[if lt IE 7]>
<script defer type="text/javascript" src="pngfix.js"></script>
<![endif]-->
*/
// Gate: only run on IE 5.5/6, the engines that expose the `filters` collection used below.
// parseFloat() yields NaN when "MSIE" is absent from appVersion, so the `>= 5.5` test fails safely.
var arVersion = navigator.appVersion.split("MSIE")
var version = parseFloat(arVersion[1])
if ((version >= 5.5) && (document.body.filters))
{
// document.images is a live collection: each replaced <img> drops out of it, hence `i = i-1` below.
for(var i=0; i<document.images.length; i++)
{
var img = document.images[i]
// Extension check only: the last three characters of the upper-cased src must be "PNG".
var imgName = img.src.toUpperCase()
if (imgName.substring(imgName.length-3, imgName.length) == "PNG")
{
// NOTE(review): id, className, title, alt, style.cssText and src are spliced into markup
// without any escaping; a quote or angle bracket in any of them breaks the generated <span>
// (and allows markup injection if those attributes are not author-controlled).
var imgID = (img.id) ? "id='" + img.id + "' " : ""
var imgClass = (img.className) ? "class='" + img.className + "' " : ""
var imgTitle = (img.title) ? "title='" + img.title + "' " : "title='" + img.alt + "' "
var imgStyle = "display:inline-block;" + img.style.cssText
// Carry the original <img>'s alignment and link-cursor over to the replacement; `cursor:hand` is IE-only.
if (img.align == "left") imgStyle = "float:left;" + imgStyle
if (img.align == "right") imgStyle = "float:right;" + imgStyle
if (img.parentElement.href) imgStyle = "cursor:hand;" + imgStyle
// Replace the <img> with a same-sized <span> whose AlphaImageLoader filter draws the PNG with alpha.
var strNewHTML = "<span " + imgID + imgClass + imgTitle
+ " style=\"" + "width:" + img.width + "px; height:" + img.height + "px;" + imgStyle + ";"
+ "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"
+ "(src=\'" + img.src + "\', sizingMethod='scale');\"></span>"
img.outerHTML = strNewHTML
i = i-1
}
}
}
STYLE.CSS:
/* Link colours: normal / visited / active. */
a:link {
color: rgb(0,64,192);
}
a:visited {
color: rgb(128,128,128);
}
a:active {
color: rgb(0,192,128);
}
/* Page defaults; bck.png is one of the bundled image resources. */
body {
font-family: Verdana;
font-size: 10px;
background-image: url('bck.png');
}
input, textarea {
border: 1px;
border-color: gray;
border-style: solid;
font-family: Verdana;
font-size: 10px;
}
table {
font-family: Verdana;
color: rgb(102,102,102);
font-size: 10px;
border: 0;
}
h1 {
font-family: Verdana;
color: rgb(102,102,102);
/* "24 px" has a space before the unit, which is not a valid length; the declaration is ignored. */
font-size: 24 px;
/* Comma-separated margin/padding values are invalid CSS (values must be space-separated); both declarations are ignored. */
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
h2 {
font-family: Verdana;
color: rgb(102,102,102);
/* Same invalid "N px" length and comma-separated margin/padding as h1; all three declarations are ignored. */
font-size: 16 px;
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
h3 {
font-family: Verdana;
color: rgb(102,102,102);
/* Same invalid "N px" length and comma-separated margin/padding as h1; all three declarations are ignored. */
font-size: 12 px;
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
.comment {
font-family: Verdana;
color: rgb(128,128,128);
font-size: 10px;
margin: 0;
padding: 0;
font-weight: normal;
}
/* Status text: red / yellow / green. */
.error {
font-family: Verdana;
font-weight: bold;
color: RGB(255, 0, 0);
font-size: 10px;
}
.warning {
font-family: Verdana;
font-weight: bold;
color: RGB(225, 225, 0);
font-size: 10px;
}
.ok {
font-family: Verdana;
font-weight: bold;
color: RGB(0, 225, 0);
font-size: 10px;
}
.disabled {
color: #BBBB33;
}
/* Main (740px) and small (500px) bordered content boxes. */
.div_main {
background-color: #F7F7F7;
width: 740px;
border: solid 1px black;
padding: 10px;
margin: 0px;
}
.div_smmain {
background-color: #F7F7F7;
width: 500px;
border: solid 1px black;
padding: 10px;
margin: 0px;
}
/* Pinned to the top-right corner of the page. */
.div_beta {
position: absolute;
top: 0px;
right: 0px;
}
color: rgb(0,64,192);
}
/* Link colours: visited / active (the a:link rule precedes this duplicate copy). */
a:visited {
color: rgb(128,128,128);
}
a:active {
color: rgb(0,192,128);
}
/* Page defaults; bck.png is one of the bundled image resources. */
body {
font-family: Verdana;
font-size: 10px;
background-image: url('bck.png');
}
input, textarea {
border: 1px;
border-color: gray;
border-style: solid;
font-family: Verdana;
font-size: 10px;
}
table {
font-family: Verdana;
color: rgb(102,102,102);
font-size: 10px;
border: 0;
}
h1 {
font-family: Verdana;
color: rgb(102,102,102);
/* "24 px" has a space before the unit, which is not a valid length; the declaration is ignored. */
font-size: 24 px;
/* Comma-separated margin/padding values are invalid CSS (values must be space-separated); both declarations are ignored. */
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
h2 {
font-family: Verdana;
color: rgb(102,102,102);
/* Same invalid "N px" length and comma-separated margin/padding as h1; all three declarations are ignored. */
font-size: 16 px;
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
h3 {
font-family: Verdana;
color: rgb(102,102,102);
/* Same invalid "N px" length and comma-separated margin/padding as h1; all three declarations are ignored. */
font-size: 12 px;
margin: 0px, 0px, 0px, 0px;
padding: 0px, 0px, 0px, 0px;
font-weight: normal;
}
.comment {
font-family: Verdana;
color: rgb(128,128,128);
font-size: 10px;
margin: 0;
padding: 0;
font-weight: normal;
}
/* Status text: red / yellow / green. */
.error {
font-family: Verdana;
font-weight: bold;
color: RGB(255, 0, 0);
font-size: 10px;
}
.warning {
font-family: Verdana;
font-weight: bold;
color: RGB(225, 225, 0);
font-size: 10px;
}
.ok {
font-family: Verdana;
font-weight: bold;
color: RGB(0, 225, 0);
font-size: 10px;
}
.disabled {
color: #BBBB33;
}
/* Main (740px) and small (500px) bordered content boxes. */
.div_main {
background-color: #F7F7F7;
width: 740px;
border: solid 1px black;
padding: 10px;
margin: 0px;
}
.div_smmain {
background-color: #F7F7F7;
width: 500px;
border: solid 1px black;
padding: 10px;
margin: 0px;
}
/* Pinned to the top-right corner of the page. */
.div_beta {
position: absolute;
top: 0px;
right: 0px;
}
104 (seems to be the interface):
<HTML>
<HEAD>
<link href="style.css" type=text/css rel=stylesheet>
</HEAD>
<BODY ID=CbuilderDlg >
<center>
<div id="div_main" class="div_main">
<img src="spylogo.png" width="474px" height="100px" alt="SpyEye logo" title="SpyEye logo" />
<hr size='1' color='#CCC'>
<table cellspacing="0" cellpadding="0" border="0" width='100%'>
<tr>
<td width="250px">Path to the main control panel:</td>
<td><input id=tPathToMainControlPanel type=text style="width:450px" value="http://www.yourbotnet.cn/spyeye/main/gate.php" /></td>
</tr>
<tr>
<tr>
<td width="250px"><i>Alternative path to the main control panel</i>:</td>
<td><input id=tPathToMainControlPanel2 type=text style="width:450px" value="http://www.yourbotnet2.cn/spyeye/main/gate.php" /></td>
</tr>
<tr>
<td width="250px">Path to the <b>SpyEye Collector</b>:</td>
<td><input id=tPathToFormgrabberControlPanel type=text style="width:450px" value="1.2.3.4:443" /></td>
</tr>
<tr>
<td width="250px"><b>Encryption key</b>:</td>
<td><input id=tEncryptionKey type=text style="width:300px" value="Your Enc. Key" /></td>
</tr>
<tr>
<td width="250px">Connector interval <i>(sec)</i>:</td>
<td><input id=tConnectorInterval type=text style="width:50px" value="300" /></td>
</tr>
<tr>
<td width="250px">Compress build by <b>UPX v3.04w</b>:</td>
<td><input id=cUPX type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px">Kill <b>Zeus</b>:</td>
<td><input id=cKillZeus type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px">Clear cookies every startup <i>(IE, FF)</i>:</td>
<td><input id=cClearCookies type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px"><b>WebInjects.txt</b> <i>(Zeus format)</i>:</td>
<td><input type="file" id="tWebInjects" style="width:400px;"></td>
</tr>
<tr>
<td colspan="2" align=center>...</td>
</tr>
<tr>
<td width="250px"><b>Screenshots.txt</b>:</td>
<td><input type="file" id="tScreenshots" style="width:400px;"></td>
</tr>
<tr>
<td colspan="2" align=center>...</td>
</tr>
<tr>
<td width="250px"><b>Plugin #1</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin1" style="width:400px;"></td>
</tr>
<tr>
<td width="250px"><b>Plugin #2</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin2" style="width:400px;"></td>
</tr>
<tr>
<td width="250px"><b>Plugin #3</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin3" style="width:400px;"></td>
</tr>
</table>
<br>
<table cellspacing="0" cellpadding="0" border="0" width='100%'>
<tr>
<td><img id="bLoadConfig" src="up.png" alt="Load config" title="Load config from settings.ini" /></td>
<td align=center><input type=button value="Make config & get build" id=bMakeBuild /></td>
</tr>
</table>
<!--<br><div id=dBuildResult style="text-align:left" ></div>-->
<br><div id=dBuildButton style="text-align:center" ></div>
<hr size='1' color='#CCC'>
<script language=javascript>
function recheckInfected() {
  // Re-trigger the "Are you infected by SpyEye?" check by clicking its button,
  // then tell the user to clean up autorun entries and leftover files by hand.
  var checkButton = document.getElementById('bCheckInfected');
  checkButton.click();
  alert('Check autorun by msconfig.exe or smth, and, remove files of bot manually (if you need it)');
}
</script>
<input type=hidden onclick="setTimeout('recheckInfected();', 3000);" id=bRecheckInfected />
<input type=button value="Are you infected by SpyEye?" id=bCheckInfected />
<div id="dInfectedResult"></div>
</div>
</center>
</BODY>
</HTML>
<HEAD>
<link href="style.css" type=text/css rel=stylesheet>
</HEAD>
<BODY ID=CbuilderDlg >
<center>
<div id="div_main" class="div_main">
<img src="spylogo.png" width="474px" height="100px" alt="SpyEye logo" title="SpyEye logo" />
<hr size='1' color='#CCC'>
<table cellspacing="0" cellpadding="0" border="0" width='100%'>
<tr>
<td width="250px">Path to the main control panel:</td>
<td><input id=tPathToMainControlPanel type=text style="width:450px" value="http://www.yourbotnet.cn/spyeye/main/gate.php" /></td>
</tr>
<tr>
<tr>
<td width="250px"><i>Alternative path to the main control panel</i>:</td>
<td><input id=tPathToMainControlPanel2 type=text style="width:450px" value="http://www.yourbotnet2.cn/spyeye/main/gate.php" /></td>
</tr>
<tr>
<td width="250px">Path to the <b>SpyEye Collector</b>:</td>
<td><input id=tPathToFormgrabberControlPanel type=text style="width:450px" value="1.2.3.4:443" /></td>
</tr>
<tr>
<td width="250px"><b>Encryption key</b>:</td>
<td><input id=tEncryptionKey type=text style="width:300px" value="Your Enc. Key" /></td>
</tr>
<tr>
<td width="250px">Connector interval <i>(sec)</i>:</td>
<td><input id=tConnectorInterval type=text style="width:50px" value="300" /></td>
</tr>
<tr>
<td width="250px">Compress build by <b>UPX v3.04w</b>:</td>
<td><input id=cUPX type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px">Kill <b>Zeus</b>:</td>
<td><input id=cKillZeus type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px">Clear cookies every startup <i>(IE, FF)</i>:</td>
<td><input id=cClearCookies type=checkbox style="border:0px" /></td>
</tr>
<tr>
<td width="250px"><b>WebInjects.txt</b> <i>(Zeus format)</i>:</td>
<td><input type="file" id="tWebInjects" style="width:400px;"></td>
</tr>
<tr>
<td colspan="2" align=center>...</td>
</tr>
<tr>
<td width="250px"><b>Screenshots.txt</b>:</td>
<td><input type="file" id="tScreenshots" style="width:400px;"></td>
</tr>
<tr>
<td colspan="2" align=center>...</td>
</tr>
<tr>
<td width="250px"><b>Plugin #1</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin1" style="width:400px;"></td>
</tr>
<tr>
<td width="250px"><b>Plugin #2</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin2" style="width:400px;"></td>
</tr>
<tr>
<td width="250px"><b>Plugin #3</b> <i>DLL</i:</td>
<td><input type="file" id="tPlugin3" style="width:400px;"></td>
</tr>
</table>
<br>
<table cellspacing="0" cellpadding="0" border="0" width='100%'>
<tr>
<td><img id="bLoadConfig" src="up.png" alt="Load config" title="Load config from settings.ini" /></td>
<td align=center><input type=button value="Make config & get build" id=bMakeBuild /></td>
</tr>
</table>
<!--<br><div id=dBuildResult style="text-align:left" ></div>-->
<br><div id=dBuildButton style="text-align:center" ></div>
<hr size='1' color='#CCC'>
<script language=javascript>
function recheckInfected() {
  // Re-trigger the "Are you infected by SpyEye?" check by clicking its button,
  // then tell the user to clean up autorun entries and leftover files by hand.
  var checkButton = document.getElementById('bCheckInfected');
  checkButton.click();
  alert('Check autorun by msconfig.exe or smth, and, remove files of bot manually (if you need it)');
}
</script>
<input type=hidden onclick="setTimeout('recheckInfected();', 3000);" id=bRecheckInfected />
<input type=button value="Are you infected by SpyEye?" id=bCheckInfected />
<div id="dInfectedResult"></div>
</div>
</center>
</BODY>
</HTML>
Packed builder: 1,71 Mb (1 794 048 bytes)
Unpacked builder: 4,07 Mb (4 272 128 bytes)
--
Packed version (VT result): 12/43 (27.9%) - Submission date: 2010-10-30
Detected mostly as "Trojan"
Unpacked version (VT result): 9/43 (20.9%) - Submission date: 2010-10-30
Detected mostly as "Suspicious"