Okay, here's the deal. You probably came here cause you heard something about people thinking that some ICQ program is spying on them. First off, it's not ICQ! Let me repeat that, it's not ICQ! ICQ is perfectly fine. (Well, it's not fine, but it doesn't have a trojan in it.) ICKiller does have a trojan in it. It was written by some guy named graffitti, and I would appreciate it if everyone would stop writing to me telling me they have info on him, cause I don't really care. Its basic purpose was to send an ICQ user lots of messages from fake UINs. It also claimed to be able to crash ICQ if you enabled that option. This of course illustrates how insecure ICQ is, but again, that's for later.

I would just like to thank 54ur0n for all the help he's given me. He's the one who did most of the cracking, and he's the one who thought to inform McAfee as well as others. I'm not sure if he wants his real name here, but thanks a lot! I'd also like to thank Mike for all the help he's given me. He's the one who figured out all of the Active/X stuff, which didn't happen to me (luckily).

the basic description

Basically, the program adds a couple of unwanted files to your computer which allow the author (graffitti) to have complete access to your computer, better known as a backdoor or a trojan. There is also some *speculation* that it also gets your dial-up networking password and sends that to him, but I'm not sure if it does or doesn't. He claims it doesn't, and at the moment I'm inclined to believe him.

the semi-technical

Okay, run that ICKill program and then quit it. Notice any extra files there? Maybe one called 1.exe? Now that's not a big deal in itself; lots of programs make temporary files and forget to delete them. Maybe it holds your preferences or something, right? Wrong! Hit Control+Alt+Delete to bring up the taskbar. You'll notice 1.exe is still running in the background. This in itself isn't so bad either; you can always do a force quit.
Force quit it and bring up the taskbar again and look for anything else suspicious. Hey! What's that regedit doing open? You'll probably want to force quit that as well. Now try running 1.exe; you'll notice that it in turn opens regedit again. So far, then, we know that when you run ICKiller it creates 1.exe, which in turn runs regedit. When you quit ICKill both of them stay open in the background. Now for those of you who don't know, regedit edits the registration database (the registry) in Win95/NT; if someone gets into that they can do lots of things to your computer. This of course brings up the fact that the registration database is being accessed, and possibly changed. 1.exe however also does one more thing: it creates a fake explorer in the windows/system directory and changes the registry so that the fake explorer is run on startup. The fake explorer is the thing that does all of the nasty work, like giving him a backdoor into your computer, and the registry change is what makes the fake explorer run on startup.

the slightly more technical

Okay, here's what it looks like 1.exe does. You probably already noticed that 1.exe looked a lot like explorer. In fact, if you right-click on it and click on Properties you'll notice it claims to be Windows Explorer. Only if you click on the Version tab, and then Product Name, will you see that its name is in Portuguese. The person who wrote these tools happens to speak Portuguese (as he lives in Brazil) and was using a Portuguese copy of Win95. (Portuguese is spoken in Brazil instead of Spanish cause of the way the 'new world' was divided up; check your history book.) Anyway, it is a hostile version of Windows Explorer. According to a friend of mine, the ICKill program runs a self-check when it runs; if it's been tampered with in any way it will launch the hostile explorer. Normally ICKiller will just create and run 1.exe in an unhostile manner, and 1.exe will then open regedit.
Regedit will open off the screen so you'll never see it. It adds an x:\windows\system\explorer.exe key to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run section so that the fake explorer will run on startup (with the real one).

The A-Ha! I'm not just paranoid

A little while before I put up this page I had written to the author informing him of what I had found and telling him that I thought it was wrong. I received a response, and basically it said that the program didn't steal passwords, but it could. He did admit though that it accessed the registry so that the fake explorer would run on startup instead of the real one. He also admitted that it's a backdoor. It opens up port 7789 completely. That port will now simply listen for anything that comes its way. The fake explorer will also contact a computer (his) after 11 minutes. It then looks for a text file on the system which is in a scripting language he made. It will then run the script. Theoretically he could have your computer do anything short of sitting up and begging. He said he didn't want enemies and he doesn't steal passwords, and I'm actually inclined to believe him. Also, there are RUMORS that McAfee has now included it in their virus scans. I have also passed the thing on to several anti-virus companies, including McAfee. For reference you can read both my letter to him and his letter to me, and his letter to 54ur0n; also, when 54ur0n passed the letter on to me he had some things to say which you may find revealing. Since then graffitti and I have exchanged two more letters. They aren't as useful or revealing, but you may want to read my second letter to him and his response to it.

solutions

If you already have this program then here is what I recommend: first, delete ICKill and all of its related files, including 1.exe. Did you follow the readme and install those OCXs to the windows/system directory? If so, then you should try to find the originals and delete the new ones.
If you don't have the originals then it's better to just leave the cracked ones. They don't do any damage to your system, and it's better than nothing. Make sure you force quit regedit if it's still open, and anything else that looks suspicious. Many times a second explorer will be running and you'll need to force quit that. Also, search your computer for all copies of explorer and 1.exe. Delete all of the copies of 1.exe, and all but the original explorer.

There are several ways to tell the real from the fake explorer. The easiest is that the fake one in the windows system directory will not have a capital 'E', so it will be explorer instead of Explorer. The better way to tell the original is to right-click on it and click Properties. The fake one has two differences. Under the Version tab look at the version number: is it 4.00.0950 or 4.00.950? If it's the one with .0950 then it's probably the fake one. Also, look under Product Name. Does it say Sistema Operacional Microsoft® Windows® or does it say that same thing in English? The guy who wrote it is Portuguese and thus was using a Portuguese copy of explorer as his base, so we can see one of the mistakes he made. Anyway, delete all occurrences of the fake explorer.

Now it's time to fix your registration database. I know, I know, without the fake explorer it won't do anything to your computer; however, it's still good to get rid of all of ICKill's traces. Run regedit and go into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. You'll see a key that says Explorer x:\windows\system\explorer.exe; delete that key and you're fine. As far as anyone can tell, that's all it adds to the registration database.

What's the deal with all these windows asking me to register it? Well, here's where we run into some problems with Active/X controls.
It hasn't happened to very many people, but it really kind of depends on what kind of system you're using, whether you installed the OCXs, what other drivers you have installed, and probably a couple of other variables I didn't mention. As I said before, this hasn't happened to me, so I'm just going to quote everything Mike told me. For the semi-technical people, here's what it does to the Active/X controls:

1) Upon startup of Windows 95/OSR2 caused the vbasic control (shareware version) to pop up every 5 minutes, asking to register it and say OK. (No, I didn't move the files into my windows directory.)

2) Ran multiple explorer exes; once the program was run, the 1.exe disappeared and went into windows/system as explorer.exe (wrong location for the explorer file anyways).

3) Upon deletion of ICKill it went chaotic, opening the control every 5 seconds, asking me to register it, annoying as hell. But upon clicking like crazy, I overrode it.

The Active/X solution(s)

The best solution that's been figured out so far is twofold. First you'll need to seek out and destroy any extra explorers and basically do everything that is recommended above. Then you'll need to uninstall the Active/X controls, then completely reinstall them. (I know it's a pain, but isn't it worth it?)

unanswered questions

1. Well, there's still the question of password stealing. The author claims that he doesn't steal passwords; someone else who cracked the program says it does. Who do you believe?

(downloaded from http://zap.to/cyberhack made by the deadman.. you can mail me at deadman99_@hotmail.com)
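The cleanup checks from the solutions section, written up as an added example that is not part of the original page: a small Python script that parses a REGEDIT4 export of the Run key (the format Win95's regedit exports) for an explorer.exe launched from a system subdirectory, and scores an explorer file by the three indicators the page gives (lowercase name in windows\system, version 4.00.0950, Portuguese product name). The sample export and all function names are my own constructed assumptions.

```python
# Added example (not code from the original page). It encodes the page's
# cleanup heuristics: the dropped explorer lives in windows\system (the
# real one lives in the Windows directory itself), is launched from the
# Run key, reports version 4.00.0950 rather than 4.00.950, and carries a
# Portuguese product name. SAMPLE_EXPORT below is constructed sample data.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FAKE_VERSION = "4.00.0950"

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\SYSTEM\\explorer.exe"
"""


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files double the backslashes inside string data
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def in_system_dir(path):
    """True when the path is <anything>\\system\\explorer.exe (any case)."""
    return path.lower().endswith(r"\system\explorer.exe")


def suspicious_run_entries(export_text):
    """Run-key values that start an explorer.exe out of a system subdirectory."""
    run = parse_reg_export(export_text).get(RUN_KEY, {})
    return [(name, data) for name, data in run.items() if in_system_dir(data)]


def classify_explorer(path, version, product_name):
    """Count the page's three indicators; two or more means treat it as the fake."""
    indicators = [
        in_system_dir(path) and path.endswith("explorer.exe"),  # lowercase 'e', wrong dir
        version == FAKE_VERSION,
        product_name.startswith("Sistema Operacional"),  # Portuguese product name
    ]
    return "fake" if sum(indicators) >= 2 else "probably genuine"
```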