Nicolai

ZeuS Readme - EN

May 15th, 2011
Thanks sami ( http://www.opensc.ws/trojan-malware-samples/14648-zeus-source-code-10.html#post128913 ).

3rd paragraph:

Setting up the bot
Step by step installation:
1) From your existing build package, run the file 'local\cp.exe'; it is the builder for the configuration file and the bot.
2) Open the 'Builder'. Click 'Browse' and specify the location of the configuration file, 'local\config.txt'.
3) Click 'Edit config'; as a result a text editor should start. Edit the file as follows:

First:
The original configuration file is a text file in Windows encoding and is only needed to create the final configuration file (a binary file that the bot downloads) and the bot itself. In your build package the sample configuration file must be located in the 'local' folder and be named config.txt. The file can be opened in any text editor, for example 'Notepad'.

The file consists of records, one record per line. A record in turn consists of parameters; the first parameter usually defines the name of the record (but not always, for example where the record is just a listing of data and has no name). Parameters are separated by spaces; if a parameter itself contains a space or a tab, it must be enclosed in double quotes ("). This usually also applies to the name. The number of parameters is not limited. If the record has a name, the name is case-insensitive.
Examples:
username Kot Matroskin
record name - username, parameter 1 - Kot, parameter 2 - Matroskin.

username "James" "Bond"
record name - username, parameter 1 - James, parameter 2 - Bond.

username "Volodia Putin"
record name - username, parameter 1 - Volodia Putin.

"url" "http://sex.com/" index.php
record name - url, parameter 1 - http://sex.com/, parameter 2 - index.php

There are also special record names that let you split the configuration file into subsections, each of which may itself contain any number of subsections and records. They are called sections and consist of the record name entry and a parameter that defines the section name (case is ignored in this parameter as well); the end of the section is marked by end. In the rest of this documentation, subentries within subsections are written with "->", i.e. a record named username that belongs to the section userdata is written as userdata->username, etc.

Examples:
entry "userdata"
fname "petia"
lname "lolkin"
end

entry compdata
name "pcvasya"
entry devices
cdrom
"hdd"
fdd
end
end
(The contents of the devices section are an example of records without a name: just an enumeration of devices.)

It is also possible to insert comments: a comment must be on a separate line and begin with ";". If the first parameter of a record also happens to begin with ";", that parameter must be enclosed in quotation marks.

Examples:
; Hello. I think that I'm a hero!
; How are you? - this is not a record
"; I love you" - but this is a record.

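As an added example (not code from the readme or from ZeuS itself), here is a small Python parser for the config.txt grammar described above, of the kind an analyst would use to read such a file offline: it handles quoted parameters, ';' comment lines, case-insensitive names and nested entry/end sections, and resolves the readme's 'section->record' path notation. The sample text at the bottom is constructed from the readme's own examples.

```python
import re

# Added example, not code from the readme or ZeuS. Parameter grammar as documented:
# a double-quoted parameter may contain spaces or tabs, otherwise a parameter ends
# at whitespace; no escape sequences are described, so none are handled.
PARAM = re.compile(r'"([^"]*)"?|([^\s"]+)')

def tokenize(line):
    return [q or w for q, w in PARAM.findall(line)]

def parse_config(text):
    """Sections become dicts {"name", "items"}; records become parameter lists."""
    root = {"name": "", "items": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment line
            continue
        params = tokenize(line)                   # a quoted "; ..." is a record
        head = params[0].lower()                  # record names are case-insensitive
        if head == "entry" and len(params) > 1:   # 'entry <name>' opens a section
            sec = {"name": params[1].lower(), "items": []}
            stack[-1]["items"].append(sec)
            stack.append(sec)
        elif head == "end":                       # closes the innermost section
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without 'entry'")
            stack.pop()
        else:
            stack[-1]["items"].append(params)
    if len(stack) > 1:
        raise ValueError(f"section '{stack[-1]['name']}' is never closed")
    return root

def lookup(root, path):
    """Resolve a readme-style 'userdata->fname' path to its parameters, or None."""
    *secs, rec = path.lower().split("->")
    node = root
    for name in secs:
        subs = [i for i in node["items"] if isinstance(i, dict) and i["name"] == name]
        if not subs:
            return None
        node = subs[0]
    for item in node["items"]:
        if isinstance(item, list) and item[0].lower() == rec:
            return item[1:]
    return None

SAMPLE = ('; comment line\nusername "James" "Bond"\n"; I love you"\n'   # constructed
          'entry "userdata"\nfname "petia"\nentry devices\ncdrom\n"hdd"\nend\nend\n')
```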
Second:
Configuration file entries
The file consists of two sections, StaticConfig and DynamicConfig.

StaticConfig: the values of this section are written directly into the bot file, i.e. into the exe, and define the basic behaviour of the bot on the victim's computer.
Depending on your build, some records may have no meaning for you; all important parameters are set in the sample attached to the build package.
botnet [string] - specifies the name of the botnet the bot belongs to.
string - the name of the botnet, up to 4 characters, or 0 for the default value.

Recommended value: botnet 0

timer_config [number1] [number2] - defines the time intervals at which updates of the configuration file should be fetched.
number1 - time in minutes after which the configuration file should be updated, if the previous download succeeded.
number2 - time in minutes after which the configuration file should be updated, if the previous download failed.

Recommended value: timer_config 60 5

timer_logs [number1] [number2] - defines the time intervals at which the accumulated logs should be sent to the server.
number1 - time in minutes after which the logs are sent, if the previous send succeeded.
number2 - time in minutes after which the logs are sent, if the previous send failed.

Recommended value: timer_logs 2 2

timer_stats [number1] [number2] - defines the time intervals at which statistics should be sent to the server (this includes installs, online presence, open ports, services, socks, screenshots, etc.).
number1 - time in minutes after which statistics are sent, if the previous send succeeded.
number2 - time in minutes after which statistics are sent, if the previous send failed.

Recommended value: timer_stats 10 20

url_config [url] - URL of the main configuration file. This is the most important parameter: if this URL is not reachable when the victim's computer is infected, the infection is meaningless.

url_compip [url] [number] - specifies a site where the bot can check its own IP; used to detect NAT.
url - the URL of the site
number - the number of bytes that is enough to download from the site in order to see its own IP in the downloaded data.

blacklist_languages [number1] [number2] ... [numberX] - defines a list of Windows language codes for which the bot will always stay in sleep mode, i.e. it will not send logs or statistics but will still fetch the configuration file.
numberX - a language code, e.g. RU - 1049, EN - 1033.

DynamicConfig: the values of this section are written into the final configuration file.
Depending on your build, some records may have no meaning for you; all important parameters are set in the sample attached to the build package.
url_loader [url] - specifies the URL from which a bot update can be downloaded. This record matters only if you are running a botnet, release a new version of the bot, and publish its configuration under the same URL as the old configuration: in that case older versions of the bot will start to update themselves by downloading the file given in this record.

url_server [url] - specifies the URL to which statistics, files, logs, etc. from the victim's computer will be sent.

file_webinjects - specifies the local file containing the list of web injects. A description of the format of this file can be found here

Subsection AdvancedConfigs - lists URLs from which a backup configuration file can be downloaded if the main file is unavailable. It is recommended to fill this subsection with 1-3 URLs; they will save the botnet from destruction if the main configuration file becomes unavailable and make it easy to move it to another server. It is not required that files actually exist at these URLs; what matters is that you have the ability to put files there. Files should be placed there only after the main configuration file turns out to be unavailable; if you want the files to always be present at these URLs, they must all be updated in sync with the main configuration file. Backup files do not differ from the main one in any way and are created the same way.

Example:
entry "AdvancedConfigs"
"http://url1/cdffd.ccc"
"http://url2/cdf34.dc"
end

Subsection WebFilters - has two purposes:
It enumerates a list of URL masks which must be recorded in or excluded from the log regardless of the request type (GET, POST). If the first character of the mask is '!', then URLs matching this mask will not be written to the log (e.g. the mask "!*" prohibits logging all URLs except those listed before it).
It sets URL masks on access to which screenshots will be taken on each left mouse button click (useful for capturing virtual keyboards). Such a URL mask must begin with the '@' character.
Note: the URLs listed in this section ignore the value of the parameter StaticConfig.ignore_http

Example:
entry "WebFilters"
; all URLs matching this mask will be written to the log.
"http://www.google.com/*"
; URLs matching this mask will not be written to the log.
"!http://*yahoo.com/*"
; after this page is opened, screenshots will be taken on each left mouse button click.
"@http://www.rambler.ru/"
end

Subsection WebFakes - lists transparent URL redirects (fake sites); a detailed description of this section is here

Subsection TanGrabber - defines rules for the TAN-grabber; a detailed description of this section is here

Subsection DnsMap - a list of DNS changes to be made in the file %system32%\drivers\etc\hosts.
Record format: [IP] [domain].
IP - the new IP of the domain.
domain - the domain name whose IP is changed. If the domain name begins with the '!' character, the domain is deleted from the file (if it is found there); in that case the IP parameter is ignored and can be anything.

Example:
entry "dnsmap"
127.0.0.1 microsoft.com
192.168.0.1 google.com
0.0.0.0 !yahoo.com
end
Third:
Then save the file.