[Hidden Table] hxdef* openvpn* [Root Processes] hxdef* mycmd.exe mynotepad.exe openvpn* [Hidden Services] HackerDefender* openvpn* [Hidden RegKeys] HackerDefender100 LEGACY_HACKERDEFENDER100 HackerDefenderDrv100 LEGACY_HACKERDEFENDERDRV100 OpenVPN OpenVPN* openvpn* [Hidden RegValues] OpenVPN* OpenVPN [Startup Run] [Free Space] [Hidden Ports] TCP: UDP:5000 [Settings] Password=hxdef-rulez BackdoorShell=hxdef$.exe FileMappingName=_.-=[Hacker Defender]=-._ ServiceName=HackerDefender100 ServiceDisplayName=HXD Service 100 ServiceDescription=powerful NT rootkit DriverName=HackerDefenderDrv100 DriverFileName=hero.sys [Comments] ===============================[ CZECH INI HELP ]=============================== toto je inifile pro nt rootkit musi obsahovat dva seznamy souboru: [Hidden Table] a [Root Processes], seznam nazvu sluzeb: [Hidden Services], seznam nazvu klicu registru: [Hidden RegKeys], seznam nazvu hodnot registru: [Hidden RegValues], specialni seznam programu s parametry: [Startup Run], seznam disku se zmenou volneho mista: [Free Space], seznam skrytych portu [Hidden Ports] a zakladni nastaveni: [Settings] seznamy mohou byt prazdne, ale musi mit nadpisky seznamy jsou oddeleny prazdnym radkem pokud jsou zde komentare, jsou nutne oddeleny prazdnym radkem od posledniho prvku nastaveni [Settings] v seznamech [Hidden Table], [Root Processes], [Hidden Services] a [Hidden RegValues] lze pouzit zastupny znak * na konci radku you can use shortcuts %cmd%, %cmddir%, %sysdir%, %windir% and %tmpdir% in [Startup Run] list seznam [Free Space] ma format X:NUM, kde X oznacuje disk a NUM je pocet bytu, o ktery se ma rozsirit jeho volne misto seznam [Hidden Ports] je tvoren maximalne 2 radky prvni radek ma format TCP:port1,port2,port3,... druhy radek ma format UDP:port1,port2,port3,... [Settings] musi obsahovat deset hodnot: Password, BackdoorShell, FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription, DriverName a DriverFileName krome polozek [Startup Run], [Free Space] a [Hidden Ports] a hodnot za prvnim = v [Settings] se vsude ignoruji vlozene znaky |, <, >, :, \, / a ". ==============================[ ENGLISH INI HELP ]============================== this is nt rootkit inifile it must contains two file lists: [Hidden Table] and [Root Processes], a list of service names: [Hidden Services], a list of registry keys: [Hidden RegKeys], a list of registry values: [Hidden RegValues], special list of programs with arguments: [Startup Run], a list of disks with free space change: [Free Space] a list of hidden ports [Hidden Ports] and basic settings: [Settings] lists can be empty, but there must be the heading lists are divided by clean line there must be clean line after last [Settings] item if there is comment below you can use * as a wildcard in [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues] you can use shortcuts %cmd%, %cmddir%, %sysdir%, %windir% and %tmpdir% in [Startup Run] list [Free Space] list format is X:NUM where X stands for drive letter and NUM is the number of bytes that will be added to its number of free bytes [Hidden Ports] list has at most 2 lines first line format is TCP:port1,port2,port3,... second line format is UDP:port1,port2,port3,... [Settings] must contains eight values: Password, BackdoorShell, FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription, DriverName and DriverFileName extra characters |, <, >, :, \, / and " are ignored on all lines except [Startup Run], [Free Space] and [Hidden Ports] items and values in [Settings] after first = character.