
  Guide.txt ==> How To Use CONFIG.EXE
  =========
       [A simple Guide for making changes in your default.cbr file!]

  NOTE: MAKE SURE THAT YOU USE THE BoSpy CONFIG.EXE program TO MAKE THESE
  CHANGES!  DO NOT use a text editor on the default.cbr file!  Also make
  sure that the line-returns (<ENTER> keystrokes) are placed correctly.

  Start the CONFIG.EXE program, then use the OPEN button to select the file
					     ===========
  "default.cbr" which loads the data into the editor.  You should now see
  the line:
		   App 0:'$$1' spawned on port $$2

  in the Config program's edit window.  Using the pull-down menu at the top
  (says: "App add"), select "System passwords" and you should see the
  following in the edit window:

Password cached by system:
index:01(06) len:42(26/72)
Resource: '*Rna\Netcom\ca,ppp,chaplin'  Password: 'thehacker'
index:08(04) len:18(05/52)
Resource: 'www.angelfire.com/id/chaplinhack'  Password: 'thehacker'
index:08(05) len:18(12/42)
Resource: 'Rna\Total.net\ca,ppp,chaplin'  Password: 'chaplin'
index:08(05) len:18(15/12)
Resource: 'MAPI'  Password: 'MAPI'
End of cached passwords.
ScreenSaver Password: 'hacker'

  These are the default lines built into Chaplin Corp's program...  Any
  experienced cracker should terminate his internet connection if he sees
  this...  BUT we don't want him to!  We want him to spend as much time
  as possible in order to catch him trying to break into our computer...

  (Using ONLY the "Ping Host" command of Back Orifice may be considered an
  illegal activity by some ISPs, but the more time a cracker spends sending
  commands to you, the better the chances are that your log record, sent to
  his ISP, will convince them to remove him from their service!!)  So, the
  next section gives you some ideas on changing this data...

  Don't forget to click on the SAVE button after entering your changes!
			       ===========
  NOTE that you can ALSO create many different .cbr files to use with the
  bospy.exe program, or simply to make back-up files of your creative
  changes, by using the SAVE AS button.
			==============
  The DEFAULT button loads the original default.cbr data into ONLY the item
      ==============
  (BO command response) selected in the pull-down menu...    it does _NOT_
  restore all of the original data at once!  (The best way to do THAT would
  be to extract "default.cbr" from the .ZIP file again.)

---------------------------------------------------------------------------
  Common Password Data   (The "System Passwords" command)
  ====================
  One of the very first things you should do is change the Password data!
  =======================================================================
     You may wish to add a line containing your ISP's name, a fake member
  name and a bogus password to fool the cracker into thinking he's got a
  good chance of stealing another account! (Since he's already pinging on
  the name of your ISP anyway, you're not giving anything away by listing
  it here.)   It wouldn't really have to match your ISP though, since the
  cracker wouldn't know if you had just switched ISPs without saving your
  new data.   Change PUT_ISP_HERE to your ISP name, MEMBER_NAME_HERE to a
  fake membername, and ANYTHING to a made up Password.  And in the phrase
  "len:42(xx/72)" change the xx to the number of characters between the
  two quote marks ('') including the "*RNA\" and the second "\".
  For example, '*RNA\CyberOn1\user3' would be 19 characters.  Notice that
  the "index" for an item is listed just above its "Resource" and that you
  should have them start with 00, 01, 02, etc. but they don't have to be
  in order in the listings.  (NOTE: Keeping it simple may be the best.)

  EXAMPLES:
---------------------------------------
Password cached by system:
index:01(06) len:34(20/52)
Resource: '*Rna\Microsoft Internet Referral Service\icwsignup'  Password: 'icwsignup'
index:02(06) len:42(xx/72)
Resource: '*Rna\PUT_ISP_HERE\MEMBER_NAME_HERE'  Password: 'ANYTHING'
index:00(04) len:18(05/52)
Resource: 'MAPI'  Password: 'MAPI'
End of cached passwords.
Unable to read value 'ScreenSave_Data'
---------------------------------------
Password cached by system:
index:01(06) len:34(20/52)
Resource: 'crypt_Blizzard_Storm'  Password: '=b'
index:03(06) len:68(50/92)
Resource: '*Rna\Microsoft Internet Referral Service\icwsignup'  Password: 'icwsignup'
index:00(06) len:42(xx/72)
Resource: '*Rna\PUT_ISP_HERE\MEMBER_NAME_HERE'  Password: 'ANYTHING'
index:02(04) len:18(05/52)
Resource: 'MAPI'  Password: 'MAPI'
End of cached passwords.
ScreenSaver password: 'PASSWORD!'
---------------------------------------
Password cached by system:
index:01(06) len:34(20/52)
Resource: 'crypt_Blizzard_Storm'  Password: '''
index:255(128) len:68(33/162)
Resource: 'DiskCacheDPAMSAPListZoneMSAPEntry'  Password: ',1WӴ5'
index:00(06) len:34(xx/62)
Resource: '*Rna\PUT_ISP_HERE\MEMBER_NAME_HERE'  Password: 'ANYTHING'
End of cached passwords.
ScreenSaver password: 'BADDUDE'
---------------------------------------
Password cached by system:
index:00(06) len:34(20/52)
Resource: 'crypt_Blizzard_Storm'  Password: '}f'
index:03(06) len:38(25/52)
Resource: 'crypt_CM Crypto Container'  Password: '--Xߝ'
index:255(128) len:30(21/02)
Resource: 'The Microsoft Network'  Password: '43,6253@'
index:01(06) len:30(13/82)
Resource: '*Rna\MSN\MSN/'  Password: 'password'
index:04(06) len:34(xx/62)
Resource: '*Rna\PUT_ISP_HERE\MEMBER_NAME_HERE'  Password: 'ANYTHING'
index:02(06) len:52(35/92)
Resource: '*Rna\MSN Temporary Dialer\icwsignup'  Password: 'icwsignup$'
End of cached passwords.
Unable to read value 'ScreenSave_Data'
---------------------------------------------------------------------------
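
  An added example, not part of the original guide or of BoSpy: a small
  Python check for the "System passwords" text before you paste it into the
  CONFIG.EXE edit window. It applies only the rule stated above (the xx
  field equals the number of characters between the Resource quotes) and
  flags placeholders left unreplaced; the function name and the sample
  block are constructed for illustration.

```python
import re

PLACEHOLDERS = ("PUT_ISP_HERE", "MEMBER_NAME_HERE", "ANYTHING")  # from the guide
HEADER = re.compile(r"^index:(\d+)\((\d+)\) len:(\d+)\((\w+)/(\d+)\)$")
ENTRY = re.compile(r"^Resource: '(.*)'  Password: '(.*)'$")

def lint_password_block(text):
    """Return (line_number, message) pairs for a 'System passwords' response."""
    problems, pending = [], None   # pending = (line_number, xx) of last index line
    for n, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        header = HEADER.match(line)
        if header:
            pending = (n, header.group(4))
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue
        resource, password = entry.groups()
        for token in PLACEHOLDERS:
            if token in resource or token == password:
                problems.append((n, f"placeholder {token} not replaced"))
        if pending is None:
            problems.append((n, "Resource line has no index line above it"))
            continue
        header_line, xx = pending
        pending = None
        if not xx.isdigit():
            problems.append((header_line, f"length still '{xx}', should be {len(resource)}"))
        elif int(xx) != len(resource):
            problems.append((header_line, f"length {xx}, but resource has {len(resource)} characters"))
    return problems

# Constructed sample: entry 00 is correct, 01 is unedited, 02 has a stale length.
SAMPLE = r"""Password cached by system:
index:00(06) len:34(19/62)
Resource: '*RNA\CyberOn1\user3'  Password: 'kittens'
index:01(06) len:42(xx/72)
Resource: '*Rna\PUT_ISP_HERE\MEMBER_NAME_HERE'  Password: 'ANYTHING'
index:02(06) len:68(20/92)
Resource: '*Rna\Microsoft Internet Referral Service\icwsignup'  Password: 'icwsignup'
End of cached passwords.
"""

if __name__ == "__main__":
    for line_number, message in lint_password_block(SAMPLE):
        print(f"line {line_number}: {message}")
```

  The other numbers on each "index" line are not explained in this guide,
  so the check leaves them alone.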



  Common Computer Names   (The "Ping Host" command)
  =====================
  COMPAQ, DEFAULT, DELL
  MICRON, OEMCOMPUTER,
  PAVILION, USER.

  DEFAULT and OEMCOMPUTER are quite common, but many people change the name
  to something else, such as their own name(s), the model of the computer,
  CPU type, or even a ham radio call sign.  We chose the word "DEFAULT" as
  being the best choice for our _default file_ (seemed appropriate!):

     !PONG!1.20!DEFAULT!    You can change this to: !PONG!1.20!OEMCOMPUTER!

  or any other name you wish AS LONG AS you place it BETWEEN THE LAST TWO
  exclamation marks (! !).
---------------------------------------------------------------------------
  


  Common Data in System Info   (The "System Info" command)
  ==========================
  The following is taken from our default.cbr file:

-------------------------------------
System info for machine 'DEFAULT'
Current user: 'John'
Processor: I586
Win32 on Windows 95 v4.0 build 1111 -  B
Memory: 31M in use: 97%  Page file: 498M free: 476M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 498663424/2146631680
D:\ - CD-ROM
End of system info
-------------------------------------

    First note that the machine name must match the name in the Ping Host
  command.  IF you changed 'DEFAULT' to 'OEMCOMPUTER' in the "Ping Host"
  command, then you MUST change it here too!  John is a common name, but
  you should change it to something else to keep those crackers guessing!
  If you use the word PAVILION as your computer name, then you could use
  'HP Authorized Customer' here.

  Original Win95 machines are:  Win32 on Windows 95 v4.0 build 950
  The Win98's are:              Win32 on Windows 95 v4.10 build 1998 -
  And OEM's are usually:        Win32 on Windows 95 v4.0 build 1111 -  B

  Here are some actual data files [false names] you can use as samples to 
  make your own convincing "System Info" lines:

-------------------------------------
System info for machine 'MAIN'
Current user: 'jeff'
Processor: I586
Win32 on Windows 95 v4.0 build 950
Memory: 23M in use: 99%  Page file: 592M free: 571M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 598802432/2109472768
D:\ - CD-ROM
End of system info
-------------------------------------
System info for machine 'JULIE'
Current user: 'julie'
Processor: I586
Win32 on Windows 95 v4.0 build 950
Memory: 95M in use: 45%  Page file: 213M free: 213M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 223969280/2146631680
D:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 1476788224/1709047808
E:\ - CD-ROM
End of system info
-------------------------------------
System info for machine 'LAPTOP'
Current user: 'ALICE'
Processor: I586
Win32 on Windows 95 v4.0 build 950
Memory: 23M in use: 100%  Page file: 279M free: 247M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 259391488/1442775040
End of system info
-------------------------------------
System info for machine '995610H'
Current user: 'George'
Processor: I586
Win32 on Windows 95 v4.0 build 1111 -  B
Memory: 15M in use: 100%  Page file: 83M free: 69M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 71991296/1079476224
D:\ - CD-ROM
End of system info
-------------------------------------
System info for machine 'DEFAULT'
Current user: 'jerry johnson'
Processor: I586
Win32 on Windows 95 v4.10 build 1998 -
Memory: 95M in use: 54%  Page file: 1952M free: 1921M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512,  Bytes free: 2147155968/2147155968
D:\ - CD-ROM
End of system info
---------------------------------------------------------------------------


    THE PROCESS LIST   ("Process List" command)
    ================
  The following is the default.cbr file's Process list.  Whatever you do
  here, MAKE SURE that you do NOT remove "C:\WINDOWS\SYSTEM\ .EXE" from the
  listing (the name of the BO trojan which is SUPPOSED to be running on 
  your computer!).  Change the last six or seven digits of a "pid" number
  or start a new series of numbers to confuse crackers viewing this file.
  Change the line order.  Change the NETSCAPE line to an MSIE.EXE line and
  remove NSNOTIFY.EXE, or whatever.  You get the idea!  But remember, there
  is a limit of only 800 bytes you can place in any of these lists!

-------------------------------------------------------------------
  pid  -    Executable
4291802877 C:\WINDOWS\SYSTEM\KERNEL32.DLL
4290796457 C:\WINDOWS\SYSTEM\MSGSRV32.EXE
4290791973 C:\WINDOWS\SYSTEM\MPREXE.EXE
4290839329 C:\WINDOWS\SYSTEM\mmtask.tsk
4290852241 C:\WINDOWS\EXPLORER.EXE
4290902265 C:\WINDOWS\SYSTEM\SYSTRAY.EXE
4290879149 C:\WINDOWS\SYSTEM\LOADWC.EXE
4290910081 C:\WINDOWS\QUICKRES.EXE
4290910565 C:\NETSCAPE\PROGRAM\NSNOTIFY.EXE
4290904289 C:\WINDOWS\SYSTEM\ .EXE
4294732449 C:\WINDOWS\SYSTEM\DDHELP.EXE
4294240185 C:\WINDOWS\SYSTEM\RNAAPP.EXE
4278779641 C:\WINDOWS\SYSTEM\TAPISRV.EXE
4203132429 C:\PROGRAM FILES\ICQ\ICQ.EXE
4294742757 C:\PROGRAM FILES\NETSCAPE\NAVIGATOR\PROGRAM\NETSCAPE.EXE
End of processes
---------------------------------------------------------------------------


  (The "Directory List" command)
   ============================
  Chaplin Corp's first "default.cbr" file simply showed an error message
  in response to this command.  It now has a number of the real file names
  that would normally be listed in the root directory. (Unfortunately, the
  size of the response is still limited to only 800 bytes. Including the
  blank spaces!)

-------------------------------------------------------------
Contents of directory $$1
                  5166 --H-R-- 01-01-01 1184:02 SUHDLOG.DAT
                  1641 -AH-RS- 10-14-98 10:42 MSDOS.SYS
                 93812 -A----- 01-01-01 1184:02 COMMAND.COM
                   472 -A----- 01-01-01 1184:02 SCANDISK.LOG
                     3 -A----- 04-24-98 15:22 CONFIG.SYS
                     0 D------ 01-01-01 1184:02 WINDOWS
                     0 D-H--S- 04-27-98 19:05 RECYCLED
    PROGRA~1         0 D---R-- 01-01-01 1184:02 Program Files
                  1630 --H---- 01-01-01 1184:02 MSDOS.---
                 64933 -AH---- 01-01-01 1184:02 SETUPLOG.TXT
                214836 --H-RS- 01-01-01 1184:02 IO.SYS
-------------------------------------------------------------
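
  An added example, not part of the original guide or of BoSpy: a Python
  check that the edited responses still agree with each other, using the
  three rules given above (machine name identical in "Ping Host" and
  "System Info", the " .EXE" entry kept in the process list, no response
  over 800 bytes). It works on text copied from the CONFIG.EXE edit
  window, not on the .cbr file; the dictionary labels, function names and
  sample data are constructed, and counting each line-return as two bytes
  (CR+LF) is an assumption.

```python
import re

MAX_RESPONSE_BYTES = 800                      # limit stated in the guide
BO_SERVER_ENTRY = r"C:\WINDOWS\SYSTEM\ .EXE"  # entry the guide says must stay

def response_size(text):
    """Bytes in a response, counting every line-return as CR+LF (assumption)."""
    return len("\r\n".join(text.splitlines()).encode("latin-1", "replace"))

def lint_responses(responses):
    """responses maps a label for each BO command to its edit-window text."""
    problems = []
    for name, text in responses.items():
        size = response_size(text)
        if size > MAX_RESPONSE_BYTES:
            problems.append(f"{name}: {size} bytes, limit is {MAX_RESPONSE_BYTES}")
    # The name between the last two '!' must equal the System Info machine name.
    pong = re.search(r"!PONG!.*!([^!]*)!\s*$", responses.get("Ping Host", ""))
    info = re.search(r"System info for machine '([^']*)'",
                     responses.get("System Info", ""))
    if pong and info and pong.group(1) != info.group(1):
        problems.append(f"machine name: Ping Host has {pong.group(1)!r}, "
                        f"System Info has {info.group(1)!r}")
    procs = responses.get("Process List")
    if procs is not None and BO_SERVER_ENTRY not in procs:
        problems.append("Process List: the ' .EXE' BO server entry is missing")
    return problems

# Constructed sample with three deliberate mistakes (not data from default.cbr).
SAMPLE = {
    "Ping Host": "!PONG!1.20!OEMCOMPUTER!",
    "System Info": "System info for machine 'DEFAULT'\nCurrent user: 'John'\n"
                   "Processor: I586\nEnd of system info",
    "Process List": "  pid  -    Executable\n"
                    r"4290852241 C:\WINDOWS\EXPLORER.EXE" "\n"
                    r"4290902265 C:\WINDOWS\SYSTEM\SYSTRAY.EXE" "\nEnd of processes",
    "Directory List": "\n".join(
        f"{i:>22} -A----- 04-24-98 15:22 FILE{i:04d}.TXT" for i in range(20)),
}

if __name__ == "__main__":
    for problem in lint_responses(SAMPLE):
        print(problem)
```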

 EOF. The Starman. 05/20/99.
