Security Basics mailing list archives

RE: New Trojan?

From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 1 Jul 2004 10:41:58 -0700

1)Check your host file %windir%\system32\drivers\etc\hosts
and lmhost.sam


  The 'hosts.sam' and 'lmhosts.sam' files are SAMples, included
with the OS, of what live content in a 'hosts' or 'lmhosts' file
could look like.  DO NOT bother checking the .sam versions of
these files, since the OS ignores them!

David Gillett

-----Original Message-----
From: vrsnet () pandora be [mailto:vrsnet () pandora be]
Sent: Saturday, November 20, 2004 3:54 PM
To: security-basics () securityfocus com
Subject: Re: New Trojan?

1)Check your host file %windir%\system32\drivers\etc\hosts
and lmhost.sam
2)If that doesn't help do a search in the windir for files
!containing! the
url (best option is to search for netidentity.com)
  These will be mostly like this: hjkfqshkfjqh.xxx
  Then use wholockme or foundstone tools or filemonitor to
find out wich
programs run or use these files.
success

----- Original Message -----
From: "Jeff" <Jeff@Not_A_Real_Address.com.telenet-ops.be>
To: <security-basics () securityfocus com>
Sent: Monday, June 28, 2004 8:14 PM
Subject: New Trojan?

PLEASE READ ... I feel violated and need much help, if not for
the PC, for my nerves.

The PC is a WinXP box, fully patched, routinely checked with
Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
use Thunderbird 0.6 and Firefox 0.8. All other family members
run Thunderbird on this box. IE6 has not bee removed but is
fully patched.

Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
is running. (I purposely purchased the licenses at work for
our home users also so that they WOULD stay up to date -- a
practice I learned from Sprint a long, long time ago.)

I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards.
    He read them. Doesn't remember where they took him, nor
    does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT
    to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to
    www.netidentity.com with the mistaken URL clearly
    identified inside. Identical results on IE6 and Firefox.
    Java and Javascript are disabled on Firefox. I leave IE6
    alone because I use it when I absolutely must go to some
    bogus activex site, oh, and windowsupdate. But I don't use
    it otherwise. I always use Firefox.

    URLs that caused this include: mapblast, mapquest, abc, def
    ... through xyz.

    Please note: I had typed "mapblast" but had hit Enter rather
    than Ctrl-Enter, by mistake. The URLs entered are literally
    those listed, just the word.

    They are then transformed to http://mapblast/

4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
    updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to thier
** old tricks with it's Site Finder business. A quick check of
** another PC in the house eliminated that.

5. I checked my syslogs and NULL routed the IP address being used
    to access www.netidentity.com. The same page comes up sans the
    graphics and the flash. The web page is still there though, just
    looking sad. Another check of the syslogs brings up 64.15.175.5
    as generating the pages, an open proxy.

6. Also ran HiJackThis and went through ALL of the items on it.
    Nada. Couldn't find the IP addresses or domain names in the
    registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS
    server wasn't stuck in. Nope, still set to use the Netgear box.
    Put 4 different DNS servers in -- still get that stupid site.

8. That was all at lunchtime. Haven't had a chance to run netstat
    or Ethereal to gain any additional clues.

ZOIKS!!!

The PC is off. But NOT knowing what is going on is driving

me insane.


So while I <ahem> work this afternoon, I thought I would see if any
of this sounds, smells or <insert fav sense here) like anything that
anyone has seen before!

Jeff

--------------------------------------------------------------
------------
-

Ethical Hacking at the InfoSec Institute. Mention this ad

and get $545 off

any course! All of our class sizes are guaranteed to be 10

students or
less

to facilitate one-on-one interaction with one of our expert

instructors.

Attend a course taught by an expert instructor with years

of in-the-field

pen testing experience in our state of the art hacking lab.

Master the
skills

of an Ethical Hacker to better assess the security of your

organization.

Visit us at:

http://www.infosecinstitute.com/courses/ethical_hacking_training.html

--------------------------------------------------------------------------

--



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

RE: New Trojan? Nick Duda (Jun 30)
- <Possible follow-ups>
- Re: New Trojan? nee cee (Jun 30)
- Re: New Trojan? Michael Painter (Jul 01)
- RE: New Trojan? Beesley, Aubrey (Capita Symonds) (Jul 01)
- Re: New Trojan? vrsnet (Jul 01)
  - RE: New Trojan? David Gillett (Jul 01)
  - Use logs from nmap efrén serrano (Jul 05)
    - Re: Use logs from nmap Spurge (Jul 06)
- Re: New Trojan? Zoran Perkov (Jul 01)
- RE: New Trojan? Lauren Ward (Jul 01)
- Re: New Trojan? Michael Painter (Jul 01)
- Re: New Trojan? Greg Bur (Jul 01)
- Re: New Trojan? FLEXITI GmbH (Jul 01)
- re: New Trojan? Jeff (Jul 01)
- RE: New Trojan? Steven Hess (Jul 01)
- RE: New Trojan? Raj (Jul 01)