Re: New Trojan?

[René Nieslony (FLEXITI GmbH) <nieslony () flexiti de>]

Hello Jeff,

1.) Did you update your Spybot before scanning?

2.) Did you check the content your hosts-file?

3.) Did you search your registry for "netidentity"?

4.) If nothing helps, you should try to reinstall IE6 and patch it.


René

----- Original Message ----- 
From: "Jeff" <Jeff@Not_A_Real_Address.com.telenet-ops.be>
To: <security-basics () securityfocus com>
Sent: Monday, June 28, 2004 8:14 PM
Subject: New Trojan?


> PLEASE READ ... I feel violated and need much help, if not for the PC,

> for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with Spybot 
> 1.3 and AdAware 6. I run SpywareBlaster as well. I also use 
> Thunderbird 0.6 and Firefox 0.8. All other family members run 
> Thunderbird on this box. IE6 has not bee removed but is fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is 
> running. (I purposely purchased the licenses at work for our home 
> users also so that they WOULD stay up to date -- a practice I learned 
> from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
>     He read them. Doesn't remember where they took him, nor
>     does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
>     to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
>     www.netidentity.com with the mistaken URL clearly
>     identified inside. Identical results on IE6 and Firefox.
>     Java and Javascript are disabled on Firefox. I leave IE6
>     alone because I use it when I absolutely must go to some
>     bogus activex site, oh, and windowsupdate. But I don't use
>     it otherwise. I always use Firefox.
>
>     URLs that caused this include: mapblast, mapquest, abc, def
>     ... through xyz.
>
>     Please note: I had typed "mapblast" but had hit Enter rather
>     than Ctrl-Enter, by mistake. The URLs entered are literally
>     those listed, just the word.
>
>     They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
>     updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to thier
> ** old tricks with it's Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
>     to access www.netidentity.com. The same page comes up sans the
>     graphics and the flash. The web page is still there though, just
>     looking sad. Another check of the syslogs brings up 64.15.175.5
>     as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
>     Nada. Couldn't find the IP addresses or domain names in the
>     registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
>     server wasn't stuck in. Nope, still set to use the Netgear box.
>     Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
>     or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any of

> this sounds, smells or <insert fav sense here) like anything that 
> anyone has seen before!
>
> Jeff
>
>
>
> ----------------------------------------------------------------------
> ----
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545

> off any course! All of our class sizes are guaranteed to be 10 
> students or
less
> to facilitate one-on-one interaction with one of our expert 
> instructors. Attend a course taught by an expert instructor with years

> of in-the-field pen testing experience in our state of the art hacking

> lab. Master the
skills
> of an Ethical Hacker to better assess the security of your 
> organization. Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------
> ----
--
>


------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


__________ NOD32 1.799 (20040701) Information __________

Diese E-Mail wurde vom NOD32 Antivirus System geprüft
http://www.nod32.com



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------