Security Basics mailing list archives

re: New Trojan?


From: Jeff <Jeff@Not_A_Real_Address.com>
Date: Thu, 01 Jul 2004 10:40:30 -0400

Please understand that I posted to NTBugTraq as well as to
ComputerCops website. You all are the first group of folks to
respond. Here are some of the additional activities that I've
completed.

> Spent hours on this, going nowhere quickly.
Still in the same spot ... minus some hair.

> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
Updated to 6/30/2004 r16 and re-scanned. Nada.

This was sent to NTBugTraq ... more at the bottom.

**********************************************************************
8. Using Spybot 1.3, I reviewed the browser search pages. Each of them is what I would consider a standard page. In fact, all of them are identical to the ones that I have at work, sans the Compaq pages. I built my PC at home - work is a Compaq (HP) box.

9. Ran latest CWS_Shredder. Nothing found.

10. Their exploit works while in "Safe mode w/Networking". Makes me believe that it is not DLL or EXE related. Is that true?

11. Noticed that it leaves a cookie behind. JavaScript is required to be enabled. The cookie includes the bad URL (http://mapblast/) and has "he" <tab> "llo" at the end. I found lots of little pop-under scripts on the internet that are using a similar technique. None of them talk about using the exploit in this manner.

12. When run using IE6, another IE window is displayed on the Taskbar, but it will not maximize. What little bit I can read of the button displays fastclick. This appears to fall in line with the JavaScript code that I saw in item 11.

******
UPDATE: A quick review of the JavaScript from the site explains #11 and #12. It is the same script that I've seen everywhere.
******

I ran sysinternals filemon to look for something common between the browsers, but I was overwhelmed by the flood of information. Wonderful tool, but kind of like reading firewall logs, great if you're looking for something specific. I need a summary to display something out of the ordinary. And I'm not even certain what "out of the ordinary" is.

I have NULL routed the netidentity.com domains and set up a static route
for 64.15.175.5 to a non-existent IP address for the time being.

I don't know if this is just simple adware, site tracking, a keylogger or worse. So I am treating it as if it was worse.

In the meantime, the PC is STILL off.

And I am bumming, and quickly falling behind in work I need to do at night. Any suggestions as to where to look next? Would also appreciate any constructive comments on my troubleshooting techniques.

**********************************************************************
Just to update some of the MUCH APPRECIATED responses.
                           ================

To Kit, Rivera, Brian   RE: CWS_Shredder -- See #9 above.

To Brian, Brad and Kenton   RE: HOSTS file -- I have a small HOSTS file
that I normally keep set at READ ONLY. Plus, I use Spybot's additions
to that file. I had Spybot remove all of its additions, and I reviewed what was left. They were only the items for what is in my house.

I added netidentity.com and www.netidentity.com to this file to point to 127.0.0.1. The end result was that the exploit only pulls the basic file from 64.15.175.5, but leaves the graphics that were at 216.10.106.149 (www.netidentity.com) out. The IP addresses are BOTH owned by the same company.

To Chris RE: tinyurl.com/2y76v -- Haven't checked the LMHOSTS file! :O BALLZ! Will do at lunchtime and let everyone know. Sure smells like the exact same problem. This would explain why the exploit worked when the system was running in safe mode w/networking too. <sigh - hope> Not certain how I forgot that one! I have to check on whether I even have the USE LMHOSTS file enabled. There is no good reason to use it at all in my home environment.

To Okiwaso -- Lots of good ideas, and thank you for the time you spent on the message. Have fully checked all the registry entries that you mentioned and also haven't found any unusual processes running. I also checked all of the ZONES for sites added, but will follow your advice regarding some of the security settings.

The main purpose for IE6 is ONLY to have the convenience of windowsupdate. I use HFNetChkPro here at work, so I really ought to get off my lazy butt and just burn a CD with the appropriate patches when required and THEN bring them home. IE6 is just too spooky.

Thanks to everyone for the help. I'll keep you updated.
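As an added example (not code from the original post or from any of the respondents), here is a small Python audit of the HOSTS and LMHOSTS checks discussed above: it parses both Windows file formats, recognises the LMHOSTS #PRE and #DOM: keywords, and flags any entry that maps a name to a non-loopback, non-private address, which on a home machine is exactly the kind of hijack worth a hard look. The file contents are constructed samples, not the poster's real files.

```python
import ipaddress
import re

# Constructed sample HOSTS file: the two loopback entries from the post, a
# device in the house, and one hijack-style line sending a real name off-box.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       netidentity.com
127.0.0.1       www.netidentity.com
192.168.1.10    printer.home.lan           # a device in the house
64.15.175.5     windowsupdate.microsoft.com  # a real name pointed elsewhere
"""

# Constructed sample LMHOSTS file (NetBIOS names; '#PRE' and '#DOM:' are
# keywords, anything else after '#' is a comment).
SAMPLE_LMHOSTS = """\
# LMHOSTS sample
192.168.1.5     FILESRV      #PRE
64.15.175.5     WWW          #PRE  #DOM:HOME
"""

def parse_hosts(text):
    """Return [(ip, name)] from HOSTS text; '#' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((fields[0], n.lower()) for n in fields[1:])
    return entries

def parse_lmhosts(text):
    """Return [(ip, netbios_name, preloaded, domain)] from LMHOSTS text."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        rest = " ".join(fields[2:])
        dom = re.search(r"#DOM:(\S+)", rest)
        entries.append((fields[0], fields[1].upper(), "#PRE" in fields[2:],
                        dom.group(1) if dom else None))
    return entries

def suspicious(entries):
    """Entries whose address is neither loopback nor private. On a home box
    these files should only name local things, so anything else is worth a
    hard look (the post's blocking entries all point at 127.0.0.1)."""
    return [e for e in entries
            if not (ipaddress.ip_address(e[0]).is_loopback
                    or ipaddress.ip_address(e[0]).is_private)]
```

Note that, as the post observes, a HOSTS entry only helps for fetches by name; a script that references 64.15.175.5 directly bypasses it, which is why the static route was also needed.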


