Security Basics mailing list archives

RE: New Trojan?


From: Raj <aquarajb () yahoo com>
Date: Thu, 1 Jul 2004 04:21:21 -0700 (PDT)

Hi Jeff

Well, a few weeks back I was infected too. Whenever I mistyped the URL, IE led me to Incredfind.net. I tried all sorts of things but the tools never helped me out, so I found a few suspicious files by manual search in my temp folder. While examining the files I found that it had installed an exe file in the system folder, and it had made changes in the Windows registry like "Blog.Incrid*.*", so manually I deleted the entries made by it in the registry, and at last my computer is disinfected from that Blog.

So now you can manually disinfect your machine.

bye

Raj


-----Original Message-----
From: Jeff [mailto:Jeff@Not_A_Real_Address.com] 
Sent: Monday, June 28, 2004 1:15 PM
To: security-basics () securityfocus com
Subject: New Trojan?

PLEASE READ ... I feel violated and need much help, if not for the PC, for my nerves.

The PC is a WinXP box, fully patched, routinely checked with Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also use Thunderbird 0.6 and Firefox 0.8. All other family members run Thunderbird on this box. IE6 has not been removed but is fully patched.

Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is running. (I purposely purchased the licenses at work for our home users also so that they WOULD stay up to date -- a practice I learned from Sprint a long, long time ago.)

I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards. He read them. Doesn't remember where they took him, nor does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to www.netidentity.com with the mistaken URL clearly identified inside. Identical results on IE6 and Firefox. Java and Javascript are disabled on Firefox. I leave IE6 alone because I use it when I absolutely must go to some bogus activex site, oh, and windowsupdate. But I don't use it otherwise. I always use Firefox.

    URLs that caused this include: mapblast, mapquest, abc, def ... through xyz.

    Please note: I had typed "mapblast" but had hit Enter rather than Ctrl-Enter, by mistake. The URLs entered are literally those listed, just the word.

    They are then transformed to http://mapblast/

4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to their
** old tricks with its Site Finder business. A quick check of
** another PC in the house eliminated that.

5. I checked my syslogs and NULL routed the IP address being used to access www.netidentity.com. The same page comes up sans the graphics and the flash. The web page is still there though, just looking sad. Another check of the syslogs brings up 64.15.175.5 as generating the pages, an open proxy.

6. Also ran HiJackThis and went through ALL of the items on it. Nada. Couldn't find the IP addresses or domain names in the registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS server wasn't stuck in. Nope, still set to use the Netgear box. Put 4 different DNS servers in -- still get that stupid site.

8. That was all at lunchtime. Haven't had a chance to run netstat or Ethereal to gain any additional clues.

ZOIKS!!!

The PC is off. But NOT knowing what is going on is driving me insane.

So while I <ahem> work this afternoon, I thought I would see if any of this sounds, smells or <insert fav sense here> like anything that anyone has seen before!

Jeff





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


=== message truncated ===
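The places Jeff's steps 6 and 7 and Raj's cleanup touch (IE search and start-page values, URL search hooks, Run keys, the hosts file and the DNS servers each adapter really uses) can be audited in one pass. The script below is an added example, not code from either poster; it assumes PowerShell rather than the 2004-era tools they used, and the allow-listed domains, the name pattern and the Test-ExpectedUrl helper are constructed placeholders to adjust for your own machine.

```powershell
# Added audit script, not from the thread. The allow-listed domains and the
# suspicious-name pattern are constructed placeholders; adjust them locally.
$ExpectedDomains = @('microsoft.com', 'msn.com', 'bing.com')
$NamePattern     = 'Incr'   # placeholder for names like the "Incrid" entry Raj found
$Findings = New-Object System.Collections.Generic.List[string]
function Test-ExpectedUrl([string]$Url) {
    # $true when the URL's host is an allow-listed domain; anything else is flagged.
    try { $h = ([uri]$Url).Host } catch { return $false }
    foreach ($d in $ExpectedDomains) { if ($h -eq $d -or $h -like "*.$d") { return $true } }
    return $false
}
# 1. IE search/start-page values: the usual home of a mistyped-URL redirect.
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Microsoft\Internet Explorer\Search') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '^https?://' -and -not (Test-ExpectedUrl $p.Value)) {
            $Findings.Add("Unexpected URL: $key\$($p.Name) = $($p.Value)")
        }
    }
}
# 2. URL search hooks (what turns a bare word into a search): resolve each CLSID to its DLL.
$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path $hookKey) {
    foreach ($p in (Get-ItemProperty $hookKey).PSObject.Properties) {
        if ($p.Name -notmatch '^\{') { continue }          # skip PSPath and friends
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<unregistered CLSID>' }
        $Findings.Add("URL search hook $($p.Name) -> $dll")
    }
}
# 3. Run keys whose value name or command line matches the suspicious-name pattern.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ("$($p.Name) $($p.Value)" -match $NamePattern) { $Findings.Add("Run entry: $key\$($p.Name) = $($p.Value)") }
    }
}
# 4. hosts-file overrides other than the standard localhost line, and the DNS
#    servers each enabled adapter actually uses (Jeff's step 7 by hand).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost' } |
    ForEach-Object { $Findings.Add("hosts entry: $($_.Trim())") }
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $Findings.Add("DNS on $($_.Description): $($_.DNSServerSearchOrder -join ', ')") }
$Findings
```

Every search hook and Run entry is listed, not only the flagged ones, so compare the resolved DLL paths against a known-clean machine the way Jeff compared against the other PC in the house.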


