Security Basics mailing list archives
RE: New Trojan?
From: Raj <aquarajb () yahoo com>
Date: Thu, 1 Jul 2004 04:21:21 -0700 (PDT)
Hi Jeff,

Well, a few weeks back I was infected too. Whenever I mistyped the URL, IE led me to Incredfind.net. I tried all sorts of things but the tools never helped me out, so I found a few suspicious files by manual search in my temp folder. While examining the files I found that it had installed an exe file in the system folder, and it had made changes in the Windows registry like "Blog.Incrid*.*". So I manually deleted the entries made by it in the registry, and at last my computer is disinfected from that Blog. So now you manually disinfect your machine.

Bye,
Raj
-----Original Message-----
From: Jeff [mailto:Jeff@Not_A_Real_Address.com]
Sent: Monday, June 28, 2004 1:15 PM
To: security-basics () securityfocus com
Subject: New Trojan?

PLEASE READ ... I feel violated and need much help, if not for the PC, for my nerves.

The PC is a WinXP box, fully patched, routinely checked with Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also use Thunderbird 0.6 and Firefox 0.8. All other family members run Thunderbird on this box. IE6 has not been removed but is fully patched. Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19, is running. (I purposely purchased the licenses at work for our home users also so that they WOULD stay up to date -- a practice I learned from Sprint a long, long time ago.) I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards. He read them. Doesn't remember where they took him, nor does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to www.netidentity.com with the mistaken URL clearly identified inside. Identical results on IE6 and Firefox. Java and Javascript are disabled on Firefox. I leave IE6 alone because I use it when I absolutely must go to some bogus ActiveX site, oh, and windowsupdate. But I don't use it otherwise. I always use Firefox.

URLs that caused this include: mapblast, mapquest, abc, def... through xyz.

Please note: I had typed "mapblast" but had hit Enter rather than Ctrl-Enter, by mistake. The URLs entered are literally those listed, just the word. They are then transformed to http://mapblast/

4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to their
** old tricks with its Site Finder business. A quick check of
** another PC in the house eliminated that.

5. I checked my syslogs and NULL routed the IP address being used to access www.netidentity.com. The same page comes up sans the graphics and the flash. The web page is still there though, just looking sad. Another check of the syslogs brings up 64.15.175.5 as generating the pages, an open proxy.

6. Also ran HiJackThis and went through ALL of the items on it. Nada. Couldn't find the IP addresses or domain names in the registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS server wasn't stuck in. Nope, still set to use the Netgear box. Put 4 different DNS servers in -- still get that stupid site.

8. That was all at lunchtime. Haven't had a chance to run netstat or Ethereal to gain any additional clues.

ZOIKS!!! The PC is off. But NOT knowing what is going on is driving me insane. So while I <ahem> work this afternoon, I thought I would see if any of this sounds, smells or <insert fav sense here> like anything that anyone has seen before!

Jeff
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
=== message truncated ===
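Jeff's steps 3 and 7 (mistyped names that always resolve, and a check for a swapped-in DNS server) and Raj's manual hunt for the redirect's hooks are the kind of checks a small script can make repeatable. The following is an added example written for this archive page, not code from either poster: it probes the resolver with random nonsense hostnames that should never resolve, and parses hosts-file text for non-loopback overrides. Every function name, the documentation-range addresses (192.0.2.x) and the sample hosts text are this example's own constructions; the page does not describe any such tool.

```python
"""Added example: offline-testable checks for "mistyped names never fail"
symptoms (wildcard/NXDOMAIN redirection) and for hosts-file overrides.
Not from the original thread; all names and sample data are constructed."""
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a hostname to an IP string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Ask the OS resolver; None means NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_resolver(ip: str = "192.0.2.10") -> Resolver:
    """Constructed stand-in for a resolver that answers every name (what a
    typo-redirecting ISP, a tampered DNS setting or a catch-all hosts entry
    looks like from the client). Used here for demonstration and testing."""
    return lambda name: ip


def random_hostname(tld: str = "com", rng: Optional[random.Random] = None) -> str:
    """Build a 12-character nonsense label nobody should own, e.g. 'zq7k3x9wlp4f.com'."""
    if rng is None:
        rng = random.Random()
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(rng.choice(alphabet) for _ in range(12))
    return f"{label}.{tld}"


def probe_nxdomain_hijack(resolve: Resolver, samples: int = 5,
                          seed: Optional[int] = None) -> List[Tuple[str, str]]:
    """Return (name, ip) for each random name that unexpectedly resolved.

    A healthy resolver yields an empty list. If every probe comes back with
    the same address, the resolution path is rewriting non-existent names,
    which is exactly the "mistyped URL goes somewhere" symptom.
    """
    rng = random.Random(seed)
    hits: List[Tuple[str, str]] = []
    for _ in range(samples):
        name = random_hostname(rng=rng)
        ip = resolve(name)
        if ip is not None:
            hits.append((name, ip))
    return hits


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> IP from hosts-file text, skipping comments and loopback.

    Anything left over is an override worth explaining: legitimate entries
    are rare on a home PC, and a redirect to an unfamiliar address is a
    classic way to hijack a handful of popular names.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip in ("127.0.0.1", "::1"):        # ordinary localhost lines
            continue
        for host in names:
            entries[host.lower()] = ip
    return entries


# Constructed sample hosts text (not from any real machine).
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost
# an override of the kind a redirector would plant
192.0.2.10  mapblast www.mapquest.com
"""

if __name__ == "__main__":
    hits = probe_nxdomain_hijack(system_resolver)
    print("random-name probes that resolved:", hits or "none (resolver looks healthy)")
    print("non-loopback hosts overrides:", parse_hosts(SAMPLE_HOSTS))
```

Run it once against the live resolver and once with a different DNS server configured, as Jeff did; if the random probes resolve in both cases the rewrite is happening on the host itself (hosts file, a local proxy, or a browser add-on), not upstream, which narrows where to look next.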
Current thread:
- RE: New Trojan?, (continued)
- RE: New Trojan? David Gillett (Jul 01)
- Use logs from nmap efrén serrano (Jul 05)
- Re: Use logs from nmap Spurge (Jul 06)
- Re: New Trojan? Zoran Perkov (Jul 01)
- RE: New Trojan? Lauren Ward (Jul 01)
- Re: New Trojan? Michael Painter (Jul 01)
- Re: New Trojan? Greg Bur (Jul 01)
- Re: New Trojan? FLEXITI GmbH (Jul 01)
- re: New Trojan? Jeff (Jul 01)
- RE: New Trojan? Steven Hess (Jul 01)
- RE: New Trojan? Raj (Jul 01)