Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Spyware? Worm? Trojan? "face license free bait"

From: Jason Thibeault <jthibeault () gmail com>
Date: Wed, 29 Sep 2004 21:42:51 -0400
This would be the newest version of LOP, a nice piece of spyware that
present Spybot S&D signature files don't recognize.  You probably got
it (like a few others at my workplace) by installing Messenger Plus! 3
and agreeing to the EULA that it presents.  Here's a hint -- that EULA
isn't for Messenger Plus!, but rather for C2Media's "sponsor program".
As soon as I'm done the draft for a quick dissection I just completed
earlier this afternoon, I'll post it in reply to this thread.


On Wed, 29 Sep 2004 10:39:31 -0700 (PDT), Harlan Carvey
<keydet89 () yahoo com> wrote:

Wow.  English aside, I have no idea where to
start...there are so many questions that need to be
asked for clarification on this that I don't know
whether to sh*t or go blind!


I found something VERY VERY STRANGE on my computer
last evening...


Yeah, so did I...the user!  ;-)

Okay, here's an excerpt from the email...


While writing this lines I found two another shit
directories :'(

C:\PROGRA~1\Corn Internet Soft

Filename        Size    CRC-32
C5EDFC35        1060    92EE5B2C  [set as system
files]
cemaylou.exe        272966    70370FFB (other name
it has taken :
nxkkxpjy.exe, greyend.exe, metapoll.exe)
HOLE NAME.exe        240663    A2325E7C
logduperoad.exe        9970    25C7A91D
seek barb regs win.exe    47616    D41BE72E (other
name it has taken :
batbodypokeextra.exe)


C:\PROGRA~1\upload admin bind

Filename        Size    CRC-32
DELETE PLAY.exe        15526    95665A33

And I'm unable to delete any of these files !! They
are not displayed in
taskmgr, and :

--
PsKill v1.03 - local and remote process killer
Copyright (C) 2000 Mark Russinovich
http://www.sysinternals.com

Unable to kill process cemaylou.exe:
Process does not exist.
--


Okay, so you found cemaylou.exe in a directory...what
made you think that it was a process?  Just b/c you
can't delete them, what makes you think that they
*would* appear in TaskManager?


I've tried to sniff all these exe names using tools
from SysInternals
but I can't find any of these o_o !!


Are you referring to FileMon and RegMon?  Again...just
b/c you can't delete the files, why do you think they
are running?


What the hell is going on on my computer ?? Is Big
Brother watching me ? =)


Yes, I am.  Feel free to disconnect the power to your
computer, disconnect all other cables, and throw the
system in the trash.  After watching you for a while,
I've had enough fun...that thing you did the other
night was funnier than "America's Funniest Home
Videos" and "COPs" put together.


Thank you very much indeed for your help.. and sorry
for my really bad english.


It isn't your English that's the problem, dude...it's
all the Jolt cola you've been drinking, and that other
thing you did that time in that place...

=====
------------------------------------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
------------------------------------------------------------------------



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: