Vulnerability Development mailing list archives
Re: All Advantage Spyware
From: George Karatsiolis <benettor () IRC GR>
Date: Sat, 16 Sep 2000 15:53:35 +0300
Exploring advert.dll version 2.0 (build 12) (the one on Go!Zilla 3.5) I found that:

- advert.dll *DOES NOT* collect the current system user name as listed on
  Software\Microsoft\Windows\CurrentVersion\RegisteredOwner and RegisteredOrganization.

- advert.dll *DOES NOT* open a listen() socket to accept commands from a remote machine.

- advert.dll creates a hidden window with "advert.dll hidden window" ClassName:

  :0040B926 C745E074A44600   mov [ebp-20], 0046A474
  :0040B92D 51               push ecx
  (USER32.RegisterClassA)
  :0040B92E E8D9B60500       Call 0046700C
  :0040B933 6A00             push 00000000
  :0040B935 8B432E           mov eax, dword ptr [ebx+2E]
  :0040B938 50               push eax
  :0040B939 6A00             push 00000000
  :0040B93B 6A00             push 00000000
  :0040B93D 6A10             push 00000010
  :0040B93F 6A10             push 00000010
  :0040B941 6A00             push 00000000
  :0040B943 6A00             push 00000000
  :0040B945 6A00             push 00000000

  and caption: "[hidden window]":

  :0040B947 68A6A44600       push 0046A4A6
  :0040B94C 688DA44600       push 0046A48D
  :0040B951 6A00             push 00000000
  (USER32.CreateWindowExA)
  :0040B953 E8A4B40500       Call 00466DFC
  :0040B958 8BF0             mov esi, eax
  :0040B95A 89732A           mov dword ptr [ebx+2A], esi
  :0040B95D 53               push ebx

- advert.dll calls from "Rasapi32.dll" the following functions:

  RasEnumConnectionsA
  RasGetConnectStatusA
  RasHangUpA
  RasEnumEntriesA
  RasDialA
  RasGetErrorStringA

  and enums all dialup sessions and collects information such as ISP Name,
  Dialup Number (incl. area code) and Username (only username without the
  password). See what MSDN Microsoft says about:

  * RasEnumConnections: This function lists all active RAS connections. It
    returns each connection's handle and phone book entry name.

  * RasHangUpA: The RasHangUp function terminates a remote access connection.
    The connection is specified with a RAS connection handle.

  RasHangUpA ? ;-)

- advert.dll communicates with http://www.adsoftware.com/

- advert.dll collects information for all installed applications from:
  "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"

  :0040A944 689DA14600           push 0046A19D
  :0040A949 6802000080           push 80000002
  :0040A94E 8D4DDC               lea ecx, dword ptr [ebp-24]
  :0040A951 51                   push ecx
  :0040A952 E871F3FFFF           call 00409CC8
  :0040A957 83C40C               add esp, 0000000C
  :0040A95A FF859CFDFFFF         inc dword ptr [ebp+FFFFFD9C]
  :0040A960 66C78590FDFFFF5000   mov word ptr [ebp+FFFFFD90], 0050
  :0040A969 66C78590FDFFFF5C00   mov word ptr [ebp+FFFFFD90], 005C

- advert.dll, beyond others, imports the following DLLs and functions:

  ADVAPI32.dll:
  -------------
  RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA,
  RegEnumKeyExA, RegEnumValueA, RegQueryInfoKeyA, RegQueryValueExA,
  RegSetValueExA

  KERNEL32.dll:
  -------------
  CloseHandle, CreateDirectoryA, CreateFileA, CreateFileW, CreateMutexA,
  CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW,
  DosDateTimeToFileTime, DuplicateHandle, EnterCriticalSection,
  ExitProcess, ExitThread, FileTimeToDosDateTime,
  FileTimeToLocalFileTime, FindClose, FindFirstFileA, FindNextFileA,
  FindResourceA, FreeEnvironmentStringsA, FreeLibrary,
  FreeResource, GetACP, GetCPInfo, GetCurrentProcess, GetCurrentProcessId,
  GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDriveTypeA,
  GetEnvironmentStrings, GetExitCodeThread, GetFileAttributesA,
  GetFileAttributesW, GetFileSize, GetFileTime, GetFileType,
  GetFullPathNameA, GetLastError, GetLocalTime, GetModuleFileNameA,
  GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress,
  GetStartupInfoA, GetStdHandle, GetStringTypeW, GetSystemInfo,
  GetTempFileNameA, GetTempPathA, GetTimeZoneInformation, GetVersion,
  GetVersionExA, GetVolumeInformationA, GetWindowsDirectoryA, GlobalAlloc,
  GlobalFree, GlobalLock, GlobalMemoryStatus, GlobalUnlock,
  InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA,
  LoadResource, LocalAlloc, LocalFileTimeToFileTime, LocalFree, LocalHandle,
  LocalLock, LocalReAlloc, LocalUnlock, LockResource, MoveFileExA, MulDiv,
  MultiByteToWideChar, RaiseException, ReadFile, ReleaseMutex,
  ReleaseSemaphore, ResumeThread, RtlUnwind, SetConsoleCtrlHandler,
  SetEndOfFile, SetErrorMode, SetFileAttributesA, SetFilePointer,
  SetFileTime, SetHandleCount, SetThreadPriority, SizeofResource, Sleep,
  SleepEx, SuspendThread, TerminateThread, TlsAlloc, TlsFree, TlsGetValue,
  TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree,
  VirtualQuery, WaitForMultipleObjectsEx, WaitForSingleObject,
  WaitForSingleObjectEx, WideCharToMultiByte, WinExec, WriteFile, lstrcmpA,
  lstrcmpiA

  WSOCK32.dll:
  ------------
  WSAAsyncGetHostByName, WSAAsyncSelect, WSACancelAsyncRequest, WSACleanup,
  WSAGetLastError, WSAStartup, closesocket, connect, htonl, htons,
  inet_addr, ioctlsocket, ntohl, ntohs, recv, select, send, shutdown,
  socket

- advert.dll exports:

  __stdcall SocketWndProc(HWND__ *, unsigned int, unsigned int, long),
  __lockDebuggerData(), __unlockDebuggerData(), _GetStatus,
  _IsConnectOkay, _OnClick, _Paint, _RetryConnect, _SetAdRecordedCallback,
  _SetBandwidthThrottle, _SetCallback, _SetMinimumAdDisplayTime,
  _SetNetworkCallback, _SetNetworkState, _SetProxy, _Shutdown, _StartOffline,
  _Startup, _StopOffline, _UseDefaultAd, __DebuggerHookData, _adler32,
  _compress, _debugTriggerEvent, _deflate, _deflateCopy, _deflateEnd,
  _deflateInit2_, _deflateInit_, _deflateParams, _deflateReset,
  _deflateSetDictionary, _inflate, _inflateEnd, _inflateInit2_,
  _inflateInit_, _inflateReset, _inflateSetDictionary, _inflateSync,
  _zlibVersion, std_GetStatus, std_IsConnectOkay, std_OnClick, std_Paint,
  std_RetryConnect, std_SetAdRecordedCallback, std_SetBandwidthThrottle,
  std_SetCallback, std_SetMinimumAdDisplayTime, std_SetNetworkCallback,
  std_SetNetworkState, std_SetProxy, std_Shutdown, std_Startup,
  std_UseDefaultAd, std_debugTriggerEvent

- advert.dll contains the following resources:

  1 Bitmap (company logo)
  1 Icon
  6 Dialogs (that prompt for user information)
  24 RCData, GIF files of 57k
  Version Information

- advert.dll contains the following messages ;-) :

  * The quick brown fox jumped over the moon.
  * The eagle has landed on the lazy dog.
  * The buzzard flies at one.
  * The truth is out there.

Visit http://egnatia.ee.auth.gr/~gkar/wintask and download WinTask 9x/NT.
This utility allows you to list and stop any process that runs on your
computers. Stop that hidden window and you will not receive and send
information. Mail me for suggestions and bugs.

If someone has an advert.dll older than version 2.0 (build 12) please
contact me asap.

More information on advert.dll on a future post.

George Karatsiolis
gkar () ee auth gr
benettor () irc gr
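The post's findings rest on reading the DLL's import table: registry enumeration plus RAS profiling plus a Winsock client in one module is the collect-and-phone-home shape a reviewer looks for. The script below is an added example (not from the post or from adsoftware): it scores an import table against capability signatures built from the APIs the post names. CAPABILITIES is a hypothetical heuristic set, and ADVERT_DLL_IMPORTS is a constructed subset of the post's import list, so the verdict is a review prompt, not proof of behaviour.

```python
"""Import-table triage modelled on the advert.dll write-up (added example)."""

# Hypothetical capability signatures: (DLL, functions); any one match counts.
CAPABILITIES = {
    "registry_enum":    ("ADVAPI32.dll", {"RegEnumKeyExA", "RegEnumValueA", "RegQueryValueExA"}),
    "dialup_profiling": ("Rasapi32.dll", {"RasEnumEntriesA", "RasEnumConnectionsA"}),
    "dialup_control":   ("Rasapi32.dll", {"RasDialA", "RasHangUpA"}),
    "network_client":   ("WSOCK32.dll",  {"socket", "connect", "send", "recv"}),
    "process_launch":   ("KERNEL32.dll", {"WinExec"}),
}

def detect_capabilities(imports):
    """imports: {dll: [function, ...]} as read from a PE import table.
    DLL names compare case-insensitively (the loader treats them that way);
    function names are exact. Returns {capability: sorted matched names}."""
    by_dll = {dll.lower(): set(funcs) for dll, funcs in imports.items()}
    found = {}
    for cap, (dll, needed) in CAPABILITIES.items():
        hit = needed & by_dll.get(dll.lower(), set())
        if hit:
            found[cap] = sorted(hit)
    return found

def triage(imports):
    """Flag the collect-then-send pattern: local data gathering and an
    outbound socket client in the same module. Imports alone never prove
    behaviour, so "review" means 'look at the code', not 'malicious'."""
    caps = detect_capabilities(imports)
    collects = bool({"registry_enum", "dialup_profiling"} & set(caps))
    sends = "network_client" in caps
    if collects and sends:
        level = "review"
    elif collects or sends:
        level = "note"
    else:
        level = "clean"
    return {"level": level, "capabilities": caps}

# Constructed subset of the import list quoted in the post.
ADVERT_DLL_IMPORTS = {
    "ADVAPI32.dll": ["RegCloseKey", "RegEnumKeyExA", "RegEnumValueA", "RegQueryValueExA"],
    "KERNEL32.dll": ["CreateFileA", "FindFirstFileA", "WinExec", "WriteFile"],
    "RASAPI32.dll": ["RasEnumConnectionsA", "RasEnumEntriesA", "RasDialA", "RasHangUpA"],
    "WSOCK32.dll":  ["WSAStartup", "socket", "connect", "send", "recv", "closesocket"],
}

if __name__ == "__main__":
    result = triage(ADVERT_DLL_IMPORTS)
    print("level:", result["level"])
    for cap, funcs in result["capabilities"].items():
        print(f"  {cap:18} {', '.join(funcs)}")
```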