mrrockford
News Admin, AVPE Host
Joined: Apr 24, 2004 Posts: 3012
Posted: Sun Jan 13, 2008 8:24 am
Post subject: Please check these URLs for ..........whatever
xxx.removal-tool.com
xxx.removal-tool.com/malwarecrush/
xxx.fix-computer-problem.com
x=w as you know
ZA was trying to block but was having problems until I stepped in.
Thanks

tacktick
MIRT Hunter Premium Member
Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Sun Jan 13, 2008 5:51 pm
No malware on those sites.
Just a lousy affiliate trying to get hits and get people to download the 'removal tool', which happens to be Xoftspy.
The download link goes through ClickBank.
So basically spam or junk.
_________________
Analyzing, reporting and removing Malware. Fight the Scourge!

tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Sun Jan 13, 2008 7:19 pm
Code:
www.removal-tool.som

Has an iframe on it at the very bottom of the HTML code:

Code:
http://www.52gxy.cn/gua3.html

which tries various exploits such as JS/Exploit-BO.gen (McAfee) and Exploit-MS06-014 (McAfee).
I'll download all the exploits and put them on the malware listserv.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx

tacktick
MIRT Hunter Premium Member
Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Sun Jan 13, 2008 7:36 pm
Thanks tetak, I missed that.

tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Sun Jan 13, 2008 7:37 pm
Code:
http://www.52gxy.cn/gua3.html

Contains 2 iframes:

Code:
http://js.k0102.com/a11.htm
http://count38.51yes.com/click.aspx?id=386950387&logo=1

Code:
http://js.k0102.com/a11.htm

Tries to load 8 exploits.
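tetak's two posts above describe the usual drive-by chain: an iframe appended at the very bottom of an otherwise harmless page, pointing off-site at an exploit page that itself carries further iframes. The script below is an added example (not tetak's code or tooling) that pulls every iframe out of an HTML document and reports the ones that look injected: off-site src, zero-size, hidden by CSS, or placed after the closing </html> tag. SAMPLE_PAGE is constructed for the example and is not the real site's HTML; the only detail it reuses is the exploit URL quoted in the thread.

```python
"""Locate injected <iframe> tags in an HTML page.

Added example, not code from the thread. Stdlib only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeFinder(HTMLParser):
    """Collect every iframe with the reasons (if any) it looks injected."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.after_html_close = False  # flips once </html> has been seen
        self.found = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-site src")
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("zero-size frame")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by css")
        if self.after_html_close:
            reasons.append("appended after </html>")
        self.found.append({"src": src, "reasons": reasons})


def find_suspicious_iframes(html_text, page_host):
    """Return the iframes that trip at least one heuristic."""
    parser = IframeFinder(page_host)
    parser.feed(html_text)
    parser.close()
    return [f for f in parser.found if f["reasons"]]


# Constructed sample page (not the real site's HTML): a harmless on-site
# banner iframe, then an iframe tacked on after </html> that pulls in the
# exploit page quoted in the thread.
SAMPLE_PAGE = """<html><head><title>Removal Tool</title></head>
<body>
<a href="http://www.removal-tool.com/malwarecrush/">Download</a>
<iframe src="http://www.removal-tool.com/banner.html" width="468" height="60"></iframe>
</body></html>
<iframe src="http://www.52gxy.cn/gua3.html" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "www.removal-tool.com"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The on-site banner iframe produces no reasons and is dropped; the trailing one trips all four heuristics. Run it against a saved copy of a page (feed the file contents and the page's own hostname) rather than against the live site, since fetching the page in a browser is exactly what triggers the exploit chain.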

tacktick
MIRT Hunter Premium Member
Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Sun Jan 13, 2008 7:50 pm
I scanned the payload.
Want me to listserv it?
Edit: listserved.
Code:
File data.exe received on 01.13.2008 20:44:25 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.12.10 2008.01.11 -
AntiVir 7.6.0.46 2008.01.11 HEUR/Malware
Authentium 4.93.8 2008.01.13 -
Avast 4.7.1098.0 2008.01.12 -
AVG 7.5.0.516 2008.01.13 Generic9.APLR
BitDefender 7.2 2008.01.13 -
CAT-QuickHeal 9.00 2008.01.12 -
ClamAV 0.91.2 2008.01.13 -
DrWeb 4.44.0.09170 2008.01.13 Trojan.Rox
eSafe 7.0.15.0 2008.01.13 suspicious Trojan/Worm
eTrust-Vet 31.3.5451 2008.01.11 -
Ewido 4.0 2008.01.13 -
FileAdvisor 1 2008.01.13 -
Fortinet 3.14.0.0 2008.01.13 -
F-Prot 4.4.2.54 2008.01.13 W32/BadBHO.A.gen!Eldorado
F-Secure 6.70.13030.0 2008.01.13 -
Ikarus T3.1.1.20 2008.01.13 -
Kaspersky 7.0.0.125 2008.01.13 -
McAfee 5205 2008.01.11 -
Microsoft 1.3109 2008.01.13 Virus:Win32/Xorer.A
NOD32v2 2788 2008.01.13 a variant of Win32/Xorer
Norman 5.80.02 2008.01.11 -
Panda 9.0.0.4 2008.01.13 Suspicious file
Prevx1 V2 2008.01.13 -
Rising 20.26.62.00 2008.01.13 -
Sophos 4.24.0 2008.01.13 Mal/Packer
Sunbelt 2.2.907.0 2008.01.12 -
Symantec 10 2008.01.13 -
TheHacker 6.2.9.186 2008.01.11 -
VBA32 3.12.2.5 2008.01.13 -
VirusBuster 4.3.26:9 2008.01.13 Packed/FSG
Webwasher-Gateway 6.6.2 2008.01.13 Heuristic.Malware
Additional information
File size: 94208 bytes
MD5: 19e6f947ec5aa3dbbe9829d76a7f6284
SHA1: bfb3fedf6fa810eb842af5683a381c469ed0227d
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

mrrockford
News Admin, AVPE Host
Joined: Apr 24, 2004 Posts: 3012
Posted: Sun Jan 13, 2008 11:53 pm
Tell me what these can do; I may have something on this machine now.

tacktick
MIRT Hunter Premium Member
Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Mon Jan 14, 2008 12:37 am
It may have worm capability (spread via network).
It does have rootkit capability: hides itself and interferes with some security tools.
HijackThis will show "dnsq.dll" in your AppInit_DLLs.
Also copies itself as lsass.exe and runs from the windows\system32\com directory (hidden).
If you do have it you will need to ask the HijackThis experts or reload the PC.
Let me know if you have any other questions.
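tacktick's indicators above (dnsq.dll in AppInit_DLLs, a copy of lsass.exe running out of windows\system32\com, startup.exe dropped into the startup folder) are all visible in a HijackThis log. The script below is an added example, not part of the thread and not HijackThis code; it applies those three checks to a constructed log written in HijackThis' style (a "Running processes:" list of full paths followed by the numbered O-lines; the exact O4 wording for startup-folder items is an assumption). The detail worth noting is the folder comparison: it is an exact match on system32 on purpose, because a prefix or "contains system32" check would wave through the system32\com sub-folder this sample hides in.

```python
"""Triage a HijackThis-style log for the indicators in this thread.

Added example, not part of the thread and not HijackThis code. The log is
constructed in HijackThis' style; the O4 wording for startup-folder
entries is assumed.
"""
import ntpath
import re

# Core Windows processes that only ever run from %SystemRoot%\system32 itself.
SYSTEM_ONLY = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
STARTUP_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

# Constructed sample log modelled on the indicators tacktick lists.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\system32\com\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: startup.exe
O20 - AppInit_DLLs: dnsq.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
"""


def triage(log_text):
    """Return (severity, indicator, evidence) tuples for the log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if re.match(r"[A-Za-z]:\\", line):
                folder, name = ntpath.split(line)
                # Exact folder match on purpose: system32\com must NOT pass.
                if name.lower() in SYSTEM_ONLY and folder.lower() != SYSTEM32:
                    findings.append(("high", "system process name outside system32", line))
                continue
            in_processes = False  # first non-path line ends the list
        m = re.match(r"O20 - AppInit_DLLs:\s*(.+)", line)
        if m:
            # Normally empty on XP; anything here is loaded into every GUI process.
            findings.append(("high", "AppInit_DLLs populated", m.group(1).strip()))
            continue
        m = re.match(r"O4 - (?:Global )?Startup:\s*(.+)", line)
        if m and m.group(1).lower().endswith(STARTUP_EXTS):
            findings.append(("medium", "executable in startup folder", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for sev, what, evidence in triage(SAMPLE_LOG):
        print(f"[{sev}] {what}: {evidence}")
```

Two of the three lsass/smss entries in the constructed list are legitimate and are left alone; only the two copies under system32\com are flagged, alongside the AppInit_DLLs value and the startup-folder executable.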

mrrockford
News Admin, AVPE Host
Joined: Apr 24, 2004 Posts: 3012
Posted: Mon Jan 14, 2008 2:49 am
Quote:
It does have rootkit capability, hides itself and interferes with some security tools.

That may have been why I had to step in and help ZA!
Ok here we go!

Cretem0nster
MIRT Hunter
Joined: Jul 02, 2005 Posts: 121 Location: USA
Posted: Tue Jan 15, 2008 9:30 am
Ewwww, that's pretty nasty, no safe boot left after it runs.
Autorun worms are a real pita!

Cretem0nster
MIRT Hunter
Joined: Jul 02, 2005 Posts: 121 Location: USA
Posted: Tue Jan 15, 2008 10:15 am
Included: install log + autoruns log + gmer log.
startup.exe is the file dumped into the All Users startup folder so the infection routine runs early in each startup.
Makes hidden file view near impossible while mal processes are running.
Attached archive is not pw protected.

AntiVir free:
[0] Archive type: ZIP
--> mal115/000.cfg0
[DETECTION] Is the Trojan horse TR/Xorer.E.2
--> mal115/037589.log
[DETECTION] Is the Trojan horse TR/Xorer.E.2
--> mal115/Antitool.exe
[DETECTION] Is the Trojan horse TR/PSW.OnlineGames.Mix.2
--> mal115/AUTORUN.inf
[DETECTION] Is the Trojan horse TR/Harnig.WA
--> mal115/dnsq.dll
[DETECTION] Contains suspicious code HEUR/Malware
--> mal115/lsass.exe
[DETECTION] Is the Trojan horse TR/Xorer.E.2
--> mal115/netcfg.000
[DETECTION] Is the Trojan horse TR/Xorer.G
--> mal115/netcfg.dll
[DETECTION] Is the Trojan horse TR/Xorer.G
--> mal115/pagefile.pif
[DETECTION] Is the Trojan horse TR/Xorer.E.2
--> mal115/smss.exe
[DETECTION] Is the Trojan horse TR/Xorer.E.2
--> mal115/startup.exe
[DETECTION] Is the Trojan horse TR/Xorer.E.2
[WARNING] The file was ignored!
End of the scan: Tuesday, January 15, 2008 05:08
Used time: 00:09 min
The scan has been done completely.
0 Scanning directories
23 Files were scanned
10 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
13 Files not concerned
1 Archives were scanned
1 Warnings
0 Notes

Kaspersky online:
Scanned file: mal115.zip - Infected
mal115.zip/mal115/000.cfg0 - OK
mal115.zip/mal115/000.cfg0 - OK
mal115.zip/mal115/000.cfg0 - OK
mal115.zip/mal115/037589.log - OK
mal115.zip/mal115/037589.log - OK
mal115.zip/mal115/037589.log - OK
mal115.zip/mal115/115 - Changes.txt - OK
mal115.zip/mal115/alg.exe - OK
mal115.zip/mal115/alg.exe - OK
mal115.zip/mal115/Antitool.exe - infected by Trojan-PSW.Win32.OnLineGames.mix
mal115.zip/mal115/AUTORUN.inf - OK
mal115.zip/mal115/AutoRuns.txt - OK
mal115.zip/mal115/comadmon.dll - OK
mal115.zip/mal115/comempty.dat - OK
mal115.zip/mal115/comexp.msc - OK
mal115.zip/mal115/comrepl.exe - OK
mal115.zip/mal115/comrereg.exe - OK
mal115.zip/mal115/dnsq.dll - OK
mal115.zip/mal115/dnsq.dll - OK
mal115.zip/mal115/dnsq.dll - OK
mal115.zip/mal115/gmer.txt - OK
mal115.zip/mal115/lsass.exe - OK
mal115.zip/mal115/lsass.exe - OK
mal115.zip/mal115/lsass.exe - OK
mal115.zip/mal115/mtsadmin.tsb - OK
mal115.zip/mal115/netcfg.000 - infected by Virus.Win32.Xorer.dd
mal115.zip/mal115/netcfg.dll - infected by Virus.Win32.Xorer.dd
mal115.zip/mal115/npf.sys - OK
mal115.zip/mal115/pagefile.pif - OK
mal115.zip/mal115/pagefile.pif - OK
mal115.zip/mal115/pagefile.pif - OK
mal115.zip/mal115/smss.exe - infected by Virus.Win32.Xorer.dq
mal115.zip/mal115/startup.exe - OK
mal115.zip/mal115/startup.exe - OK
mal115.zip/mal115/startup.exe - OK
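Cretem0nster's posts above cover the removable-drive side of this sample: AUTORUN.inf is itself detected, and the launch target is a file called pagefile.pif, named to blend in next to pagefile.sys. The parser below is an added example, not the thread's or any tool's code; SAMPLE_AUTORUN is constructed in the style such worms use and is not the file from this sample. It collects every program the file would launch (open=, shellexecute= and the shell\<verb>\command= overrides that hijack Explorer's Open and Explore entries) and states why each target looks hostile.

```python
"""Triage an autorun.inf: what would it launch, and why does that look hostile?

Added example, not from the thread. SAMPLE_AUTORUN is constructed in the
style of removable-drive worms; it is not the file from this sample.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
RISKY_EXTS = {"pif", "scr", "com", "bat", "cmd", "vbs"}
SYSTEM_LOOKALIKES = {"pagefile", "lsass", "smss", "csrss", "svchost", "winlogon"}

SAMPLE_AUTORUN = r"""[AutoRun]
; constructed sample, not the real file
icon=%SystemRoot%\system32\shell32.dll,4
open=pagefile.pif
shell\open=Open
shell\open\Command=pagefile.pif
shell\explore=Explore
shell\explore\Command=pagefile.pif
shellexecute=pagefile.pif
useautoplay=1
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Other sections and ';' comment lines are ignored."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() in ("[autorun]", "[autorun.amd64]")
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_targets(entries):
    """Map each program the file would run to the keys that launch it."""
    targets = {}
    for key, value in entries.items():
        if key in LAUNCH_KEYS or COMMAND_RE.match(key):
            v = value.strip()
            if v.startswith('"') and '"' in v[1:]:
                prog = v[1:v.index('"', 1)]      # quoted path, may contain spaces
            else:
                prog = v.split()[0] if v else ""  # first token, arguments dropped
            if prog:
                targets.setdefault(prog.lower(), []).append(key)
    return targets


def assess(text):
    """Reasons a responder would treat this autorun.inf as hostile."""
    reasons = []
    for prog, keys in sorted(launched_targets(parse_autorun(text)).items()):
        stem, _, ext = prog.rpartition(".")
        if ext in RISKY_EXTS:
            reasons.append(f"{prog}: runs a .{ext} rather than a plain .exe")
        if stem in SYSTEM_LOOKALIKES:
            reasons.append(f"{prog}: name mimics a Windows system file")
        verbs = sorted(k for k in keys if COMMAND_RE.match(k))
        if verbs:
            reasons.append(f"{prog}: hijacks Explorer verb(s) {', '.join(verbs)}")
    return reasons


if __name__ == "__main__":
    for reason in assess(SAMPLE_AUTORUN):
        print(reason)
```

The shell\<verb>\command overrides are the part worth checking even when open= looks clean: they fire when the user right-clicks the drive and picks Open or Explore, which is exactly what someone does to avoid autoplay.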

tacktick
MIRT Hunter Premium Member
Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Tue Jan 15, 2008 6:04 pm
How were you able to capture all the files it created?
I had a lot of trouble on my virtual machine because of the rootkit and files hiding. But I didn't spend a lot of time on it.

Cretem0nster
MIRT Hunter
Joined: Jul 02, 2005 Posts: 121 Location: USA
Posted: Wed Jan 16, 2008 3:43 am
Used the copy feature in latest GMER release. 