-
April 14th, 2004, 08:43 PM
#11
Wish I had more time to play with this, but ran an 'od -c' on the binary (was hoping to catch a look at what data was being passed to the particular calls, like gethostbyname, etc...).
Might look around in there and see if you can find a packed address that it is trying to connect to...
0167100 W S A F D I s S e t \0 \0 5 \0 a c
0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
0167140 7 \0 c l o s e s o c k e t \0 \0 \0
0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
0167200 t h o s t b y n a m e \0 E \0 h t
0167220 o n l \0 F \0 h t o n s \0 G \0 i n
0167240 e t _ a d d r \0 J \0 i o c t l s
0167260 o c k e t \0 \0 \0 K \0 l i s t e n
0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o
Anyone brave enough to try pulling this up in a debugger? I'd be real curious to know what
was at those memory blocks...I get the feeling it may be some kind of a trojan, or even a worm ... dunno, like I said, wish I had more time to play with it
EDIT: Since I don't really have time to mess with it, I submitted to securityresponse@symantec. I will post any feedback I get from them.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
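A way to pull those import names back out of such an od -c dump and sort them by what they are for, as an added example that is not from the original post. It assumes the dump was pasted with od's column padding collapsed to single spaces, as above, and the API groupings are my own triage table, not anything from the binary:

```python
import re
# Constructed sample: the 'od -c' excerpt quoted above, with od's column padding
# collapsed to single spaces (so literal space bytes cannot be recovered from it).
OD_DUMP = r"""
0167100 W S A F D I s S e t \0 \0 5 \0 a c
0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
0167140 7 \0 c l o s e s o c k e t \0 \0 \0
0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
0167200 t h o s t b y n a m e \0 E \0 h t
0167220 o n l \0 F \0 h t o n s \0 G \0 i n
0167240 e t _ a d d r \0 J \0 i o c t l s
0167260 o c k e t \0 \0 \0 K \0 l i s t e n
0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o
"""
# C escapes that 'od -c' emits; any other 3-digit token is an octal byte value.
ESCAPES = {r"\0": 0, r"\a": 7, r"\b": 8, r"\t": 9, r"\n": 10,
           r"\v": 11, r"\f": 12, r"\r": 13, r"\\": 92}
# Import names worth noticing in triage, grouped the way the thread reads them.
API_GROUPS = {
    "winsock": {"WSAFDIsSet", "WSAStartup", "accept", "bind", "closesocket",
                "connect", "gethostbyname", "htonl", "htons", "inet_addr",
                "ioctlsocket", "listen", "recv", "select", "send", "socket"},
    "registry": {"RegCreateKeyExA", "RegOpenKeyExA", "RegQueryValueExA",
                 "RegSetValueExA", "RegCloseKey"},
}

def parse_od_c(text):
    """Rebuild raw bytes from 'od -c' output; the first token of a line is the offset."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:
            if tok in ESCAPES:
                out.append(ESCAPES[tok])
            elif len(tok) == 3 and all(c in "01234567" for c in tok):
                out.append(int(tok, 8))
            elif len(tok) == 1:
                out.append(ord(tok))
            else:
                raise ValueError("unexpected od -c token: %r" % tok)
    return bytes(out)

def extract_strings(data, min_len=4):
    """Printable-ASCII runs; names split across dump lines (ac|cept) come back whole."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]

def triage(text):
    found = set(extract_strings(parse_od_c(text)))
    return {group: sorted(found & names) for group, names in API_GROUPS.items()}
```

The single characters between the names (5, 6, 7, ...) are the import hint bytes and drop out below the minimum length; the trailing "Co" is cut off by the end of the excerpt.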
-
April 14th, 2004, 09:49 PM
#12
Hey all - this 100% sounds like the newer version of the CWS trojan. Try to kill it by running CWShredder in safe mode. The file name is random I believe and will mutate if overly harassed. Here's what the experts are recommending:
1) Boot into safe mode
2) Run HijackThis but don't check anything to be fixed yet
3) Run CWShredder (make sure you have the newest version!!)
4) In HijackThis select the offending file and "fix" it.
Your problem should have cleared up by then. Good luck!
-
April 14th, 2004, 10:09 PM
#13
Otherwise Disturb,
Boot into safe mode and go into the "immunise" bit of SpyBot S&D............check the boxes to protect your homepage and IE settings.
It just might work?
Cheers
-
April 14th, 2004, 10:38 PM
#14
next CWShredder.. it errored halfway through and closed out..
we tried CWShredder after renaming the file.. and no detection..
here is a copy of his HJT log BEFORE we moved and renamed the file:
Logfile of HijackThis v1.97.7
Scan saved at 8:06:58 PM, on 14/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ScannerU\AM32.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Downloads\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kingsofchaos.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.kingsofchaos.com/"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...034.0635532407
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
NOTE: Changed the UserName to XX-RENAMED-XX:
It seems that Flashget has the Istbar parasites, not sure about the Av he is using as well..
He claims that it is a week since any new software has been installed.. If that log was mine there would be a few removals, I never liked Incredimail after Yaha walked straight past AVG and NAV (5 machines), and yet on machines I tested that were using OL or OLEXP the email scan stopped the bug..
Have also submitted the file to Symantec..
It seemed just renaming the file in safemode was enough to stop activity..
And please, PLEASE, if you decide to play with these files:
DON'T do it on a production machine (ie one that it will take days to recover and/or you don't want to lose valuable data)
DO so on a test machine that is not connected to a network.
And if something goes wrong.. you are prepared for the worst
Next time I do this sort of a post I will remember to post the above warning..
Work is calling..
Cheers guys.. and thanks to those who have had a look
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
April 14th, 2004, 10:46 PM
#15
well, I did run it through what I had for scanners and nothing comes up.. I tried w32dasm, and when I try and open it.. w32dasm shuts down but it very well could be related to the problems I have with this box..
meeeeeee, you've seen evidence (or posts somewhere) with CWS's install/run files being random ? hmmmm.. well, it does look like it should be submitted to a number of places.
I think I may take a fresh hard drive, install an os.. put registryprot on it and then try running the file to see what entries it tries to throw in the registry.. maybe let it infect a bit as well.
as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.
193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws
edit : we posted at around the same time..
kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?
-
April 14th, 2004, 10:53 PM
#16
Undies:
Next time I do this sort of a post I will remember to post the above warning..
I'm going to make a "Catch comment" here......
Bollocks, (that's my own unique interpretation.... ), let them learn!!!! You don't go up and slap a Lion in the face simply because "it's just a big pussy cat" do you? If they are here to learn security then they will learn more from the mistakes they make than they will listening to old farts reminiscing about how (l)user A screwed up their system by some little piece of stupidity. Pain, (in the format c: category), taught me a lot of what I know..... There's a lot of good advice here about how to "play" with "funny stuff'..... they should probably read more before they start messing with stuff they clearly don't understand.....
That's my story.... and I'm sticking to it.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 14th, 2004, 10:58 PM
#17
sounds like a worm to me. that string set reveals a few things:
send - possibly to send itself
socket - to open a Windows socket
CoCreateInstance - create another instance of itself
GetSystemDirectoryA - why would it want system directory and temp directory? infection?
GetTempPathA
OpenMutexA - creates a mutex every time it runs, like MSBlaster, so as not to waste time reinfecting a machine. if it has the mutex, move on.
Sleep - wait to check if there's an available internet connection
wsock32.dll - needed for internet connection
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
All of the registry keys are to assist in starting the prog upon system boot.
It looks like a typical worm, but with a couple of treats for your pleasure. I believe there may be a trojan attached, and malicious intent for your data. Submit it to Symantec, and someone should open this in a debugger, I have a test box to mess with tonight, so I can dig around a bit. It doesn't have internet, so it shouldn't be too bad.
Geek isn't just a four-letter word; it's a six-figure income.
-
April 14th, 2004, 10:59 PM
#18
(to tiger and others about the warning)
yeah.. but he DID warn everyone in his first post.. that was enough in my book..
-
April 14th, 2004, 11:25 PM
#19
as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.
193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws
kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?
I don't know what I was thinking opening that
now I'm really going to sound stupid: how do I do this?
-
April 14th, 2004, 11:40 PM
#20
Disturb: This is the basis of your problem.... You ran something with no monitor on it that was probably going to do "bad" things and now you don't know what to do.....
At this point you need to use regedit to search for every individual string sumdum put up there and if they come up examine the entry and chose to delete it or not....
Your problem... sorry... silly move in the first place.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
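One way to do the lookup the post above describes, against a saved HijackThis log rather than clicking through regedit: pull every URL out of the log and check its host against the CWS site list from post #15. This is an added example, not from the thread; CWS_SITES is a subset of that list, and the two flagged log lines are constructed for the demonstration:

```python
import re
from urllib.parse import urlparse

# Subset of the CWS-associated sites listed earlier in the thread; entries ending in
# "." (coolwebsearch., coolwwwsearch.) are meant to match any top-level domain.
CWS_SITES = [
    "193.125.201.50", "66.250.130.194", "1stpagehere.com", "cool-web-search.com",
    "coolwebsearch.", "coolwwwsearch.", "couldnotfind.com", "defaultsearch.net",
    "search.xrenoder.com", "searchv.com", "slotch.com", "super-spider.com",
]

# Constructed sample: the two real start-page lines from the posted log, plus two
# made-up hijacked entries so the matcher has something to flag.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kingsofchaos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cool-web-search.com/search.php?q=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://coolwebsearch.net/"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\prefs.js)
"""

URL_RE = re.compile(r"https?://[^\s\"')]+")

def host_matches(host, entry):
    """Exact host or subdomain for normal entries; any TLD for entries ending in '.'."""
    host = host.lower()
    if entry.endswith("."):
        return entry[:-1] in host.split(".")
    return host == entry or host.endswith("." + entry)

def hijacked_entries(log_text, indicators=CWS_SITES):
    """Return (hjt_section, host, matched_indicator) for each URL line pointing at an indicator."""
    hits = []
    for line in log_text.splitlines():
        section = line.split(" - ", 1)[0].strip()   # R0, R1, N3, O16, ...
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            for entry in indicators:
                if host_matches(host, entry):
                    hits.append((section, host, entry))
                    break
    return hits
```

The kingsofchaos.com lines come back clean, which is the answer to the question asked in post #15: a start page pointing at a game site is not on its own a hijack.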