** Ok What could this Be? **

[nebulus200]

Wish I had more time to play with this, but ran an 'od -c' on the binary (was hoping to catch a look at what data was being passed to the particular calls, like gethostbyname, etc...

Might look around in there and see if you can kind a packed address that it is trying to connect to...

0167100 W S A F D I s S e t \0 \0 5 \0 a c
0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
0167140 7 \0 c l o s e s o c k e t \0 \0 \0
0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
0167200 t h o s t b y n a m e \0 E \0 h t
0167220 o n l \0 F \0 h t o n s \0 G \0 i n
0167240 e t _ a d d r \0 J \0 i o c t l s
0167260 o c k e t \0 \0 \0 K \0 l i s t e n
0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o

Anyone brave enough to try pulling this up in a debugger? I'd be real curious to know what
was at those memory blocks...I get the feeling it may be some kind of a trojan, or even a worm ... dunno, like I said, wish I had more time to play with it

EDIT: Since I don't really have time to mess with it, I submitted to securityresponse@symantec. I will post any feedback I get from them.

/nebulus

[meeeeeee]

Hey all - this 100% sounds like the newer version of the CWS trojan. Try to kill it by running CWShredder in safe mode. The file name is random I believe and will mutate if overly harassed. Here's what the experts are recomending:

1) Boot into safe mode
2) Run HijackThis but don't check anything to be fixed yet
3) Run CWShredder (make sure you have the newest version!!)
4) In HijackThis select the offending file and "fix" it.


Your problem should have cleared up by then. Good luck!

[nihil]

Otherwise Disturb,

Boot into safe mode and go into the "immunise" bit of SpyBot S&D............check the boxes to protect your hompage and IE settings.

It just might work?

Cheers

[Und3ertak3r]

next CWShredder.. it errored half way through and closed out..

we tried CWShredder after renaming the file.. and no detection..

here is a copy of his HJT log BEFORE we moved and renamed the file:

Logfile of HijackThis v1.97.7
Scan saved at 8:06:58 PM, on 14/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ScannerU\AM32.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Downloads\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kingsofchaos.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.kingsofchaos.com/"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...034.0635532407
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab

NOTE: Changed the UserNAme to XX-RENAMED-XX:

It seems that Flashget has the Istbar parasites, not sure about the Av he is using as well..

HE Claims that it is a week since any new software has been installled.. If that log was mine there would be a few removals, I never liked Incredimail after Yaha walked straight past AVG and NAV (5 machines), and yet machines I tested that were using OL or OLEXP the email scann stopped the bug..

HAve also submitted the file to Symantec..

It seemed just renaming the file in safemode was enough to stop activity..

And please PLEASE If you decide to play with these files,:
DONT do it on a production Machine (ie one that it will take dayes to recover and or you don't want to lose valuable data)
DO so on a TEst machine that is not connected to a Network.
And if something goes wrong.. you are prepared for the worst

NExt time I do this sort of a post I will remember to post the above warning..

Work is calling..

Cheers guys.. and thanks to those who have had a look

[sumdumguy]

well, I did run it through what I had for scanners and nothing comes up.. I tried w32dasm, and when I try and open it.. w32dasm shuts down but it very well could be related to the problems I have with this box..

meeeeeee, you've seen evidence (or posts somewhere) with CWS's install/run files being random ? hmmmm.. well, it does look like it should be submitted to a number of places.
I think I may take a fresh hard drive, install an os.. put registryprot on it and then try running the file to see what entries it tries to throw in the registry.. maybe let it infect a bit as well.

as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.

193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws


edit : we posted at around the same time..

kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?

[Tiger Shark]

Undies:

NExt time I do this sort of a post I will remember to post the above warning..

I'm going to make a "Catch comment" here......

Bollocks, (that's my own unique interpretation.... ), let them learn!!!! You don't go up and slap a Lion in the face simply because "it's just a big pussy cat" do you? If they are here to learn security then they will learn more from the mistakes they make than they will listening to old farts reminiscing about how (l)user A screwed up their system by some little piece of stupidity. Pain, (in the format c: category), taught me a lot of what I know..... There's a lot of good advice here about how to "play" with "funny stuff'..... they should probably read more before they start messing with stuff the clearly don't understand.....

Thats my story.... and I'm sticking to it.....

[AxessTerminated]

sounds like a worm to me. that string set reveals a few things:
send - possibly to send itself
socket - to open a Windows socket
CoCreateInstance - create another instance of itself
GetSystemDirectoryA - why would it want system directory and temp directory? infection?
GetTempPathA
OpenMutexA - creates a mutex everytime it runs, like MSBlaster, so as not to waste time reinfecting a mchine. if it has the mutex, move on.
Sleep - wait to check if theres an available internet connection
wsock32.dll - needed for internet connection
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
All of the registry keys are to assist in starting the prog upon system boot.
It looks like a typical worm, but with a couple of treats for your pleasure. I believe there may be a trojan attached, and malicious intent for your data. Submit it to Symantec, and someone should open this in a debugger, I have a test box to mess with tonight, so I can dig around a bit. It doesn't have internet, so it shouldn't be too bad.

[sumdumguy]

(to tiger and others about the warning)

yeah.. but he DID warn everyone in his first post.. that was enough in my book..

[disturb]

[i] as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.

193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws




kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?
[/B]

I dont know what i was thinking opening that

now im realy going to sound stupid :how do i do this

[Tiger Shark]

Disturb: This is the basis of your problem.... You ran something with no monitor on it that was probably going to do "bad" things and now you don't know what to do.....

At this point you need to use regedit to search for every individual string sumdum put up there and if they come up examine the entry and chose to delete it or not....

Your problem... sorry... silly move in the first place.....