** Ok What could this Be? ** - Page 2
Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 40

Thread: ** Ok What could this Be? **

  1. #11
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Wish I had more time to play with this, but ran an 'od -c' on the binary (was hoping to catch a look at what data was being passed to the particular calls, like gethostbyname, etc...

    Might look around in there and see if you can kind a packed address that it is trying to connect to...

    0167100 W S A F D I s S e t \0 \0 5 \0 a c
    0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
    0167140 7 \0 c l o s e s o c k e t \0 \0 \0
    0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
    0167200 t h o s t b y n a m e \0 E \0 h t
    0167220 o n l \0 F \0 h t o n s \0 G \0 i n
    0167240 e t _ a d d r \0 J \0 i o c t l s
    0167260 o c k e t \0 \0 \0 K \0 l i s t e n
    0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
    0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
    0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o
    Anyone brave enough to try pulling this up in a debugger? I'd be real curious to know what
    was at those memory blocks...I get the feeling it may be some kind of a trojan, or even a worm ... dunno, like I said, wish I had more time to play with it

    EDIT: Since I don't really have time to mess with it, I submitted to securityresponse@symantec. I will post any feedback I get from them.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #12
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Hey all - this 100% sounds like the newer version of the CWS trojan. Try to kill it by running CWShredder in safe mode. The file name is random I believe and will mutate if overly harassed. Here's what the experts are recomending:

    1) Boot into safe mode
    2) Run HijackThis but don't check anything to be fixed yet
    3) Run CWShredder (make sure you have the newest version!!)
    4) In HijackThis select the offending file and "fix" it.


    Your problem should have cleared up by then. Good luck!

  3. #13
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Otherwise Disturb,

    Boot into safe mode and go into the "immunise" bit of SpyBot S&D............check the boxes to protect your hompage and IE settings.

    It just might work?

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #14
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    next CWShredder.. it errored half way through and closed out..
    we tried CWShredder after renaming the file.. and no detection..

    here is a copy of his HJT log BEFORE we moved and renamed the file:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:06:58 PM, on 14/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Telstra\Toolbar\bpumTray.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ScannerU\AM32.exe
    C:\Program Files\keyexp\KEYEXP.EXE
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Downloads\HijackThis.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kingsofchaos.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kingsofchaos.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.kingsofchaos.com/"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XX-RENAMED-XX\Application Data\Mozilla\Profiles\default\mtl86eg6.slt\prefs.js)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...034.0635532407
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab

    NOTE: Changed the UserNAme to XX-RENAMED-XX:

    It seems that Flashget has the Istbar parasites, not sure about the Av he is using as well..

    HE Claims that it is a week since any new software has been installled.. If that log was mine there would be a few removals, I never liked Incredimail after Yaha walked straight past AVG and NAV (5 machines), and yet machines I tested that were using OL or OLEXP the email scann stopped the bug..

    HAve also submitted the file to Symantec..

    It seemed just renaming the file in safemode was enough to stop activity..

    And please PLEASE If you decide to play with these files,:
    DONT do it on a production Machine (ie one that it will take dayes to recover and or you don't want to lose valuable data)
    DO so on a TEst machine that is not connected to a Network.
    And if something goes wrong.. you are prepared for the worst

    NExt time I do this sort of a post I will remember to post the above warning..

    Work is calling..

    Cheers guys.. and thanks to those who have had a look
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #15
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    well, I did run it through what I had for scanners and nothing comes up.. I tried w32dasm, and when I try and open it.. w32dasm shuts down but it very well could be related to the problems I have with this box..

    meeeeeee, you've seen evidence (or posts somewhere) with CWS's install/run files being random ? hmmmm.. well, it does look like it should be submitted to a number of places.
    I think I may take a fresh hard drive, install an os.. put registryprot on it and then try running the file to see what entries it tries to throw in the registry.. maybe let it infect a bit as well.

    as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.

    193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws


    edit : we posted at around the same time..

    kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Undies:

    NExt time I do this sort of a post I will remember to post the above warning..
    I'm going to make a "Catch comment" here......

    Bollocks, (that's my own unique interpretation.... ), let them learn!!!! You don't go up and slap a Lion in the face simply because "it's just a big pussy cat" do you? If they are here to learn security then they will learn more from the mistakes they make than they will listening to old farts reminiscing about how (l)user A screwed up their system by some little piece of stupidity. Pain, (in the format c: category), taught me a lot of what I know..... There's a lot of good advice here about how to "play" with "funny stuff'..... they should probably read more before they start messing with stuff the clearly don't understand.....

    Thats my story.... and I'm sticking to it.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #17
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    351
    sounds like a worm to me. that string set reveals a few things:
    send - possibly to send itself
    socket - to open a Windows socket
    CoCreateInstance - create another instance of itself
    GetSystemDirectoryA - why would it want system directory and temp directory? infection?
    GetTempPathA
    OpenMutexA - creates a mutex everytime it runs, like MSBlaster, so as not to waste time reinfecting a mchine. if it has the mutex, move on.
    Sleep - wait to check if theres an available internet connection
    wsock32.dll - needed for internet connection
    RegCreateKeyExA
    RegCloseKey
    RegOpenKeyExA
    RegQueryValueExA
    RegSetValueExA
    All of the registry keys are to assist in starting the prog upon system boot.
    It looks like a typical worm, but with a couple of treats for your pleasure. I believe there may be a trojan attached, and malicious intent for your data. Submit it to Symantec, and someone should open this in a debugger, I have a test box to mess with tonight, so I can dig around a bit. It doesn't have internet, so it shouldn't be too bad.
    Geek isn't just a four-letter word; it's a six-figure income.

  8. #18
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    (to tiger and others about the warning)

    yeah.. but he DID warn everyone in his first post.. that was enough in my book..

  9. #19
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    [i] as far as I know, these are the known sites that are connected with CWS.. so Und3ertak3r, or disturb.. see if any of these are found in the registry/ IE's start page.

    193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws




    kingsofchaos.com.... huh ? that's just a game.. so it's not a hijacker ?
    [/B]
    I dont know what i was thinking opening that

    now im realy going to sound stupid :how do i do this

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Disturb: This is the basis of your problem.... You ran something with no monitor on it that was probably going to do "bad" things and now you don't know what to do.....

    At this point you need to use regedit to search for every individual string sumdum put up there and if they come up examine the entry and chose to delete it or not....

    Your problem... sorry... silly move in the first place.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides