Help me investigate trojan from 206.58.237.248
Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: Help me investigate trojan from 206.58.237.248

  1. #1
    Junior Member
    Join Date
    Oct 2004
    Posts
    14

    Question Help me investigate trojan from 206.58.237.248

    A while ago, I started noticing strange behavior in Internet Explorer. Whenever I did a search with Google, my search results would be modified to include extra links that I know Google would not return. When using View Source, as I suspected, the extra links were not in the HTML source.

    I ran my AV and several spyware programs, which weren't able to detect anything wrong. So then I started to look for suspicious processes running and found one - kbdus.exe (probably random filename). I found the program in my System directory, and determined it to be the Win32/SillyDl trojan. I then did a search with another AV program that detects this trojan, eTrust, and found a copy of SillyDl.AT in my Temporary Internet Files called 77_156_i.abc.

    I checked the date that this file was created and searched my computer for other files created on the same date. I found two files, both called "update", in my Temporary Internet Files. When reading these files, the contents of the first one is "none" and the other reads "dl=http://206.58.237.248/content/77_156_i.abc". Apparently, the DNS for this IP corresponds to update.requestlookup.net.

    I guessing it's some kind of rogue search engine. However, I am suspicious that SillyDl is not the only trojan on my computer and it may have dropped some other trojans, backdoors or spyware into my system. I'd like to find out what. I'd also like to know exactly how this trojan got on my system. I assume it was some Windows/IE exploit, but I system should have all the recent MS patches on it.

    Anyone familiar with this, or have any suggestions?

  2. #2
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    here is what symantec says about this virus (which they call download.trojan):

    http://securityresponse.symantec.com...ad.trojan.html

    just as a reccomendation to you, i would switch to using firefox and also i would make sure your virus protection is updated...
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  3. #3
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Yeah, my virus protection was updated when I did the scan.

    According to Symantec:
    Download.Trojan does the following:

    Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
    After the Trojan downloads the files, it executes them.
    What I'd like to know is what it downloaded and executed on my system.

  4. #4
    You're right, you've probably got bigger problems, I'd advise that you do a harder clean of your system. It will eliminate the possibility of any malware that is known to the vendors. After that, if you still have problems, let us know and we can help you out.

    Follow this doc:
    http://www.antionline.com/attachment...achmentid=4913

    Make sure you follow the steps accurately, especially when it explains updating.

    [off topic]
    If anyone has any problems with me practically whoring this link, let me know. I've noticed myself linking it a lot more, I don't want anyone to think it's spamming. I think it's a good walkthrough, and I have had a lot of success with the non-malware literate. If anyone has any edit ideas for it, I'll be glad to make those changes.
    [/offtopic]

  5. #5
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Well, as I mentioned in the first post, I've done pretty much everything in that list. I hacen't tried scanning my system in Safe Mode yet, but I somehow doubt it'll turn up anything new. Still, I'll give it a shot.

  6. #6
    The reason safe mode is different from booting up normally, is because it forces Windows to boot up bare bones. The reason malware is able to escape scanners, is because it is running code to avoid them. By booting up in safe mode, or going even further and using a boot disc, you are able to scan the files when they aren't being executed. There is a chance that you're infections are not handled by the vendors, I do see that happening more and more often (especially w/ hijackers).

    We will be able to handle whatever malware you have, it's just that we don't want to spend our time working on something that is handled by a malware signature. It's safer to let a scanner do it, than to have us work on it manually.

    Good luck, malware rarely escapes safe mode!

  7. #7
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Yeah, I know.

    Even in Safe Mode with the latest definitions, I don't think I've found what I'm looking for.

    Search & Destroy found nothing. AdAware found a CAB file with SyncroAdX.dll in it, but I don't think this is infecting my system. My AV found Worm/Rbot.LD.1 (in prompt[1].htm) and JS/MediaTickets.B (in mtrslib2[1].js) but I've looked at both of these, and I don't think that they infected my system either.

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    what are you using as a virus scanning program??
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  9. #9
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Switching to firefox, though a good idea won't fix this in my opinion. We have been noticing a lot of the download.trojan coming through emails actually embedded in the messages. Get some decent AV and spyware removal. ClamAV on linux picks this up and cleans it out great.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    ClamAV on linux picks this up and cleans it out great.
    Wouldn't that suggest that he use Linux then instead of Windows? Given that he is a home user (general assumption on my part based on the first post) this may not be a practical option. Perhaps it would be better to suggest using a non-IE based browser and an email program that users can disable HTML rendering in emails received (I would imagine Thunderbird or Eudora having these capabilities) amongst the other standard programs (AV, spyware, process listers, hijack listers, etc) that would be needed.

    As for detecting trojans, one of the ol' standbys might help TheCleaner. I have found that it finds many trojans that AVs tend to miss.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides