-
April 18th, 2005, 08:19 AM
#11
Junior Member
> I’m complaining about false advertising (which yes, I know is the point of a Trojan in the first place).
hehe man don't be gay, you can run Ethereal and check whether that program contains any hidden thing or not. What do you mean by false advertising? It just displays the PS, that is all, it won't do any other things.
-
April 18th, 2005, 01:09 PM
#12
Interesting ....
When downloading this file Trend detects Troj_Prostor.A
When searching Trend's site for that ( or variations thereof ) I got NO hits.
But the link that the AV discloses ( TROJ_PROSTOR.A ) says
TROJ_PROSTOR.A is a Trojan horse program, a malware that has no capability to spread into other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.
It might just use similar ( or stolen ) code? I think more in-depth research would be needed to determine whether it is malicious or not, which I do not have time to do ( and probably don't have the ability either ).
As far as br0nd goes .... Yes, I negged him!
br0nd, You may ( or may not ) be the admin of that site, and when you are there you can do as you or the admin wishes, but when you are here keep your skiddie language and attitude to yourself!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
April 18th, 2005, 01:17 PM
#13
My thoughts exactly IKnowNot. Here is what Symantec had to say about what it detected:
PWSteal.Refest does the following when it is executed:
1. Creates a dll file in the %System% directory. This file has a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.
Note: %System% is a variable. The Trojan locates the System folder and creates a dll in that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Installs the dll as a Browser Helper Object, so that it is loaded every time Internet Explorer starts. To do this, it creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}
and sets the value
(Default) = %System%\<random name>.dll
in the registry key
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}\InProcServer32.
The {<random clsid>} is a random value of the form, {########-####-####-####-############}, for example, {380b99b4-5f7d-7791-b8ef-499d848499e6}.
3. The dll monitors outgoing https connections to the following websites:
4. When Internet Explorer makes an HTTP POST request to one of these domains (for example, when the user submits a web form at a bank site), the Trojan also sends the information to a cgi script at www.refestltd.com.
If I can get time and a test box together I can test it with a sniffer, but in the meantime I think I'll take Symantec's word over a l33t 5p3@king sci99tk177y.
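The Symantec write-up above describes the persistence mechanism: a DLL with a random lower-case name in %System%, registered as a Browser Helper Object through a CLSID whose InProcServer32 (Default) value points at it. The following PowerShell script is an added example, not part of the thread or Symantec's write-up; it enumerates BHOs registered under HKLM and flags any whose DLL matches the name pattern, location and 45056-byte size quoted in the post. The output fields and the Authenticode check are my own additions.

```powershell
# Added example: audit Internet Explorer Browser Helper Objects under HKLM and flag
# DLLs matching the PWSteal.Refest description quoted above (random name of up to
# 8 lower-case letters directly in %System%, 45056 bytes). Run from an elevated shell.

$bhoKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$systemDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

if (-not (Test-Path $bhoKey)) {
    Write-Output "No Browser Helper Objects key present under HKLM."
    return
}

Get-ChildItem -Path $bhoKey | ForEach-Object {
    $clsid  = $_.PSChildName                   # e.g. {380b99b4-5f7d-7791-b8ef-499d848499e6}
    $inproc = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"
    $dll    = $null
    if (Test-Path $inproc) {
        # The (Default) value of InProcServer32 is the DLL Internet Explorer will load.
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
    }

    $suspicious = $false
    $reason     = @()
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $name     = [IO.Path]::GetFileName($expanded)
        $dir      = [IO.Path]::GetDirectoryName($expanded)

        # Random-looking name of up to 8 lower-case letters, living directly in %System%.
        if ($name -match '^[a-z]{1,8}\.dll$' -and $dir -ieq $systemDir) {
            $suspicious = $true; $reason += 'random-looking name in System directory'
        }
        if ((Test-Path $expanded) -and (Get-Item $expanded).Length -eq 45056) {
            $suspicious = $true; $reason += 'size 45056 bytes'
        }
        # An unsigned in-process server DLL in %System% deserves a second look regardless.
        if ((Test-Path $expanded) -and (Get-AuthenticodeSignature $expanded).Status -ne 'Valid') {
            $reason += 'no valid Authenticode signature'
        }
    } else {
        $reason += 'CLSID has no InProcServer32 (dangling BHO registration)'
    }

    [PSCustomObject]@{
        CLSID      = $clsid
        Dll        = $dll
        Suspicious = $suspicious
        Notes      = ($reason -join '; ')
    }
} | Format-Table -AutoSize
```

A BHO flagged here is only a lead; confirm with the file's hash and vendor write-up before removing anything, since legitimate BHOs also live in %System%.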
-
April 18th, 2005, 01:43 PM
#14
Junior Member
ok sorry for my bad language, well I can say only this, the PS explorer you downloaded from that site didn't contain any malware, it won't drop any things
also the source of that program is available in my article at codeproject
http://www.thecodeproject.com/tools/HirPStorage.asp
compile it and Symantec will say the same I hope
heheh, so now what do you guys think??
-
April 18th, 2005, 02:27 PM
#15
The code looks legit, but I don’t have VC6 on a box yet so I have not compiled it. For those that do not wish to register with thecodeproject.com I’ve attached the source to this post.
-
April 18th, 2005, 02:59 PM
#16
Guys, when you build it make sure you set the active configuration to Release so you don’t get the error about __imp__InitCommonControls@0
The binary I compiled does not set off Symantec and it works fine. I’ll attach it to this post.
However, the two exes in http://www.elitec0ders.net/ps1.0.zip both report as trojans:
Ps.exe reports as: PWSteal.Tarno
Psgui.exe reports as: PWSteal.Refest
So something seems to be up with that.
-
April 18th, 2005, 04:21 PM
#17
Junior Member
> compiled code detected as trojan
> antifumo 2:35 2 Dec '04
> Nice... McAfee VirusScan 7 detects the compiled software as a virus! (but only if compiled in release mode)
> http://www.thecodeproject.com/tools/...672#xx985672xx
well I don't know what happened to Symantec now, but just understand this: AV detects the trojans, backdoors by looking at their signatures, I mean the strings in the exe or some part of code. Well I didn't think there is a point for arguing on this issue, the exe you downloaded is in your hand, and you just need to run one sniffer and check, it won't take much time, just 5 min,
or you can use Filemon, and see if it is dropping any file on the PC,
5 min testing is more valuable than arguing and blaming others like this,
so, take out the network plug, and just test. And if you see anything happening on the sniffer, then blame me, I will accept what you are saying
-
April 18th, 2005, 04:39 PM
#18
Well, clearly the source you linked to is not the same as the binaries on your site. If I get the time to set up a test system I may find out more, but I’m not running those binaries on any of my current systems. The version I compiled works fine, thanks for the source. By the way, what is your native language?
-
April 18th, 2005, 04:46 PM
#19
br0nd, have you checked your code to see if someone has tampered with it?
-
April 18th, 2005, 04:55 PM
#20
Junior Member
yes the source is the same, and nobody changed it, the thing is the source at codeproject contains an icon, and the exe downloaded from elitecoders is compiled without an icon (I deleted the icon to make the exe small),
just adding one icon is enough to make an exe undetectable by AV hehe
try compiling in release mode after deleting the icon, maybe the AV will detect it,
English is not my native language, hehe, my English sucks