Newsgroup Spam - Virus?
Page 1 of 1
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 03:07    Post subject: Newsgroup Spam - Virus?
So.. It's late, I wasn't paying attention and bam, I go and run what seems to be a virus on my machine.

Recently a large number of files similar to the one shown below have been uploaded to newsgroups, does anyone know what they actually are?

[08733/16719] - "Max_Payne_RS_UP_FREE_DOWNLOADER.rar" yEnc 8.9 KB

It was something along these lines that I installed. Despite the virus scan being clean, Process Explorer showing nothing and no newly added startup scripts/programs.. I'm concerned.

Thoughts?
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 04:09    Post subject:
Gay, after some hex editing I found that it's a password stealer made by codesoft.

It does the following..
Quote:

Steal Settings:
PW Messenger Packet Status

MSN Messenger
Windows Messenger
Yahoo Messenger (version 5.x and 6.x)
Google Talk
ICQ Lite 4.x/5.x/2003
ICQ 6 (bug-fixed since v0.50)
AOL Instant Messenger/Netscape 7
Trillian
Miranda
GAIM

PW Mail Packet

Outlook Express
Microsoft Outlook 2000/XP/2003/2007
IncrediMail
Mozilla Thunderbird
Netscape 6.x/7.x
Group Mail Free, Gmail
Yahoo Mail
MSN Messenger
Hotmail / MSN Mail
Eudora

Protected Storage PW Packet

Outlook passwords
Auto-completed passwords in IE
Password-protected sites in IE
MSN Explorer passwords

Firefox PW Packet

Firefox version 1.x passwords
Firefox version 2.x passwords
Firefox version 3.x passwords (added since v0.50)

Network PW Packet

Dial-up passwords (Internet and VPN)
Login passwords of remote computers
Passwords from Exchange mailboxes
IE7: password-protected web sites
Remote Desktop passwords (from version 6.0)

FTP PW Packet

CoreFTP passwords
Quick 'n Easy FTP passwords
FlashFXP 3.x passwords
FileZilla Client 3.x passwords
Broker FTP client
FTP Control passwords
Ipswitch WS_FTP client passwords

Steam PW Packet

Steam username
Steam password

Game Key Stealer (extended since v0.50)

Battlefield 1942
Battlefield 1942 Secret Weapons Of WWII
Battlefield 1942 The Road To Rome
Battlefield Vietnam
Black and White
Call of Duty
Call of Duty 2
Call of Duty 4
Crysis
Chrome
Command and Conquer Generals
Command and Conquer Generals: Zero Hour
Command and Conquer Red Alert 2
Command and Conquer Red Alert
Command and Conquer Tiberian Sun
Command and Conquer 3 Kane's Wrath
Counter-Strike
FarCry
FIFA 2002
FIFA 2003
FIFA 2004
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007 Nightfire
Legends of Might and Magic
Microsoft Windows 2000/XP keys
Microsoft Office 2000 / XP / 2003 / 2007 product keys
Medal of Honor Allied Assault
Medal of Honor Allied Assault: Breakthrough
Medal of Honor Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NBA LIVE 2003
NBA LIVE 2004
Need For Speed Hot Pursuit 2
Need For Speed Underground
NHL 2002
NHL 2003
NHL 2004
NOX
Rainbow Six III RavenShield
Shogun Total War Warlord Edition
Soldiers Of Anarchy
The Gladiators
The Sims Deluxe
The Sims Hot Date
The Sims House Party
The Sims Livin' Large
The Sims Superstar
The Sims Unleashed
The Sims Vacation
The Sims
Unreal Tournament 2003
Unreal Tournament 2004
Neverwinter Nights (Shadows of Undrentide)
The Gladiators
Freedom Force

Security Settings:
Attribute Changer

Hidden files
Read-only files
System files
Archived files
Encrypted files

[+] Sandbox detection
[+] Kaspersky detection
[+] Kaspersky killer
[+] Virtual PC & VMware detection
[+] Anti-Anubis
[+] Melt stub
[+] Crypt FTP/mail settings
[+] Crypt PW file


Spreading Settings: (added since v0.50)
[+] MSN spreading
[+] AIM5 spreading
[+] USB spreading
Peer2Peer spreading

Via Kazaa
Via eDonkey2000
Via BearShare
Via eMule
Via LimeWire

Main Settings:
[+] FTP upload incl. check function
[+] Mail sending incl. check function


PW Viewer:
[+] Decrypt single PW file
[+] Decrypt multiple PW files
[+] Save PW file


Icon Changer:
[+] Supports *.ico & *.exe
[+] 18 selectable icons


Custom stuff:
[+] Builder
[+] Save & load settings from the builder
[+] About


I am not happy.. although I'm unsure if the version I was hit with even works on Vista! So I may find I'm OK.. Going to change all my passwords and re-install just to be sure!
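The hex-editor look that turned up the builder's name above is the same thing strings(1) does, plus a pass over the results for anything that looks like drop-server settings. This is an added example, not code from the thread or from the builder it describes: SAMPLE is a constructed byte blob standing in for an unpacked stub (the banner text, "ftp.example.invalid" host and "logdrop" account are made up), and the verdict logic encodes the point the thread arrives at, that a stub whose builder offers "Crypt FTP/Mail Settings" may show its FTP verbs in cleartext while the actual password only appears on the wire.

```python
"""Triage an unpacked stub: extract readable strings (ASCII and UTF-16LE) and
flag the ones that look like exfiltration settings or protocol code.

Added example, not from the forum thread or the builder it describes.
SAMPLE is constructed; host, account and banner are made up.
"""
import re

MIN_LEN = 5

# Order matters: the first pattern that matches decides the category.
CRED_PATTERNS = [
    ("ftp_url",   re.compile(r"ftp://([^:/@\s]+)(?::([^@\s]*))?@([^/\s]+)", re.I)),
    ("email",     re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("kv",        re.compile(r"^(host|server|user|username|login|pass|password|pwd|port)\s*[=:]\s*\S+$", re.I)),
    ("ftp_verb",  re.compile(r"^(USER|PASS|STOR|CWD|PASV|PORT) ")),
    ("smtp_verb", re.compile(r"^(EHLO|HELO|AUTH LOGIN|MAIL FROM|RCPT TO)\b")),
]


def ascii_strings(data, min_len=MIN_LEN):
    """Yield (offset, encoding, text) for runs of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")


def utf16le_strings(data, min_len=MIN_LEN):
    """Same for printable ASCII stored as UTF-16LE, which strings(1) misses
    without -el and which Windows stubs use for much of their config."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf16", m.group().decode("utf-16le")


def extract_strings(data, min_len=MIN_LEN):
    return sorted(list(ascii_strings(data, min_len)) + list(utf16le_strings(data, min_len)))


def find_exfil_settings(strings):
    """Tag each string with the first credential/protocol pattern it matches."""
    hits = []
    for off, _enc, text in strings:
        for kind, pat in CRED_PATTERNS:
            if pat.search(text):
                hits.append((off, kind, text))
                break
    return hits


def triage(data):
    strings = extract_strings(data)
    findings = find_exfil_settings(strings)
    kinds = {kind for _, kind, _ in findings}
    has_cleartext_pw = "ftp_url" in kinds or any(
        kind == "kv" and re.match(r"(pass|password|pwd)\b", text, re.I)
        for _, kind, text in findings)
    if has_cleartext_pw:
        verdict = "cleartext drop credentials in the file"
    elif kinds & {"ftp_verb", "smtp_verb"}:
        verdict = ("FTP/SMTP code present but no cleartext password; "
                   "settings likely encrypted, capture the connection instead")
    else:
        verdict = "no exfiltration strings found (packed, encrypted, or not this kind of stub)"
    return {"strings": strings, "findings": findings, "verdict": verdict}


# Constructed stand-in for an unpacked stub (not a real binary).
SAMPLE = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    + b"Unlimited PW Stealer Stub v0.50\x00"                 # builder banner (made up)
    + b"USER %s\r\n\x00PASS %s\r\n\x00STOR %s\r\n\x00TYPE I\r\n\x00"
    + "Host=ftp.example.invalid\x00".encode("utf-16le")       # UTF-16LE config strings
    + "User=logdrop\x00".encode("utf-16le")
    + bytes(range(0x80, 0x100)) * 4                           # stands in for the encrypted settings block
    + b"pwdump.txt\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for off, kind, text in result["findings"]:
        print(f"{off:#08x} {kind:9s} {text}")
    print(result["verdict"])
```

Run it and the output is the host and account from the UTF-16 config plus the FTP verbs, and a verdict that the password itself is not in the clear, which is exactly the situation where the next step is a sniffer rather than more hex editing.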
Lutzifer
Modzilla



Posts: 12740
Location: ____________________ **** vegan zombie **** GRRAAIIINNSS _______
PostPosted: Sat, 1st Nov 2008 04:21    Post subject:
wow, that really sucks O_O
zipfero




Posts: 8938
Location: White Shaft
PostPosted: Sat, 1st Nov 2008 04:22    Post subject:
PWNZORED

in other words: sucks. :(


8 out of 10 dentists prefer zipfero to competing brands(fraich3 and Mutantius)!
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 04:31    Post subject:
Yeah I'm pretty pissed off! Even more pissed off that Steam won't let me change my god damn password without logging back onto my computer that's fucking infected.. stupid thing..

Don't you worry though, I'll find the person who did it and get some revenge..
Lutzifer
Modzilla



Posts: 12740
Location: ____________________ **** vegan zombie **** GRRAAIIINNSS _______
PostPosted: Sat, 1st Nov 2008 04:49    Post subject:
Have you used a TCP/IP traffic sniffer to see if it even breached your other computer's firewall and got out of your network?
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 15:01    Post subject:
Lutzifer wrote:
Have you used a TCP/IP traffic sniffer to see if it even breached your other computer's firewall and got out of your network?


My next step is to first re-install the machine. Whilst I don't think the "trojan" is persistent, I can't be 100% sure as it might be hiding inside of a process, so the best bet is to just kill everything. Once I've done that I'm going to re-install and do some further research into the binary.. If nothing more can be found that way I'll go down the re-running and packet sniffing route to see where the traffic is going and how it is getting there.
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 16:17    Post subject:
Got him.. stole his username/pass creds for the FTP that the logs get uploaded to, grabbed them all and deleted them.
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 16:40    Post subject:
Mmm.. it seems he got my Googlemail, MSN, Steam and an FTP server password (all of which got changed right away). Also got my COD4 CD key. Nothing to worry about though, as even if he did download the file last night everything was changed right away.

I've emailed his FTP provider informing them of his activities. I will also be keeping an eye on the FTP for the next few days to see if anything else pops up. I'm pretty sure the program isn't persistent now, but I'm going to do a re-install anyway to be sure.
DeMoN064




Posts: 1308

PostPosted: Sat, 1st Nov 2008 19:39    Post subject:
haha very good :D

You could also try Google searching the username and check if he has any accounts elsewhere, and use his password to log in to those accounts and close them down or whatever to piss him off more :P
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 19:44    Post subject:
Already did ;)! Didn't find anything though. The FTP password has been changed, so the guy clearly found out someone had grabbed the files. Oh well, his host provider should be riding up his ass soon enough ;).. More importantly, as the password was hard-coded into the trojan, they will no longer work!
DeMoN064




Posts: 1308

PostPosted: Sat, 1st Nov 2008 19:55    Post subject:
Ah ok, did you find the password using a hex editor or did you sniff it out?
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 20:10    Post subject:
Sniffed it, pretty badly done tbh, should have used SFTP ;)..
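Lutzifer's sniffer suggestion and the answer above that the drop credentials were sniffed rather than read out of the file both rest on one fact: the FTP control channel is cleartext, so whoever watches the infected box's traffic sees USER and PASS exactly as the stub sends them, whether or not the builder encrypted them inside the binary. The parser below is an added example, not code from the thread. CAPTURE is a constructed client (C) / server (S) exchange standing in for what a sniffer would show during one log upload; the server banner, "logdrop" account, "hunter2" password, 203.0.113.10 endpoint and file name are all made up. It also handles the two things a one-line-per-packet parser gets wrong: multi-line replies ("220-") and a TCP segment boundary landing in the middle of a command.

```python
"""Recover the login, PASV endpoint and uploaded file name from a captured
FTP control-channel conversation.

Added example, not from the forum thread. CAPTURE and CAPTURE_REJECTED are
constructed exchanges; every host, account, password and path is made up.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FtpSession:
    banner: str = ""
    user: str = ""
    password: str = ""
    login_ok: bool = False
    uploads: list = field(default_factory=list)
    data_endpoints: list = field(default_factory=list)   # (ip, port) announced by PASV


# ("C", ...) = stub -> drop server, ("S", ...) = drop server -> stub.
CAPTURE = [
    ("S", b"220-Welcome to the drop\r\n220 ProFTPD ready\r\n"),
    ("C", b"USER logdrop\r\n"),
    ("S", b"331 Password required for logdrop\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"230 User logdrop logged in\r\n"),
    ("C", b"TYPE I\r\n"),
    ("S", b"200 Type set to I\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (203,0,113,10,195,80)\r\n"),
    ("C", b"STOR logs/VICTIM-PC_20081101.txt\r\n"),
    ("S", b"150 Opening BINARY mode data connection\r\n226 Transfer complete\r\n"),
    ("C", b"QUIT\r\n"),
    ("S", b"221 Goodbye\r\n"),
]

# Same stub after the drop password was changed: the hard-coded one still goes over the wire.
CAPTURE_REJECTED = [
    ("S", b"220 ProFTPD ready\r\n"),
    ("C", b"USER logdrop\r\n"),
    ("S", b"331 Password required for logdrop\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"530 Login incorrect\r\n"),
]


def resegment(capture, n):
    """Re-chunk every payload into n-byte pieces to mimic arbitrary TCP segment boundaries."""
    return [(d, p[i:i + n]) for d, p in capture for i in range(0, len(p), n)]


def parse_ftp_control(capture):
    s = FtpSession()
    buf = {"C": b"", "S": b""}       # per-direction reassembly buffers
    pending = None                   # last client verb, to pair replies with commands
    for direction, payload in capture:
        buf[direction] += payload
        while b"\r\n" in buf[direction]:
            raw, buf[direction] = buf[direction].split(b"\r\n", 1)
            line = raw.decode("latin-1")
            if direction == "C":
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    s.user = arg
                elif verb == "PASS":
                    s.password = arg
                elif verb == "STOR":
                    s.uploads.append(arg)
                pending = verb
                continue
            code = line[:3]
            if not code.isdigit():
                continue             # middle line of a multi-line reply
            if code == "220" and not s.banner:
                s.banner = line[4:]  # first line of the greeting, "220-" or "220 "
            if len(line) > 3 and line[3] == "-":
                continue             # multi-line reply, final line still to come
            if pending == "PASS":
                s.login_ok = code == "230"
            if code == "227":
                m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
                if m:
                    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                    s.data_endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return s


if __name__ == "__main__":
    s = parse_ftp_control(CAPTURE)
    print(f"{s.user}:{s.password} -> {s.banner!r}, login_ok={s.login_ok}")
    print("uploads:", s.uploads, "data endpoints:", s.data_endpoints)
```

The rejected capture is the state of play after the operator rotated the password: the stub keeps announcing the old credential in the clear, which is why a hard-coded FTP login is a liability for the attacker as much as for the victim, and why the "should have used SFTP" remark is the right one.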
tainted4ever
VIP Member



Posts: 11336

PostPosted: Sat, 1st Nov 2008 23:32    Post subject:
[sYn] wrote:
Sniffed it, pretty badly done tbh, should have used SFTP ;)..
Pfft, be a real man next time and do it in a hex editor or Notepad :D Sounds like a lame trojan, not even packed... and no encrypted communications. Then again, it's targeted at lame people so... good idea to go after his FTP login. That never crossed my mind before. I think I'll go grab some malware samples now and get me some free CD keys :D
DeMoN064




Posts: 1308

PostPosted: Sat, 1st Nov 2008 23:49    Post subject:
tainted4ever wrote:
Sounds like a lame trojan, not even packed...


It must have been if AV software never picked it up?
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Sat, 1st Nov 2008 23:58    Post subject:
Nup, AV didn't pick it up. I'm still kicking myself for running the damn thing; I was tired though, it had been a long day. Nanoseconds after I had clicked I knew it wasn't what I wanted.. It seems that once every few years I make a mistake like this, and in between them I never run into any viruses or issues.. Gah.. Oh well.
DeMoN064




Posts: 1308

PostPosted: Sun, 2nd Nov 2008 00:22    Post subject:
[sYn] wrote:
Nup, AV didn't pick it up.


Sounds like he used some sort of packer.. I would run it through VirusTotal - http://www.virustotal.com/ and see what it picks up.

Normally gives you some additional information to show what it's actually packed with.
tainted4ever
VIP Member



Posts: 11336

PostPosted: Sun, 2nd Nov 2008 02:29    Post subject:
DeMoN064 wrote:
tainted4ever wrote:
Sounds like a lame trojan, not even packed...


It must have been if AV software never picked it up?
AVs these days are shit. They can't pick up jack from the homebrew, and their unpacking engines either flag packed exes as false positives (which fucks up devs and consumers) or fail to unpack exes protected with the default settings of a protector that has been around and been studied for years (such as Themida).


Last edited by tainted4ever on Sun, 2nd Nov 2008 02:33; edited 1 time in total
tainted4ever
VIP Member



Posts: 11336

PostPosted: Sun, 2nd Nov 2008 02:30    Post subject:
DeMoN064 wrote:
[sYn] wrote:
Nup, AV didn't pick it up.


Sounds like he used some sort of packer.. I would run it through VirusTotal - http://www.virustotal.com/ and see what it picks up.

Normally gives you some additional information to show what it's actually packed with.
I don't think it's packed, since [sYn] said he could read the strings when he hex-edited the binary...
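Whether the stub is packed, the question DeMoN064 and tainted4ever go back and forth on, can be settled locally without VirusTotal or a sandbox: packed or encrypted sections have near-random byte distributions (entropy close to 8 bits per byte) and often carry a tell-tale section name, while plain compiler output sits well below that. The check below is an added example, not code from the thread. Instead of reading real files it builds two minimal PE images inline with a small helper (no optional header, which the parser tolerates because it honours SizeOfOptionalHeader): one with ordinary low-entropy code and string data, one whose body is a single high-entropy UPX1 section as a packer leaves it. The 7.0 threshold and the short list of packer section names are conventional heuristics, not a rule the thread states.

```python
"""Per-section entropy check to answer "is this PE packed?".

Added example, not from the forum thread. build_pe() constructs the two
sample images; a real triage would read the file from disk instead.
"""
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by a few common packers/protectors.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".themida", ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2", ".petite"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed/encrypted data sits near 8


def entropy(buf):
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Return [(name, raw_bytes)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # section table follows the optional header
    out = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
    return out


def assess(data):
    sections = [{"name": n, "size": len(raw), "entropy": round(entropy(raw), 3)}
                for n, raw in pe_sections(data)]
    total = sum(s["size"] for s in sections) or 1
    high = sum(s["size"] for s in sections if s["entropy"] > HIGH_ENTROPY) / total
    packer_names = sorted(s["name"] for s in sections if s["name"] in PACKER_SECTION_NAMES)
    verdict = "likely packed" if packer_names or high > 0.5 else "probably not packed"
    return {"sections": sections, "high_entropy_fraction": round(high, 3),
            "packer_names": packer_names, "verdict": verdict}


def build_pe(sections):
    """Minimal PE image: DOS header, COFF header, section table, 512-byte aligned raw data."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_off = (e_lfanew + len(coff) + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body, va = b"", b"", 0x1000
    for name, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"), len(raw), va,
                             size, raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size, b"\x00")
        va += (max(size, 1) + 0xFFF) & ~0xFFF
    return (dos + coff + table).ljust(raw_off, b"\x00") + body


# Constructed section contents (not taken from any real binary).
CODE = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x8b\xe5\x5d\xc3\x90" * 128   # 2 KiB of repetitive x86
RDATA = b"GetProcAddress\x00LoadLibraryA\x00USER %s\r\n\x00PASS %s\r\n\x00STOR %s\r\n\x00" * 8
PACKED = b"".join(hashlib.sha256(b"pseudo-random %d" % i).digest() for i in range(128))  # 4 KiB, near 8 bits/byte

UNPACKED_PE = build_pe([(".text", CODE), (".rdata", RDATA)])
PACKED_PE = build_pe([("UPX0", b""), ("UPX1", PACKED)])

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED_PE), ("packed", PACKED_PE)):
        print(label, assess(image))
```

On the unpacked image every section stays far below the threshold and the verdict is "probably not packed", which matches tainted4ever's reasoning that readable strings in a hex editor mean no packer; on the UPX-style image the name and the entropy both trip it. The empty UPX0 section (where the unpacker later maps the real code) is the edge case that makes the entropy function guard against a zero-length buffer.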
$en$i
VIP Member



Posts: 3127

PostPosted: Sun, 2nd Nov 2008 23:15    Post subject:
[sYn] wrote:
AV didn't pick it up.
Weird, this is a somewhat old trojan made with Unlimited PW Stealer. Avast detects it.
Page 1 of 1 All times are GMT + 1 Hour
NFOHump.com Forum Index - Applications