[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1939 - 2 msgs

From: RMueller (randallm_at_fidmail.com)
Date: 09/29/04

  • Next message: Sune Kloppenborg Jeppesen: "[Full-Disclosure] [ GLSA 200409-35 ] Subversion: Metadata information leak"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 29 Sep 2004 14:17:51 -0500
    hi,
    First, there are no files there on the upload site. Second, it sucks to be
    you right now! :) I googled and searched for everything I could think of and
    found nothing. Do you have anything that will let you know if a program
    attempts to connect out???

     --__--__--
     
     Message: 2
     Date: Wed, 29 Sep 2004 17:37:28 +0200
     From: "eNs!feRuM*" <ensiferum@hispeed.ch>
     To: full-disclosure@lists.netsys.com
     Subject: [Full-Disclosure] Spyware? Worm? Trojan? "face license free bait"
     
     Hello the list !
     
     I found something VERY VERY STRANGE on my computer last evening...
     While looking for spyware on my computer using HijackThis, I saw this
     strange line :
     
     O4 - HKLM\..\Run: [Free Bait Cool Dash] C:\Documents and Settings\All
     Users\Application Data\face license free bait\GREYSEND.exe
     
     Here is the content of "face license free bait" :
     
     - a locked file (unable to delete it!!) called "locksadminbash", size :
     3536, crc32 : 6A65964A, set as "system file" and of type "Driver" (how
     could an extension-less file be recognized by Windows as a "driver" ?!?!)
     - two locked programs called "GREYSEND.EXE" and "METAPOLL.EXE", same
     size : 272966, same crc32 : 70370FFB
     
     Yesterday evening, when I first saw this directory, there was another
     file called "HOLE NAME.EXE" in the same directory (and METAPOLL), same
     size, and I could delete it.
     
     
     While writing these lines I found two other *** directories :'(
     
     C:\PROGRA~1\Corn Internet Soft
     
     Filename Size CRC-32
     C5EDFC35 1060 92EE5B2C [set as system files]
     cemaylou.exe 272966 70370FFB (other name it has taken :
     nxkkxpjy.exe, greyend.exe, metapoll.exe)
     HOLE NAME.exe 240663 A2325E7C
     logduperoad.exe 9970 25C7A91D
     seek barb regs win.exe 47616 D41BE72E (other name it has taken :
     batbodypokeextra.exe)
     
     
     C:\PROGRA~1\upload admin bind
     
     Filename Size CRC-32
     DELETE PLAY.exe 15526 95665A33
     
     And I'm unable to delete any of these files !! They are not displayed in
     taskmgr, and :
     
     --
     PsKill v1.03 - local and remote process killer
     Copyright (C) 2000 Mark Russinovich
     http://www.sysinternals.com
     
     Unable to kill process cemaylou.exe:
     Process does not exist.
     --
     
     I've tried to sniff all these exe names using tools from SysInternals
     but I can't find any of these o_o !!
     
     Here is a list of all the word-parts that this "thing" uses:
     
     face, license, free, bait, grey, send, locks, admin, bash, meta, poll,
     hole, name, cemaylou (single word?), log, dupe, road, seek, barb, regs,
     win, upload, bind, delete, play, corn, internet, soft, cool, dash, bat,
     body, poke, extra.
     
     
     What the hell is going on on my computer ?? Is Big Brother watching me ? =)
     
     I've uploaded these files on:
     
     http://swun.free/helpplease/
     
     Thank you very much indeed for your help.. and sorry for my really bad
     English.
     
     ++ eNs!feRuM*
     
     --__--__--
     
    thanks
    Randall

    ___________________________________________________________
    Fidelity Communications Webmail - http://webmail.fidnet.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
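A small triage script, added here as an example and not part of the original thread, that parses HijackThis O4 lines like the one quoted above, notes when the autorun target sits in a data directory, and computes the target file's size and CRC-32 so they can be compared with the figures in the post. The directory heuristic, the demo() sample file and the names parse_o4/triage are my own assumptions.

```python
import os
import re
import tempfile
import zlib

# HijackThis O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# CRC-32 values quoted in the post (the 272966-byte EXEs and "locksadminbash")
KNOWN_BAD_CRC32 = {0x70370FFB, 0x6A65964A}
# Locations where a machine-wide Run entry deserves a second look (my heuristic)
SUSPECT_DIRS = ("\\application data\\", "\\programdata\\", "\\temp\\")

def parse_o4(line):
    """Split an O4 line into (hive, value name, command); None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return None if m is None else (m.group("hive"), m.group("name"), m.group("cmd"))

def file_crc32(path):
    """Unsigned CRC-32 of a file, the same figure the post lists for each file."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def triage(line):
    """Describe one O4 entry: {'name', 'cmd', 'size', 'crc32', 'reasons'} or None."""
    parsed = parse_o4(line)
    if parsed is None:
        return None
    _hive, name, cmd = parsed
    path = cmd.strip('"')  # the post's entry is an unquoted path containing spaces
    info = {"name": name, "cmd": cmd, "size": None, "crc32": None, "reasons": []}
    if any(d in path.lower().replace("/", "\\") for d in SUSPECT_DIRS):
        info["reasons"].append("autorun target lives in a data directory")
    if os.path.isfile(path):  # hash only what is actually present on disk
        info["size"] = os.path.getsize(path)
        info["crc32"] = file_crc32(path)
        if info["crc32"] in KNOWN_BAD_CRC32:
            info["reasons"].append("CRC-32 matches a file from the report")
    return info

def demo():
    """Constructed sample: a throwaway file registered the way the post's O4 entry is."""
    tmp = os.path.join(tempfile.gettempdir(), "Application Data", "demo.exe")
    os.makedirs(os.path.dirname(tmp), exist_ok=True)
    with open(tmp, "wb") as fh:
        fh.write(b"hello")  # zlib.crc32(b"hello") == 0x3610A686
    return triage("O4 - HKLM\\..\\Run: [Demo] " + tmp)
```

Feed it the O4 lines from a HijackThis log and compare the reported CRC-32 of anything flagged against the values in the post before deciding whether the file is the same one.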
