Re: New Trojan?
From: Brad Germany (b.germany_at_mchsi.com)
Date: 06/30/04
- Previous message: Chris Moody: "RE: Which Windows OS is Safest (fwd)"
- Maybe in reply to: Okiwaso: "Re: New Trojan?"
- Next in thread: nee cee: "Re: New Trojan?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-basics@securityfocus.com> Date: Tue, 29 Jun 2004 22:49:56 -0500
Since you've gone to this much effort it sounds like you've probably checked
your hosts file in <OS drive:\windows\system32\drivers\etc\ directory, but
you didn't write it down as having done that so I'm suggesting that if you
haven't that you do.
Brad
----- Original Message -----
From: "Jeff" <Jeff@Not_A_Real_Address.com>
To: <security-basics@securityfocus.com>
Sent: Monday, June 28, 2004 14:14
Subject: New Trojan?
> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not bee removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to thier
> ** old tricks with it's Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here) like anything that
> anyone has seen before!
>
> Jeff
>
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
-- > --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
- Previous message: Chris Moody: "RE: Which Windows OS is Safest (fwd)"
- Maybe in reply to: Okiwaso: "Re: New Trojan?"
- Next in thread: nee cee: "Re: New Trojan?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
