Re: New Trojan?

• Previous message: Lauren Ward: "RE: New Trojan?"
• Maybe in reply to: Okiwaso: "Re: New Trojan?"
• Next in thread: Greg Bur: "Re: New Trojan?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <security-basics@securityfocus.com>
Date: Thu, 1 Jul 2004 00:03:53 -1000

In thinking about where your boy may have gone (don't be too hard on him...it really -is- a nasty world out there),
I'd install a program like this:

http://www.definitivesolutions.com/bhodemon.htm

and see what it reports. Might not be a bad idea to leave it running for that matter.

--Michael

----- Original Message -----
From: "Jeff" <Jeff@Not_A_Real_Address.com>
To: <security-basics@securityfocus.com>
Sent: Monday, June 28, 2004 9:14 AM
Subject: New Trojan?

> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not bee removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to thier
> ** old tricks with it's Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here) like anything that
> anyone has seen before!
>
> Jeff

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: Lauren Ward: "RE: New Trojan?"
• Maybe in reply to: Okiwaso: "Re: New Trojan?"
• Next in thread: Greg Bur: "Re: New Trojan?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]