RE: New Trojan?
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 07/01/04
- Previous message: Nelson Santos: "Re: Port 80 open without WebServer"
- In reply to: vrsnet_at_pandora.be: "Re: New Trojan?"
- Next in thread: efrén serrano: "Use logs from nmap"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <vrsnet@pandora.be>, <security-basics@securityfocus.com>
Date: Thu, 1 Jul 2004 10:41:58 -0700
> 1)Check your host file %windir%\system32\drivers\etc\hosts
> and lmhost.sam
The 'hosts.sam' and 'lmhosts.sam' files are SAMples, included
with the OS, of what live content in a 'hosts' or 'lmhosts' file
could look like. DO NOT bother checking the .sam versions of
these files, since the OS ignores them!
David Gillett
> -----Original Message-----
> From: vrsnet@pandora.be [mailto:vrsnet@pandora.be]
> Sent: Saturday, November 20, 2004 3:54 PM
> To: security-basics@securityfocus.com
> Subject: Re: New Trojan?
>
>
> 1)Check your host file %windir%\system32\drivers\etc\hosts
> and lmhost.sam
> 2)If that doesn't help do a search in the windir for files
> !containing! the url (best option is to search for netidentity.com)
> These will be mostly like this: hjkfqshkfjqh.xxx
> Then use wholockme or foundstone tools or filemonitor to
> find out which programs run or use these files.
> success
>
> ----- Original Message -----
> From: "Jeff" <Jeff@Not_A_Real_Address.com.telenet-ops.be>
> To: <security-basics@securityfocus.com>
> Sent: Monday, June 28, 2004 8:14 PM
> Subject: New Trojan?
>
>
> > PLEASE READ ... I feel violated and need much help, if not for
> > the PC, for my nerves.
> >
> > The PC is a WinXP box, fully patched, routinely checked with
> > Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> > use Thunderbird 0.6 and Firefox 0.8. All other family members
> > run Thunderbird on this box. IE6 has not been removed but is
> > fully patched.
> >
> > Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> > is running. (I purposely purchased the licenses at work for
> > our home users also so that they WOULD stay up to date -- a
> > practice I learned from Sprint a long, long time ago.)
> >
> > I use a Netgear FVS318 to interface to my Verizon DSL account.
> >
> > The events as they happened.
> >
> > 1. My son read his email via the web. It included e-cards.
> > He read them. Doesn't remember where they took him, nor
> > does he remember if he used IE6 or Firefox.
> >
> > 2. Long screaming session about things TO do and things NOT
> > to do while on the internet. 278th time. Disabled his account.
> >
> > 3. Mis-typing a URL will now take me automatically to
> > www.netidentity.com with the mistaken URL clearly
> > identified inside. Identical results on IE6 and Firefox.
> > Java and Javascript are disabled on Firefox. I leave IE6
> > alone because I use it when I absolutely must go to some
> > bogus activex site, oh, and windowsupdate. But I don't use
> > it otherwise. I always use Firefox.
> >
> > URLs that caused this include: mapblast, mapquest, abc, def
> > ... through xyz.
> >
> > Please note: I had typed "mapblast" but had hit Enter rather
> > than Ctrl-Enter, by mistake. The URLs entered are literally
> > those listed, just the word.
> >
> > They are then transformed to http://mapblast/
> >
> > 4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
> > updates and the entire system was scanned. Nothing found.
> >
> > ** My immediate thought was that Network Solutions was up to their
> > ** old tricks with its Site Finder business. A quick check of
> > ** another PC in the house eliminated that.
> >
> > 5. I checked my syslogs and NULL routed the IP address being used
> > to access www.netidentity.com. The same page comes up sans the
> > graphics and the flash. The web page is still there though, just
> > looking sad. Another check of the syslogs brings up 64.15.175.5
> > as generating the pages, an open proxy.
> >
> > 6. Also ran HiJackThis and went through ALL of the items on it.
> > Nada. Couldn't find the IP addresses or domain names in the
> > registry. I also ran them in reverse notation. Nada.
> >
> > 7. Checked my network settings to make certain that some new DNS
> > server wasn't stuck in. Nope, still set to use the Netgear box.
> > Put 4 different DNS servers in -- still get that stupid site.
> >
> > 8. That was all at lunchtime. Haven't had a chance to run netstat
> > or Ethereal to gain any additional clues.
> >
> > ZOIKS!!!
> >
> > The PC is off. But NOT knowing what is going on is driving
> > me insane.
> >
> > So while I <ahem> work this afternoon, I thought I would see if any
> > of this sounds, smells or <insert fav sense here> like anything that
> > anyone has seen before!
> >
> > Jeff
> >
> >
> >
> >
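The hosts-file check suggested in this thread, written out as an added example that is not part of any poster's message: the script parses a Windows hosts file (the content below is constructed sample data), flags any name mapped to a non-loopback address, and confirms that only the file literally named `hosts` is read by the resolver, while `hosts.sam` and `lmhosts.sam` are never consulted. The paths and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed sample hosts file (not taken from the thread). The two
# 203.0.113.10 lines are the kind of entry the thread is hunting for:
# mistyped names silently sent to a third-party address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.mapblast.com mapblast   # planted redirect
203.0.113.10    www.mapquest.com
::1             localhost
"""

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def is_live_hosts_file(path: str) -> bool:
    """True only for the file the resolver actually reads.

    hosts.sam and lmhosts.sam are OS-supplied samples and are ignored,
    so auditing them tells you nothing about name resolution.
    """
    return PureWindowsPath(path).name.lower() == "hosts"


def parse_hosts(text: str):
    """Yield (ip, [hostnames]) for each active mapping; comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        yield ip, names


def suspicious_entries(text: str):
    """Return mappings that send a name to a non-loopback address.

    A typical home PC maps only 'localhost' to loopback; any public
    name pointed elsewhere deserves a look.
    """
    return [(str(ip), names) for ip, names in parse_hosts(text)
            if not any(ip in net for net in LOOPBACK_NETS)]
```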