RE: New Trojan?

From: Steven Hess (shess_at_tampabay.rr.com)
Date: 07/01/04

    To: <security-basics@securityfocus.com>
    Date: Wed, 30 Jun 2004 18:13:24 -0400

    If it is a CoolWebSearch variant - they might not be able to get to
    the merijn website. It can block access. You can download a scanner
    and removal tool - CWS Shredder - at
    http://www.lurkhere.com/~nicefiles/ It is a download mirror for the
    merijn website.

    Steven Hess

    -----Original Message-----
    From: Brian Lund [mailto:brianlund@gmail.com]
    Sent: Tuesday, June 29, 2004 2:48 PM
    To: security-basics@securityfocus.com
    Subject: Re: New Trojan?

    On further reflection, this sounds a lot like Cool Web Search, a
    really annoying piece of spyware with many variants that is very fond
    of redirecting you to search pages and the like. If it is a new
    variant, it's unique in the fact that it affects Firefox as well, my
    guess is it's a Windows instead of IE thing, but you never know.

    If it would help at all, check out the following page about CWS,
    http://www.spywareinfo.com/~merijn/cwschronicles.html...and good
    luck, it's a bugger to get rid of.

    On Mon, 28 Jun 2004 15:14:38 -0400, Jeff
    <jeff@not_a_real_address.com> wrote:
    >
    > PLEASE READ ... I feel violated and need much help, if not for the
    > PC, for my nerves.
    >
    > The PC is a WinXP box, fully patched, routinely checked with Spybot
    > 1.3 and AdAware 6. I run SpywareBlaster as well. I also use
    > Thunderbird 0.6 and Firefox 0.8. All other family members run
    > Thunderbird on this box. IE6 has not been removed but is fully
    > patched.
    >
    > Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is
    > running. (I purposely purchased the licenses at work for our home
    > users also so that they WOULD stay up to date -- a practice I
    > learned from Sprint a long, long time ago.)
    >
    > I use a Netgear FVS318 to interface to my Verizon DSL account.
    >
    > The events as they happened.
    >
    > 1. My son read his email via the web. It included e-cards.
    > He read them. Doesn't remember where they took him, nor
    > does he remember if he used IE6 or Firefox.
    >
    > 2. Long screaming session about things TO do and things NOT
    > to do while on the internet. 278th time. Disabled his account.
    >
    > 3. Mis-typing a URL will now take me automatically to
    > www.netidentity.com with the mistaken URL clearly
    > identified inside. Identical results on IE6 and Firefox.
    > Java and Javascript are disabled on Firefox. I leave IE6
    > alone because I use it when I absolutely must go to some
    > bogus activex site, oh, and windowsupdate. But I don't use
    > it otherwise. I always use Firefox.
    >
    > URLs that caused this include: mapblast, mapquest, abc, def
    > ... through xyz.
    >
    > Please note: I had typed "mapblast" but had hit Enter rather
    > than Ctrl-Enter, by mistake. The URLs entered are literally
    > those listed, just the word.
    >
    > They are then transformed to http://mapblast/
    >
    > 4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
    > updates and the entire system was scanned. Nothing found.
    >
    > ** My immediate thought was that Network Solutions was up to their
    > ** old tricks with its Site Finder business. A quick check of
    > ** another PC in the house eliminated that.
    >
    > 5. I checked my syslogs and NULL routed the IP address being used
    > to access www.netidentity.com. The same page comes up sans the
    > graphics and the flash. The web page is still there though, just
    > looking sad. Another check of the syslogs brings up 64.15.175.5
    > as generating the pages, an open proxy.
    >
    > 6. Also ran HiJackThis and went through ALL of the items on it.
    > Nada. Couldn't find the IP addresses or domain names in the
    > registry. I also ran them in reverse notation. Nada.
    >
    > 7. Checked my network settings to make certain that some new DNS
    > server wasn't stuck in. Nope, still set to use the Netgear box.
    > Put 4 different DNS servers in -- still get that stupid site.
    >
    > 8. That was all at lunchtime. Haven't had a chance to run netstat
    > or Ethereal to gain any additional clues.
    >
    > ZOIKS!!!
    >
    > The PC is off. But NOT knowing what is going on is driving me
    > insane.
    >
    > So while I <ahem> work this afternoon, I thought I would see if any
    > of this sounds, smells or <insert fav sense here> like anything
    > that anyone has seen before!
    >
    > Jeff
    >
    > ---------------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get
    > $545 off any course! All of our class sizes are guaranteed to be 10
    > students or less to facilitate one-on-one interaction with one of
    > our expert instructors. Attend a course taught by an expert
    > instructor with years of in-the-field pen testing experience in our
    > state of the art hacking lab. Master the skills of an Ethical
    > Hacker to better assess the security of your organization. Visit us
    > at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > ---------------------------------------------------------------------------
    >
    >

    --
    Brian Lund
    PGP Key ID: A18C0BA8 (1024/2048 | DSA/ELG)
    PGP Fingerprint: F358 F84F 0219 5F2D 66BC C416 7BA8 7925 A18C 0BA8


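A small triage script for the question Jeff's steps 3, 5 and 7 leave open: is the "any mistyped bare word goes to netidentity.com" behaviour introduced at the resolver layer (hosts file, DNS forwarder, a Site Finder style wildcard) or inside the client stack (browser hijack, LSP, proxy setting)? This is an added example, not code from the thread; the function names and the `resolver-*` labels are my own. It resolves a handful of random single-label names that cannot legitimately exist: all NXDOMAIN means the resolver is clean and the redirect is client-side (the CoolWebSearch hypothesis); all resolving to one address means something below the browser answers for everything.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]


def random_labels(count: int, length: int = 12, seed: Optional[int] = None) -> List[str]:
    """Nonsense single-label hostnames (no dots) that should never resolve."""
    rng = random.Random(seed)
    return ["".join(rng.choice(string.ascii_lowercase) for _ in range(length))
            for _ in range(count)]


def system_resolve(name: str) -> Optional[str]:
    """Ask the OS resolver; None means NXDOMAIN or any lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def probe(resolve: Resolver, names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Resolve every name with the given resolver (pluggable so it can be tested offline)."""
    return {name: resolve(name) for name in names}


def classify(results: Dict[str, Optional[str]]) -> str:
    """Decide where a 'typo goes to one site' redirect is being introduced."""
    answers = [ip for ip in results.values() if ip is not None]
    if not answers:
        # Nonsense names fail at the resolver, so the redirect seen in the
        # browser must come from the client stack (hijacked browser, LSP, proxy).
        return "resolver-clean"
    if len(answers) == len(results) and len(set(answers)) == 1:
        # Every nonsense name resolves to a single address: a hosts-file entry,
        # the configured DNS forwarder, or a DNS wildcard answers for all of them.
        return "resolver-wildcard"
    # Some resolve, some do not, or different addresses: inspect the answers by hand.
    return "resolver-mixed"


if __name__ == "__main__":
    outcome = probe(system_resolve, random_labels(5))
    print(classify(outcome), outcome)
```

Run it on the affected box and on a known-good box on the same LAN, as Jeff did with his second PC: the verdict should differ only if the resolver layer is involved.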


