Security Basics mailing list archives

RE: New Trojan?


From: "Steven Hess" <shess () tampabay rr com>
Date: Wed, 30 Jun 2004 18:13:24 -0400

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If it is a CoolWebSearch variant - they might not be able to get to
the merijn website. It can block access. You can download a scanner
and removal tool - CWS Shredder - at
http://www.lurkhere.com/~nicefiles/ It is a download mirror for the
merijn website. 

Steven Hess


-----Original Message-----
From: Brian Lund [mailto:brianlund () gmail com] 
Sent: Tuesday, June 29, 2004 2:48 PM
To: security-basics () securityfocus com
Subject: Re: New Trojan?


On further reflection, this sounds a lot like Cool Web Search, a
really annoying piece of spyware with many variants that is very fond
of redirecting you to search pages and the like.  If it is a new
variant, it's unique in the fact that it affects Firefox as well; my
guess is it's a Windows instead of IE thing, but you never know.

If it would help at all, check out the following page about CWS,
http://www.spywareinfo.com/~merijn/cwschronicles.html ... and good
luck, it's a bugger to get rid of.

On Mon, 28 Jun 2004 15:14:38 -0400, Jeff
<jeff@not_a_real_address.com> wrote:

PLEASE READ ... I feel violated and need much help, if not for the
PC, for my nerves.

The PC is a WinXP box, fully patched, routinely checked with Spybot
1.3 and AdAware 6. I run SpywareBlaster as well. I also use
Thunderbird 0.6 and Firefox 0.8. All other family members run
Thunderbird on this box. IE6 has not been removed but is fully
patched.

Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is
running. (I purposely purchased the licenses at work for our home
users also so that they WOULD stay up to date -- a practice I
learned from Sprint a long, long time ago.)

I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards.
    He read them. Doesn't remember where they took him, nor
    does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT
    to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to
    www.netidentity.com with the mistaken URL clearly
    identified inside. Identical results on IE6 and Firefox.
    Java and Javascript are disabled on Firefox. I leave IE6
    alone because I use it when I absolutely must go to some
    bogus activex site, oh, and windowsupdate. But I don't use
    it otherwise. I always use Firefox.

    URLs that caused this include: mapblast, mapquest, abc, def
    ... through xyz.

    Please note: I had typed "mapblast" but had hit Enter rather
    than Ctrl-Enter, by mistake. The URLs entered are literally
    those listed, just the word.

    They are then transformed to http://mapblast/

4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
    updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to their
** old tricks with its Site Finder business. A quick check of
** another PC in the house eliminated that.

5. I checked my syslogs and NULL routed the IP address being used
    to access www.netidentity.com. The same page comes up sans the
    graphics and the flash. The web page is still there though, just
    looking sad. Another check of the syslogs brings up 64.15.175.5
    as generating the pages, an open proxy.

6. Also ran HiJackThis and went through ALL of the items on it.
    Nada. Couldn't find the IP addresses or domain names in the
    registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS
    server wasn't stuck in. Nope, still set to use the Netgear box.
    Put 4 different DNS servers in -- still get that stupid site.

8. That was all at lunchtime. Haven't had a chance to run netstat
    or Ethereal to gain any additional clues.

ZOIKS!!!

The PC is off. But NOT knowing what is going on is driving me
insane.

So while I <ahem> work this afternoon, I thought I would see if any
of this sounds, smells or <insert fav sense here> like anything
that anyone has seen before!

Jeff

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------

--
Brian Lund
PGP Key ID: A18C0BA8 (1024/2048 | DSA/ELG)
PGP Fingerprint: F358 F84F 0219 5F2D 66BC C416 7BA8 7925 A18C 0BA8





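The thread's key observation is that swapping in four different DNS servers changed nothing, which points at something on the PC itself rewriting failed lookups rather than at the router or ISP. As an added check (not code from the thread or from any tool it names), this script looks for the two usual local culprits: hosts-file entries that point names at a foreign address, and a resolver path that answers random nonexistent single-word names with one fixed address, the "abc, def ... xyz all land on the same page" symptom. It assumes Python 3 and takes the resolver as a parameter so it can be exercised offline.

```python
import random
import socket
import string

# Added example, not from the thread: flag the two local causes that make every
# mistyped single-word URL land on one site no matter which DNS server is set:
# a poisoned hosts file, or something between the browser and real DNS that
# turns NXDOMAIN into a fixed address (wildcard hijack).

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def suspicious_hosts_entries(hosts_text):
    """Return (name, address) pairs in hosts-file text that send a real name
    to a non-loopback address. Blocklist-style entries (127.0.0.1/0.0.0.0)
    are normal; anything else deserves a look."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr in LOOPBACK:
            continue
        for name in names:
            if name not in ("localhost", "localhost.localdomain"):
                found.append((name, addr))
    return found

def random_label(rng, length=12):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))

def detect_wildcard_hijack(resolve=socket.gethostbyname, probes=5, seed=None):
    """Resolve several random single-word names that cannot exist. Honest DNS
    fails every one (NXDOMAIN). If all succeed and agree on one address, some
    hook is rewriting failures. Returns that address, or None."""
    rng = random.Random(seed)
    answers = set()
    for _ in range(probes):
        try:
            answers.add(resolve(random_label(rng)))
        except OSError:
            return None   # at least one honest NXDOMAIN: no wildcard hijack
    return answers.pop() if len(answers) == 1 else None

if __name__ == "__main__":
    print("wildcard hijack ->", detect_wildcard_hijack() or "none detected")
```

Run it on the affected box and on a clean one; only the affected box should report an address, and that address is the one to hunt for in the hosts file, BHOs and LSP entries.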