
Bugtraq mailing list archives
Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Wed, 14 Mar 2007 21:32:22 +0100
Among other things (password stealer), this BHO has backdoor and "botnet" capabilities, implementing several remote commands:

+ upload
+ run
+ update
...

Yeah, I love the KILLWINANDREBOOT command, which will basically delete NTLDR and NTDETECT.COM before rebooting Windows ...

Watch out for unexpected http traffic containing commandack.php, mailwab.php ...

Embedded URLs are:

http://58.65.234.73/~mjakson
http://58.65.234.73/~mjakson/mail.php
http://58.65.234.73/~mjakson/newuser.php
http://58.65.234.73/~mjakson/commandack.php
http://58.65.234.73/~mjakson/mailwab.php
http://58.65.234.73/~mjakson/command.php
http://58.65.234.73/~mjakson/upload.php

You can also easily guess the following URL:

http://58.65.234.73/~mjakson/admin.php

Best course of action for sysadmins would be to block at least this IP. The site seems to be hosted in a server farm near Hong Kong. On March 14th at 20:00 GMT the site was still up and running.

Very nice piece of malware indeed ...

Regards,
- Nicolas RUFF
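The detection hint in the post above (watch proxy traffic for the callback host and the command script names) turned into a small log scanner, as an added example that is not part of the original post. It assumes Squid-style native access.log lines; the sample lines are constructed, only the host and script names come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the callback host and the PHP scripts
# the BHO is reported to contact.
C2_HOST = "58.65.234.73"
C2_SCRIPTS = {"mail.php", "newuser.php", "commandack.php",
              "mailwab.php", "command.php", "upload.php"}

# Squid native access.log: timestamp elapsed client action/code size method url ...
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(url):
    """Return a reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    script = parts.path.rsplit("/", 1)[-1]
    if host == C2_HOST:
        return "c2-host"
    if script in C2_SCRIPTS:
        # Script name alone is a weaker signal: review it, do not block on it.
        return "c2-script-name"
    return None

def scan_proxy_log(lines):
    """Return (client, url, reason) for every log line hitting an indicator."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits

# Constructed sample log lines (not taken from any real capture).
SAMPLE_LOG = """\
1173902400.123    210 10.0.0.15 TCP_MISS/200 3120 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1173902401.456     95 10.0.0.15 TCP_MISS/200 412 POST http://58.65.234.73/~mjakson/newuser.php - DIRECT/58.65.234.73 text/html
1173902402.789     88 10.0.0.22 TCP_MISS/200 301 GET http://other.example.net/cgi/commandack.php?id=7 - DIRECT/203.0.113.9 text/html
1173902403.012     70 10.0.0.15 TCP_MISS/200 255 GET http://58.65.234.73/~mjakson/command.php - DIRECT/58.65.234.73 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{reason:16} {client:12} {url}")
```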
Current thread:
- Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. Thierry Zoller (Mar 13)
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. Gadi Evron (Mar 13)
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. Reversemode (Mar 13)
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. Nicolas RUFF (Mar 15)