Todays file/IP harvest involves a site called proffy209 which automatically downloads a whole pile of files without any prompts or warnings.. *boom* you are now a hijacked spambot

It's actually a fairly similar hijack to this one I ran earlier , but on a bit smaller scale:
http://www.bluetack.co.uk/forums/index.php?showtopic=13510


As always , please dont follow any of the links unless you are a nutter and you want to make your computer generally unusable ..


Trojan-Proxy.Win32.Lager turns the infected machines into zombie machines which can be used to deliver spam and launch denial of service attacks.
http://research.sunbelt-software.com/threa...;threatid=44348

Trojan.Abwiz.F
http://www.sarc.com/avcenter/venc/data/trojan.abwiz.f.html

W32/Small.AVT!tr.dldr
http://www.fortinet.com/VirusEncyclopedia/...&fid=229604


-------------------------------------

Main Programs used for monitoring :

-------------------------------------

VMWare guest OS:

Outpost 4.0
Processguard Free 3.405
System Safety Monitor Free 2.0.8.578
Regrun 4.60
Gmer

Host OS :
Outpost 3.51 with HTTP logger plugin


============================================

Main visual evidence of the hijack, popping up every 30 seconds or so [ damn annoying it is too ] :



=========================================

:: Identified Malware + Related Files ::

*****************************
SYSTEM
*****************************
2240_28.dll
dlh9jkdq2.exe
dlh9jkdq5.exe
dlh9jkdq6.exe
dlh9jkdq7.exe
dlh9jkdq8.exe
ipod.raw.exe
kernels8.exe
kernels8.rar
svcp.csv
taskdir.dll
taskdir.exe
taskdir~.exe
vx.tll
vxgame1.exe
vxgame2.exe
vxgamet2.exe
winsub.xml
zlbw.dll
-----------------------------
-----------------------------
*****************************
*****************************
WINDOWS
*****************************
desktop.html
xpupdate.exe
-----------------------------
-----------------------------
*****************************
*****************************
C:\ ROOT
*****************************
-----------------------------
lo1642915714.exe
-----------------------------
-----------------------------
*****************************

+ Program Files\Bravesentry

+ these files :

criiavuu.exe
win32.exe
2236.exe
scane.exe
nmruvasv.exe
maxdd1.game
temp_365218.bat
temp_20780109.bat
vx1.game
vx2.game
vx3.game
vx4.game
vx6.game
vxt1.game
vxt2.game
vxt3.game
vxt4.game
ipod.raw
count.htm
sploit.anr
1 through to 7.dlb files

+ lots more random files in TEMP / Temporary Internet Files Folders


Bat file contents :





============================

Some of the registry keys abused , these are the original keys/ values before modification:

============================
-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

DisableTaskMgr 0

-

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Search Bar

http://search.msn.com/spbasic.htm

-

Search Page

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools 0
DisableTaskMgr 0
NoColorChoice 0
NoDispAppearancePage 0
NoDispBackgroundPage 0
NoDispCPL 0
NoDispScrSavPage 0
NoDispSettingsPage 0
NoSizeChoice 0
NoVisualStyleChoice 0

-


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


NoActiveDesktopChanges 0

-

========================================================

:: HijackThis log ::

C:\WINDOWS\System32\kernels8.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\dlh9jkdq2.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\System32\2240_28.dll


Registry Run Entries :

windows update loader = C:\windows\xpupdate.exe
taskdir = system32\taskdir.exe
system = system32\kernels8.exe


============================================

:: Hijack sequence ::

============================================

First file to load in the system is this :


















Yes thats the taskmanager being killed off :











Still more files :















Outbound connection attempts logged by Outpost :

























Processguard in action :




There goes the desktop , now its all completely white






---------------------------------------------------------------------------------------


windows/system32/2240_28.dll loaded into rundll32.exe -





memory strings output of this file reveals a large amount of country codes , email providers addresses , mail to / mail from entries and a collection of hosts file entries for blocking most of the antivirus companies among many other things..

============================================

:: Connections / Files logged ::

============================================

/proffy209.com/

/adv/052/win32.exe
/adv/052/sploit.anr
/adv/052/count.jar

/adv/052/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=notoutpost&table=adv52

/test.php?adv=52&code1=IOKK&code2=2282
/pic/search.jpg
/pic/winlogon.jpg
/pic/tibs.jpg
/pic/tool.jpg
/pic/proxy.jpg

.download.bravesentry.com/download.php?&advid=00000278&u=0&p=15659288

/test.php?adv=52&code1=IOKK&code2=2282
/dl/adv52.php?adv=52&code1=IOKK&code2=2282&code3=3/3A6B257C072!BT

/adv/052/sploit.anr
/vxgame1/vxv.php
/vxgame1/zgame1.exe
/vxgame1/zgame2.exe
/vxgame1/zgame3.exe
/vxgame1/zgame4.exe
/vxgame1/zgame5.exe

85.255.114.166/gdnOT2584.exe

/tool1/ztool1.exe
/tool1/ztool2.exe
/tool1/ztool3.exe
/tool1/ztool4.exe

count.hitscount.net/updinst/krab03/count.php
count.hitscount.net/updinst/krab03/2236.exe

81.177.3.175/cntr.php?b=:6:6&c=5151&d=5
81.177.3.175/images/ipod.raw
81.177.3.175/cntr.php?e=!!16671339_5_0_1_1&x=4:3;4&y=28192

217.107.217.177/cp/rule.php?fstt=1&b=53&w=back&name=SPYWARE-HUNTER&v=1&13
217.107.217.177/cp/rule.php?gcu=1&5636
217.107.217.177/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&1933

81.177.26.20/cp/bin/scane.exe
85.255.114.166/gdnOT2584.exe
81.177.26.20/cp/bin/lim
81.177.3.175/cntr.php?f=;22
81.177.26.20/1.jpg

217.107.217.177/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&8088
81.177.26.20/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&5850
81.177.26.21/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&3503
205.209.179.107/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&8960
81.177.3.175/cntr.php?f=3:24
217.107.217.177/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&8229
81.177.26.20/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&7466
81.177.26.21/sp/post.php
81.177.3.175/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&1742
81.177.26.21/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&8590
85.255.114.166/gdnOT2584.exe
205.209.179.107/cp/rule.php?name=SPYWARE-HUNTER_53&b=53&w=back&v=1&7105
81.177.26.20/cp/bin/lim

============================================

Question : Does Bravesentry suck ?

Answer : YES !

Of course this junk comes from Atrivotech / Intercage the worlds leading malware network based in good old San Francisco USA .. who else would give criminals like this a great deal to launch their hijacks from without fear of being kicked off the network.






Award winning my ass.. they get my award for being annoying and totally crap.