
Re: I was rooted (but am Ok now)


FromTheRafters
Jun 19, 2009, 7:44:02 AM

"Manatee Memories" <S...@the.REPLYTO.entry> wrote in message
news:plhl3512qlf8l265p...@4ax.com...
>
> Seems a somewhat nasty bug (named "SKYNET", believe it or not) dumped a
> bunch of nasty-bits into various system-dir's (Win XP, SP-2)
> here-abouts. Well, I only _really_ found out about "it" when *finally*
> getting around to running AVG's old "AVG Anti-Rootkit Beta" (1.1.0.42),
> and, after the requisite reboot, all was peachy clean.
>
> Anyone else run into this "SKYNET" (*very* heavy into browser-redirects,
> especially when going thru Google, in my recent experience)
> nasty-bit/thing?

Is it this thing?

http://www.symantec.com/security_response/writeup.jsp?docid=2007-052211-3537-99&tabid=2


FromTheRafters
Jun 19, 2009, 9:20:10 AM

"ASCII" <m...@privacy.net> wrote in message news:4a3b3bbe.379062@EBCDIC...

> Manatee Memories wrote:
>>(*very* heavy into browser-redirects,
>>especially when going thru Google, in my recent experience)
>
> Curious if HJT showed any BHOs
> and could it have removed them?

I read somewhere that it stops HJT's process. That wouldn't surprise me,
especially if this is a most recent variant.


FromTheRafters
Jun 19, 2009, 5:13:32 PM

"Manatee Memories" <S...@the.REPLYTO.entry> wrote in message
news:tjun351168rs7nrq3...@4ax.com...
> On Fri, 19 Jun 2009 07:44:02 -0400, "FromTheRafters"
> <err...@nomail.afraid.org> wrote, by way of
> <h1ftm5$dcu$1...@news.eternal-september.org>, in alt.comp.virus -->::
> Doesn't appear familiar. But, as a sidenote, the redirect (often
> blocked, perhaps by Proxomitron?) seemed to point me towards a Chinese
> (.cn) address. Wish I'd made a screen-cap or 3, but cap's were not on my
> mind at the time.
>
> 2nd sidenote: I managed to salvage (then archive) 4 of the "deposited"
> files (2 exe's, 1 .ini, and 1 ".glu"). I named the archive,
> appropriately, "POSSIBLE TROJAN - - - 98595996 and 18586004.rar". Might
> there be some anti-malware website where I could send said archive for
> storage/analysis?

I usually suggest jotti.org and virustotal.com for scanning small
executable files (not archives).


David H. Lipman
Jun 19, 2009, 5:29:17 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Fri, 19 Jun 2009 00:23:23 -0700, ASCII <m...@privacy.net> wrote, by way
| of <4a3b3bbe.379062@EBCDIC>, in alt.comp.virus -->::

>>Manatee Memories wrote:
>>>(*very* heavy into browser-redirects,
>>>especially when going thru Google, in my recent experience)

>>Curious if HJT showed any BHOs


>>and could it have removed them?

| HJT ?

HiJack This!
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


David H. Lipman
Jun 19, 2009, 5:32:07 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Fri, 19 Jun 2009 07:44:02 -0400, "FromTheRafters"
| <err...@nomail.afraid.org> wrote, by way of
| <h1ftm5$dcu$1...@news.eternal-september.org>, in alt.comp.virus -->::

>>Is it this thing?

>>http://www.symantec.com/security_response/writeup.jsp?docid=2007-052211-3537-99&tabid=2

| Doesn't appear familiar. But, as a sidenote, the redirect (often
| blocked, perhaps by Proxomitron?) seemed to point me towards a Chinese
| (.cn) address. Wish I'd made a screen-cap or 3, but cap's were not on my
| mind at the time.

| 2nd sidenote: I managed to salvage (then archive) 4 of the "deposited"
| files (2 exe's, 1 .ini, and 1 ".glu"). I named the archive,
| appropriately, "POSSIBLE TROJAN - - - 98595996 and 18586004.rar". Might
| there be some anti-malware website where I could send said archive for
| storage/analysis?

Yes.

Please upload to MalwareUpload.com
http://www.uploadmalware.com/

When you submit the files. Please mention this thread and that I suggested you submit the
files.

David H. Lipman
Jun 19, 2009, 6:31:39 PM

From: "ASCII" <m...@privacy.net>

| Manatee Memories wrote:
>>On Fri, 19 Jun 2009 00:23:23 -0700, ASCII <m...@privacy.net> wrote, by way

>>of <4a3b3bbe.379062@EBCDIC>, in alt.comp.virus -->::

>>>Manatee Memories wrote:
>>>>(*very* heavy into browser-redirects,
>>>>especially when going thru Google, in my recent experience)

>>>Curious if HJT showed any BHOs


>>>and could it have removed them?

>>HJT ?

| HJT - HiJackThis
| http://tinyurl.com/ahw3kw

| BHO - Browser Hijack Object
| http://tinyurl.com/mdr345

Caution!!!
Be careful what you click on, some inconsiderate folk will provide an obfuscated link so
you have no idea if the link goes to a trusted site or untrusted site.

David H. Lipman
Jun 19, 2009, 7:16:57 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>


| And _that_ is why _I_ (unlike a great-many others, sad to say) utilize
| the "Preview" feature of TinyURL.com.

The INI file was 0 bytes.

The GLU file was either XOR'd or encrypted. I didn't try to decode it.

The EXE's are FakeAlert-WinwebSecurity, basically rogue anti-malware related.

I didn't see that they did much more than create...

where _filename_ = the EXE file's name without the extension

18586004.exe
HKLM\software\_filename_\

%windir%\System32\PC_filename_cnf
%windir%\System32\PC_filename_ins

98595996.exe
%ALLUSERSPROFILE%\Application Data\_filename_.ini

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_filename_ = _filename_.exe

Mutex:
AV32$ADW

David H. Lipman
Jun 20, 2009, 12:13:23 AM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| Would you care for (either via the website, or here; it's only 14 lines)
| a file from the AVG anti-rootkit prog named "results.txt"?

Sure...

Post its contents.

Anonymous
Jun 20, 2009, 6:24:25 AM

"ASCII" <m...@privacy.net> wrote in message news:4a3c5664.1588109@EBCDIC...

> David H. Lipman wrote:
>>
>>Caution!!!
>>Be careful what you click on, some inconsiderate folk will provide an obfuscated link so
>>you have no idea if the link goes to a trusted site or untrusted site.
>
> With a properly configured browser, there's no such thing as an
> untrusted site, but at least you get to read whatever loads instead of
> being faced with an executable.

You're a fucking idiot pal. David Lipman excretes more brains in his
shit than you have in your whole body. Fuck off.

David H. Lipman
Jun 20, 2009, 7:52:18 AM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Sat, 20 Jun 2009 00:13:23 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote, by way of
| <qoqdndkuNaZ__KHX...@giganews.com>, in alt.comp.virus -->::

>>From: "Manatee Memories" <S...@the.REPLYTO.entry>

>>| Would you care for (either via the website, or here; it's only 14 lines)
>>| a file from the AVG anti-rootkit prog named "results.txt"?

>>Sure...

>>Post its contents.

| Please see below.


| Path: c:\temp.\asp\images Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web\images Description: Hidden DirectoryPath:
| c:\temp.\web\images Description: Hidden DirectoryPath:
| c:\temp.\asp\images Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web\images Description: Hidden DirectoryPath:
| c:\temp.\web\images Description: Hidden DirectoryPath:
| C:\WINDOWS\system32\drivers\SKYNETtirevpwm.sys Description: Hidden
| driver filePath: C:\WINDOWS\system32\drivers\SKYNETtirevpwm.sys
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETexmpfqpa.dll
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETixltjuxd.dll
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETvghxvgtk.dat
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETenqepykack.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETikbamxiwya.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETpxusipftex.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETrjkinuface.tmp
| Description: Hidden File


This was a Skynet TDSserv RootKit variant.

Presumably there might be a %windir%\system32\SKYNETinit.dll file

Besides SKYNET, MSIVX and UAC are prefixes as well.
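The results.txt pasted above is one entry per line in the file AVG writes, but the paste ran the entries together so that "Path:" is glued onto the previous "Description:" value ("Hidden DirectoryPath: ..."). The following is an added example written for this page, not code from the thread or from AVG: it parses that pasted form back into (path, description) pairs and separates the paths that carry one of the TDSServ prefixes Lipman names (SKYNET, MSIVX, UAC) from the other hidden objects. The sample text is the thread's own paste; the prefix tuple, the function names and the idea of bucketing are mine.

```python
import re

# Filename prefixes Lipman names for this TDSServ family (assumption: the
# list is complete enough for triage; other variants may use other prefixes).
TDSS_PREFIXES = ("SKYNET", "MSIVX", "UAC")

# Sample input: the AVG Anti-Rootkit results.txt exactly as pasted in the
# thread, Usenet "| " quote markers included, with successive entries run
# together so "Path:" is glued to the previous "Description:" value.
SAMPLE_RESULTS = r"""
| Path: c:\temp.\asp\images Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web\images Description: Hidden DirectoryPath:
| c:\temp.\web\images Description: Hidden DirectoryPath:
| c:\temp.\asp\images Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web Description: Hidden DirectoryPath:
| c:\temp.\bus_cent\web\images Description: Hidden DirectoryPath:
| c:\temp.\web\images Description: Hidden DirectoryPath:
| C:\WINDOWS\system32\drivers\SKYNETtirevpwm.sys Description: Hidden
| driver filePath: C:\WINDOWS\system32\drivers\SKYNETtirevpwm.sys
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETexmpfqpa.dll
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETixltjuxd.dll
| Description: Hidden FilePath: C:\WINDOWS\system32\SKYNETvghxvgtk.dat
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETenqepykack.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETikbamxiwya.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETpxusipftex.tmp
| Description: Hidden FilePath: C:\WINDOWS\temp\SKYNETrjkinuface.tmp
| Description: Hidden File
"""

# One entry = "Path: <path> Description: <text>", where <text> runs up to the
# next "Path:" keyword (possibly with no space in between) or end of input.
ENTRY_RE = re.compile(r"Path:\s*(.+?)\s*Description:\s*(.+?)\s*(?=Path:|$)")


def parse_results(text):
    """Strip quote markers, rejoin wrapped lines, return [(path, description)] in order."""
    body = " ".join(re.sub(r"^\|\s?", "", line).strip() for line in text.splitlines())
    return [(path, re.sub(r"\s+", " ", desc)) for path, desc in ENTRY_RE.findall(body)]


def family_of(path):
    """Return the TDSS prefix the file name starts with, or None.
    A short prefix such as UAC is a triage lead, not a verdict on its own."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    for prefix in TDSS_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return None


def triage(text):
    """Unique paths, TDSS-prefixed ones first. Hidden objects without a prefix
    (the temp directories here) are listed separately for manual review."""
    tdss, other = [], []
    for path, _desc in parse_results(text):
        bucket = tdss if family_of(path) else other
        if path not in bucket:
            bucket.append(path)
    return {"tdss": tdss, "other_hidden": other}


if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS)
    for path in report["tdss"]:
        print("TDSS residual:", path)
    for path in report["other_hidden"]:
        print("hidden, no TDSS prefix (review):", path)
```

On the thread's paste this yields eight unique SKYNET paths (the driver is reported twice, as "Hidden driver file" and "Hidden File", and collapses to one) and four hidden directories under c:\temp. that carry no prefix and need a human look.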

FromTheRafters
Jun 20, 2009, 7:56:34 AM

"ASCII" <m...@privacy.net> wrote in message
news:4a3c5664.1588109@EBCDIC...
> David H. Lipman wrote:
>>
>>Caution!!!
>>Be careful what you click on, some inconsiderate folk will provide an
>>obfuscated link so
>>you have no idea if the link goes to a trusted site or untrusted site.
>
> With a properly configured browser, there's no such thing as an
> untrusted site, but at least you get to read whatever loads instead of
> being faced with an executable.

Even if the url is completely legitimate (and trusted) - it could still
lead you to malware. You are taking your chances either way. I wouldn't
have reservations about clicking on either of those links. Reasonable
defensive measures and a good recovery plan give you peace of mind.


David H. Lipman
Jun 20, 2009, 10:18:29 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

>>This was a Skynet TDSserv RootKit variant.

>>Presumably there might be a %windir%\system32\SKYNETinit.dll file

| File (SKYNETinit.dll) not found (checked/scanned for +H +S attrib's).

>>Besides SKYNET, MSIVX and UAC are prefixes as well.

| Oh *drat* :-(

You may want to look for any residuals; %windir%\system32\SKYNET*.*
(checking/scanned for +H +S attrib's).

Nomen Nescio
Jun 20, 2009, 10:20:08 PM

"ASCII" <m...@privacy.net> mouthfarted:

> Anonymous wrote:
>>David Lipman excretes more brains in his
>>shit than you have in your whole body.
>
> I've long suspected that's where his thinking derives

You are the poster boy of conceited Australian fucktards. Your
continual attempts to scorn and belittle your betters spotlight
your own inferiority. Sensible alt.comp.virus readers recognize
you as just another know-it-all Internet gobshite.

Go fuck a Kangaroo, then go fuck yourself. (Be sure to obtain
prior permission from your butthole friend TheApostle or he
may become jealous and refuse to spank you again.)


David H. Lipman
Jun 21, 2009, 9:02:34 AM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Sat, 20 Jun 2009 22:18:29 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote, by way of
| <Q4WdnSTsW9rrBaDX...@giganews.com>, in alt.comp.virus -->::

>>From: "Manatee Memories" <S...@the.REPLYTO.entry>

>>>>This was a Skynet TDSserv RootKit variant.

>>>>Presumably there might be a %windir%\system32\SKYNETinit.dll file

>>| File (SKYNETinit.dll) not found (checked/scanned for +H +S attrib's).

>>>>Besides SKYNET, MSIVX and UAC are prefixes as well.

>>| Oh *drat* :-(

>>You may want to look for any residuals; %windir%\system32\SKYNET*.*
>>(checking/scanned for +H +S attrib's).

| David, you are (or, *should* be) a National Treasure.

| Four (names below) files found:

| SKYNETtirevpwm.sy_
| SKYNETexmpfqpa.dl_
| SKYNETixltjuxd.dl_
| SKYNETvghxvgtk.da_

| The first 3 are dated 18 June 2009 @ 14:04, while the 4th file is timed
| @ 17:04. All files have _only_ the +A attrib set. In addition, the first
| file is in the %windir%\system32\drivers directory.

| I am deleting the 4 files.

| --

| "Cap'n, we've secretly replaced their dilithium crystals with
| new Folgers crystals. Now let's watch them go to warp."

I hope you have also done a full scan of the PC with an anti virus software.
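Lipman's "look for residuals under %windir%\system32\SKYNET*.*" and the four +A files that turned up (three stamped 14:04, one 17:04) can be turned into a small sweep. This is an added example in Python, not a tool from the thread: the sample directory tree, the 300-second clustering window and the function names are my own, and the file names and timestamps are the ones the reply reports. The prefix match is on the name only, so renamed stashes such as SKYNET*.sy_ and .dl_ are caught along with .sys and .dll. One caveat a practitioner needs: with the rootkit driver still loaded, any user-mode listing (this script, dir, attrib) is filtered, so run it after the driver is gone, as it was here after AVG's reboot, or against the disk from clean media.

```python
import os
import stat
import tempfile
from datetime import datetime

# Prefixes Lipman lists for this TDSServ family (assumed complete for triage).
TDSS_PREFIXES = ("SKYNET", "MSIVX", "UAC")


def decode_attrs(st):
    """Render DOS attributes (A/H/S/R) from st_file_attributes; 'n/a' off Windows.
    os.walk/os.lstat see +H and +S files regardless, so no attrib run is needed."""
    bits = getattr(st, "st_file_attributes", None)
    if bits is None:
        return "n/a"
    flags = (("A", stat.FILE_ATTRIBUTE_ARCHIVE), ("H", stat.FILE_ATTRIBUTE_HIDDEN),
             ("S", stat.FILE_ATTRIBUTE_SYSTEM), ("R", stat.FILE_ATTRIBUTE_READONLY))
    return "".join(ch for ch, bit in flags if bits & bit) or "-"


def sweep(root, prefixes=TDSS_PREFIXES):
    """Return [(path, attrs, mtime)] for every file under root whose name starts
    with one of the prefixes (any extension), sorted by modification time."""
    wanted = tuple(p.upper() for p in prefixes)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().startswith(wanted):
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                hits.append((full, decode_attrs(st), st.st_mtime))
    hits.sort(key=lambda h: h[2])
    return hits


def names(hits):
    """Base names of the hits, in mtime order."""
    return [os.path.basename(h[0]) for h in hits]


def mtime_clusters(hits, window_seconds=300):
    """Group sorted hits whose mtime lies within window_seconds of the previous
    hit: files dropped by one installer run land in the same cluster."""
    clusters = []
    for hit in hits:
        if clusters and hit[2] - clusters[-1][-1][2] <= window_seconds:
            clusters[-1].append(hit)
        else:
            clusters.append([hit])
    return clusters


def build_sample_tree():
    """Constructed sample tree (a temp dir, not a real system32): the four
    residual files the thread reports, stamped 18 Jun 2009 14:04 (three) and
    17:04 (one), plus one benign file as a control."""
    root = tempfile.mkdtemp(prefix="tdss_sample_")
    base = datetime(2009, 6, 18, 14, 4).timestamp()
    layout = [
        ("system32/drivers/SKYNETtirevpwm.sy_", base),
        ("system32/SKYNETexmpfqpa.dl_", base + 5),
        ("system32/SKYNETixltjuxd.dl_", base + 10),
        ("system32/SKYNETvghxvgtk.da_", base + 3 * 3600),
        ("system32/kernel32.dll", base - 86400),
    ]
    for rel, mtime in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * 16)
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for cluster in mtime_clusters(sweep(root)):
        print("cluster of %d file(s):" % len(cluster))
        for path, attrs, mtime in cluster:
            print("  %-60s %-4s %s" % (path, attrs, datetime.fromtimestamp(mtime)))
```

Pointed at a real %windir%, the attribute column is what tells you whether a residual still has +H/+S set or, as in this thread, only +A, which is FromTheRafters' point: an +A file is exactly what a backup job will sweep up, so check the backup set too.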

FromTheRafters
Jun 21, 2009, 7:46:58 PM

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:QaGdnW_mvKT2sqPX...@giganews.com...

...and with the archive attribute set - be sure you didn't back them up.


FromTheRafters
Jun 22, 2009, 4:04:40 AM

"Manatee Memories" <S...@the.REPLYTO.entry> wrote in message
news:4pvt35134nghppfft...@4ax.com...
> On Sun, 21 Jun 2009 19:46:58 -0400, "FromTheRafters"
> <err...@nomail.afraid.org> wrote, by way of
> <h1mgpk$cd6$1...@news.eternal-september.org>, in alt.comp.virus -->::
>>> I hope you have also done a full scan of the PC with an anti virus
>>> software.
>>
>>...and with the archive attribute set - be sure you didn't back them
>>up.
>
> Of bleeping course. What sort of person do you think I am; a newbie?

Just thought it worth mentioning.

...and archived programs *can* be dangerous.


David H. Lipman
Jun 22, 2009, 2:45:00 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>


| David, when I said "National Treasure", I was _not_ doing so from a
| point of cynicism/sucking up/kissing you-know/*whatever*. I _meant_ what
| I said, said what I meant, and will stand by it all, 100%" (with
| apologies to Dr. Seuss <g>).

:-)

David H. Lipman
Jun 23, 2009, 4:57:31 PM
(message deleted; its text survives quoted in the following reply)

David H. Lipman
Jun 23, 2009, 7:34:56 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Tue, 23 Jun 2009 16:57:31 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote, by way of
| <VqOdnXnGHcMg3NzX...@giganews.com>, in alt.comp.virus -->::

>>From: "Manatee Memories" <S...@the.REPLYTO.entry>

>>Here's an installer...

>>http://www.virustotal.com/analisis/
>>e39973448b43f1efd68c6adbb8d13afa536eaf111dd61917a1e51a8723c5f25f-1245790369

>>http://www.threatexpert.com/report.aspx?md5=43df4569fcb4ecfa9ed88a4b95af6bf7

| Ouch. Any idea how to delete some (all?) of those newly-created
| malicious registry values?

Anti rootkit like Gmer.

I believe you used AVG Anti-Rootkit Beta.

David H. Lipman
Jun 23, 2009, 10:39:51 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>


>>Anti rootkit like Gmer.

>>I believe you used AVG Anti-Rootkit Beta.

| The AVG app detected _nothing_, other than what's been pasted/posted to
| this thread. I haven't tried Gmer in a while.

| Well, in any case, I ran Regedit, found several "SKYNET*" entries, tore
| out some more hair creating various permissions, then deleted away.
| Re-ran regedit-search on "SKYNET", found nothing, & life was good (:::
| crosses fingers :::).

Gmer would have done well. The ONLY caveat is to rename it.

I recently had a UAC TDSserv variant on a PC given to me to clean and I renamed GMER.EXE
to LIPPY.COM :-)

1PW
Jun 24, 2009, 3:27:40 AM

David H. Lipman wrote:

> Gmer would have done well. The ONLY caveat is to rename it.

At <http://www.gmer.net/#files> you now have the option to download
GMER with a randomized executable filename. Kinda nifty.

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

David H. Lipman
Jun 24, 2009, 6:14:46 AM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Tue, 23 Jun 2009 22:39:51 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote, by way of
| <uMydnc3NwZJhDNzX...@giganews.com>, in alt.comp.virus -->::

>>From: "Manatee Memories" <S...@the.REPLYTO.entry>


>>>>Anti rootkit like Gmer.

>>>>I believe you used AVG Anti-Rootkit Beta.

>>| The AVG app detected _nothing_, other than what's been pasted/posted to
>>| this thread. I haven't tried Gmer in a while.

>>| Well, in any case, I ran Regedit, found several "SKYNET*" entries, tore
>>| out some more hair creating various permissions, then deleted away.
>>| Re-ran regedit-search on "SKYNET", found nothing, & life was good (:::
>>| crosses fingers :::).

>>Gmer would have done well. The ONLY caveat is to rename it.

>>I recently had a UAC TDSserv variant on a PC given to me to clean and I renamed
>>GMER.EXE
>>to LIPPY.COM :-)

| Your box didn't complain when re-extensioning a *.exe to *.com ?

No more than indicating if I was sure I wanted to do that.

David H. Lipman
Jun 24, 2009, 6:16:08 AM

From: "1PW" <barcrna...@nby.pbz>

| David H. Lipman wrote:

>> Gmer would have done well. The ONLY caveat is to rename it.

| At <http://www.gmer.net/#files> you now have the option to download
| GMER with a randomized executable filename. Kinda nifty.

Yes.

However I hold a copy on a CF memory card and keeping it GMER.EXE allows me to know what
it is. If I stored a random named file it is harder to know what it is.

Etal
Jun 24, 2009, 9:56:43 AM

David H. Lipman wrote:

>
> Please upload to MalwareUpload.com
> http://www.uploadmalware.com/
>

Dyslecksic moment?
I have not visited *either* site yet, but with so many bad people
trying to phish using sites with links/names very similar to good
ones. Would be unfortunate if the _name_ of the site really is
the inverse of the _URL_ they use.


> When you submit the files. Please mention this thread and
> that I suggested you submit the files.
>

Is this site not for everyone to use at any time?


--
Nah-ah. I'm staying out of this. ... Now, here's my opinion.

Please followup in the newsgroup.
E-mail address is invalid due to spam-control.

David H. Lipman
Jun 24, 2009, 5:00:48 PM

From: "Manatee Memories" <S...@the.REPLYTO.entry>

| On Wed, 24 Jun 2009 06:16:08 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote, by way of
| <AaCdnVNG7o52YdzX...@giganews.com>, in alt.comp.virus -->::

>>From: "1PW" <barcrna...@nby.pbz>

>>| David H. Lipman wrote:

>>>> Gmer would have done well. The ONLY caveat is to rename it.

>>| At <http://www.gmer.net/#files> you now have the option to download
>>| GMER with a randomized executable filename. Kinda nifty.

>>Yes.

>>However I hold a copy on a CF memory card and keeping it GMER.EXE allows me to know
>>what
>>it is. If I stored a random named file it is harder to know what it is.

| Not necessarily so. Even with the random filename, the GMER icon
| remains the same :-)

Not with a .COM extension. No icon.

David H. Lipman
Jun 24, 2009, 5:05:08 PM

From: "Etal" <lo...@sig.bcause.this.is.invalid>

| David H. Lipman wrote:


>> Please upload to MalwareUpload.com
>> http://www.uploadmalware.com/


| Dyslecksic moment?
| I have not visited *either* site yet, but with so many bad people
| trying to phish using sites with links/names very similar to good
| ones. Would be unfortunate if the _name_ of the site really is
| the inverse of the _URL_ they use.


>> When you submit the files. Please mention this thread and
>> that I suggested you submit the files.


| Is this site not for everyone to use at any time?

You asked "Dyslecksic moment?"
LOL -- Yes !

UploadMalware.Com is available to ALL to upload malware to get their samples distributed
to all the listed anti malware vendors.

I stated... "When you submit the files. Please mention this thread and that I suggested
you submit the files."

To help flag the post so I can tell which of the many submissions was that of "Manatee
Memories".

All submissions are encouraged.

Etal
Jun 24, 2009, 5:25:59 PM

David H. Lipman wrote:

> | David H. Lipman wrote:
>
>
>>> http://www.uploadmalware.com/
>


> UploadMalware.Com is available to ALL to upload malware to get
> their samples distributed to all the listed anti malware
> vendors.
>
> I stated... "When you submit the files. Please mention this
> thread and that I suggested you submit the files."
>
> To help flag the post so I can tell which of the many
> submissions was that of "Manatee Memories".
>
> All submissions are encouraged.
>


Thanks for the clarifications.

David H. Lipman
Jun 24, 2009, 5:47:23 PM

From: "Etal" <lo...@sig.bcause.this.is.invalid>

| David H. Lipman wrote:

>> | David H. Lipman wrote:


>>>> http://www.uploadmalware.com/

>> UploadMalware.Com is available to ALL to upload malware to get
>> their samples distributed to all the listed anti malware
>> vendors.

>> I stated... "When you submit the files. Please mention this
>> thread and that I suggested you submit the files."

>> To help flag the post so I can tell which of the many
>> submissions was that of "Manatee Memories".

>> All submissions are encouraged.

| Thanks for the clarifications.


Thanx for taking an interest :-)

noauth
Jun 24, 2009, 7:32:18 PM

"Manatee Memories" wrote:
>
> Ah :-(

Only an imbecile quotes an entire poast just to add "Ah :-("

You should be rooted up the arse until your nose bleeds.

Go and poast in alt.usenet.kooks with the other bandwidth
wasting fuckwits.

