Monday, October 9, 2006

New experience

Hi guys!
I experienced Trojan/Spy first time in my life. When I was chatting with my friends, I got an instance message saying “We have a party tonight. Please join with us. Click this for more information: http:/ /” from one of my friends ID. I accidentally clicked on it. My computer infected with a Trojan svhost32.exe.

1. The homepage in the IE is changed to "".
2. Every time I log into yahoo messenger it is automatically sending out messages to all the names in the friends list with the link ......."check this link".
3. My MSN nickname changed to “Jeyaram –”.
4. Registry editor is disabled.
5. Task manager is disabled.
6. The options in the IE - Tools- Internet options - general tab- use blank, use current, use default options disabled.
7. Whenever I open MSN/Yahoo messenger, some box type windows open and close.
8. My computer all the way got stacked.
9. When I click on anywhere, a small menu displayed.
10. Screen shot button didn’t work.
11. I have run the ewido avg anti spy ware and could not find anything. I have ZA and AVG antivirus installed. Also, when I am not connected to the net, I get a pop up message “Program trying to access, which connection to use.”

If you got the same problem, start the computer in safe mode and system restore turned off. And run your anti-spy program. Now I recommend “Ad-Aware SE Personal”. Or use yahoo anti-spy. Yahoo anti-spy is very simple and efficient program. Yahoo anti-spy won’t work for this Trojan, if you don’t update.
Download Yahoo! Anti-spy!!
Is the Trojan/Spy gone and the computer is safe now??
Is it safe to use the yahoo messenger now (without sending the unwanted links to the friends list)?????

If you get any messages like this; be carefully.

  • oh my god , I've won a 20000 used lottery . Come to my house tonight for a party !! ><
  • have you ever seen such a silly man like this ? )
  • Now you can avoid some critical online viruses by updating Windows . Click here to know how to Update your Windows : <<
  • Breaking news : Mr G.Bush's son is kidnapped by terrorists !!! !!
I don’t know!! Please post your comments. If you know any thing more about this spy post that also as comment.

Well opening drops svchost.exe and svchost32.exe (made in VB and UPXed) in ur windows directory.
If you open the page in mozilla / opera, its full of adbrite ads.
It can be considered a good case of social engineering by bgohil7@yahoo. com
as he wrote as a link in his post. Reading this post many woulr open up and get infected if they use IE.
nice one dude.
Some details that i figured out :
it uses msinet.ocx and web browser control for communicating with websites or downloading more file.
the programmer of this malware has these folders -
E:\Lucky\My Document\Visual basic 6.0\Downloader\
the VB project was saved as termex.vbp
it also drops taskkill.exe in windows\system32 folder
taskkill is used by program to end programs like Antiviruses etc.
It kills all anti trojan and anti virus tools.
makes a script c:\killav.bat to kill antiviruses
It accesses where the malware writer will put commands or url from which trojan would update itself.
Its spreading well -
besides it disables taskmgr and regedit too
it accesses and probably autoclicks ads
the Module1.bas has subroutines like KillAV() and Killenemy()
it downloads which is renamed as svchost32.exe
also downloads
the malware author also has registered the domain
I think the malware should be named "Termex" as far as the programmer wished.
I will post more if i find about this. We can easily nab this criminal as he left the names of websites/domains he bought.
more coming soon
happy hacking
Spyware, Adware, Trojans, Malware, Dialers, Popups Scanners:
Online Scanners:
Spyware, Adware, Trojans, Malware, Dialers, Popups Scanner Lists:
Antivirus Lists:
Firewall Lists:
IP Blocker:
Email, News, RSS:
System Cleaner:
System Cleaning List:
System Info:
Thanks: Yahoo! answers

No comments:

Post a Comment