Unofficial Message Board Home of Steve Wood
0 Members and 1 Guest are viewing this topic.
How much RAM do you have?How much available hard drive space?When was the last time Windows was reinstalled?What version of Windows? (XP, Vista, etc)
If that damned Liz Vicious gave me the clap...
Quote from: "SuperSix @ Fri Dec 19, 2008 6:05 am"How much RAM do you have?How much available hard drive space?When was the last time Windows was reinstalled?What version of Windows? (XP, Vista, etc)It's XP...and how does one reinstall?Last night I swept out all the cookies, browser history and the like but it didn't seem to help any. If that damned Liz Vicious gave me the clap...
Hello??? Didn't I ask the same fucking question? That's ok, it's only me..
Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements . It is known to be installed by visiting a Web site link contained in a spammed email.Trojan.Vundo consists of the following components: HTML code that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515)A downloader componentAdwareA DLL module that is installed by the adwareThe HTML code exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515) and attempts to download and execute the file C:\bla.exe, from the following domain:[http://]83.149.86.132/mins[REMOVED]The above file is the downloader component of the Trojan. Virtual memory may be degraded when the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515) is being exploited. Once executed, the Trojan creates an .exe file with a file name that it is constructed from the following strings: abr av anti ac acc ad ap as bin bas bak cab cat cmd com cr c drv db disk dll dns dos doc dvd eula exp fax font ftp hard iis img inet info ip java kb key lib log main ms mc mfc mp3 msvc net nut odbc ole pc ps play ras reg run sys srv svr svc s tapi tcp task un url util vb vga vss xml wave web w win wms The Trojan may then save and execute the above file in any of the following folders:%Windir%\addins%Windir%\AppPatch %Windir%\assembly %Windir%\Config %Windir%\Cursors %Windir%\Driver Cache%Windir%\Drivers%Windir%\Fonts %Windir%\Help %Windir%\inf %Windir%\java %Windir%\Microsoft.NET %Windir%\msagent %Windir%\Registration %Windir%\repair %Windir%\security %Windir%\ServicePackFiles %Windir%\Speech %Windir%\system %Windir%\system32 %Windir%\Tasks %Windir%\Web %Windir%\Windows Update Setup Files%Windir%\MicrosoftThe Trojan then deletes the following registry entry:HKEY_CURRENT_U SER\Software\Microsoft\Windows\CurrentVersion\Runonce\"*MS Setup"Next, the Trojan creates the following registry entries:HKEY_CURRENT_U SER\Software\Microsoft\Windows\CurrentVersion\Runonce\"*WinLogon" = "[TROJAN FULL PATH FILE NAME] ren time:[RANDOM NUMBER]"HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME] rerun"The Trojan then creates the following registry subkeys:HKEY_CURRENT_U SER\Software\Microsoft\Internet Explorer\Main\Active StateHKEY_LOCAL_MAC HINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\CLSID\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNetHKEY_LOCAL_MAC HINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}HKEY_CLASSES_R OOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\DPCUpdater.DPCUpdaterHKEY_LOCAL_MAC HINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}The Trojan creates the following registry entries only if it is executed with "rerun" parameters and the system was started in Normal mode:HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME]" HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03}HKEY_LOCAL_MAC HINE\SOFTWARE\Classes\IEpl.IEplHKEY_LOCAL_MAC HINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSIDHKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03}HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\serviceHKEY_USERS\S-1-5-21-1328679652-1783376204-1452689933-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03}If the system was started in Safe mode, the Trojan ends itself and then restarts itself without any parameters.The Trojan then attempts to download and execute a file from the following domain:[http://]62.4.84.41/mmdo[REMOVED]The above file is an adware module with an embedded DLL component. Next, the Trojan drops the embedded DLL as the following file:%Temp%\[REVERSED TROJAN FILE NAME].datThe Trojan injects the embedded DLL into the address space of several running processes. The Trojan also creates the following temporary files: [REVERSED TROJAN FILE NAME].bak1[REVERSED TROJAN FILE NAME].bak2[REVERSED TROJAN FILE NAME].iniThe Trojan displays advertisements on the compromised computer. The Trojan will restart the adware component if it detects that the adware has stopped running.The Trojan will recreate the original file with system and hidden attributes, if the Trojan file name is changed. The Trojan appears to store the following URL list and may attempt to send HTTP requests to one of the following IP addresses:62.4.84.5362.4.84.56The Trojan may also drop the following file:%ProgramFiles%\system32\vundo.dllRecommendationsSymantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application. Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared. Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack. If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilitie s are not patched. If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources. For further information on the terms used in this document, please refer to the Security Response glossary. Writeup By: David Curran
