Message-ID: <df43a47b04092918425869dc19@mail.gmail.com>
From: jthibeault at gmail.com (Jason Thibeault)
Subject: Spyware? Worm? Trojan? "face license free bait"

This would be the newest version of LOP, a nice piece of spyware that
present Spybot S&D signature files don't recognize.  You probably got
it (like a few others at my workplace) by installing Messenger Plus! 3
and agreeing to the EULA that it presents.  Here's a hint -- that EULA
isn't for Messenger Plus!, but rather for C2Media's "sponsor program".
As soon as I'm done with the draft of a quick dissection I completed
earlier this afternoon, I'll post it in reply to this thread.


On Wed, 29 Sep 2004 10:39:31 -0700 (PDT), Harlan Carvey
<keydet89@...oo.com> wrote:
> Wow.  English aside, I have no idea where to
> start...there are so many questions that need to be
> asked for clarification on this that I don't know
> whether to sh*t or go blind!
> 
> > I found something VERY VERY STRANGE on my computer
> > last evening...
> 
> Yeah, so did I...the user!  ;-)
> 
> Okay, here's an excerpt from the email...
> 
> > While writing these lines I found two other shit
> > directories :'(
> >
> > C:\PROGRA~1\Corn Internet Soft
> >
> > Filename                  Size    CRC-32
> > C5EDFC35                  1060    92EE5B2C  [set as system files]
> > cemaylou.exe              272966  70370FFB  (other names it has taken: nxkkxpjy.exe, greyend.exe, metapoll.exe)
> > HOLE NAME.exe             240663  A2325E7C
> > logduperoad.exe           9970    25C7A91D
> > seek barb regs win.exe    47616   D41BE72E  (other name it has taken: batbodypokeextra.exe)
> >
> >
> > C:\PROGRA~1\upload admin bind
> >
> > Filename                  Size    CRC-32
> > DELETE PLAY.exe           15526   95665A33
> >
> > And I'm unable to delete any of these files !! They
> > are not displayed in
> > taskmgr, and :
> >
> > --
> > PsKill v1.03 - local and remote process killer
> > Copyright (C) 2000 Mark Russinovich
> > http://www.sysinternals.com
> >
> > Unable to kill process cemaylou.exe:
> > Process does not exist.
> > --
> 
> Okay, so you found cemaylou.exe in a directory...what
> made you think that it was a process?  Just b/c you
> can't delete them, what makes you think that they
> *would* appear in TaskManager?
> 
> > I've tried to sniff all these exe names using tools
> > from SysInternals
> > but I can't find any of these o_o !!
> 
> Are you referring to FileMon and RegMon?  Again...just
> b/c you can't delete the files, why do you think they
> are running?
> 
> > What the hell is going on on my computer ?? Is Big
> > Brother watching me ? =)
> 
> Yes, I am.  Feel free to disconnect the power to your
> computer, disconnect all other cables, and throw the
> system in the trash.  After watching you for a while,
> I've had enough fun...that thing you did the other
> night was funnier than "America's Funniest Home
> Videos" and "COPs" put together.
> 
> > Thank you very much indeed for your help.. and sorry
> > for my really bad english.
> 
> It isn't your English that's the problem, dude...it's
> all the Jolt cola you've been drinking, and that other
> thing you did that time in that place...
> 
> =====
> ------------------------------------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
> ------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
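An added example, not part of the thread: a small Python inventory checker built around the "Filename / Size / CRC-32" tables quoted above. It matches files on size and CRC-32 rather than on name, because the poster notes the same executable turned up under several names; the directory, file names and payload bytes in `demo()` are constructed stand-ins, not the real sample.

```python
import os, re, tempfile, zlib
from collections import namedtuple

Entry = namedtuple("Entry", "name size crc32")

# Rows copied from the thread's tables; alias notes are parsed away on purpose.
THREAD_INVENTORY = """
C5EDFC35        1060    92EE5B2C  [set as system files]
cemaylou.exe        272966    70370FFB (other name it has taken : nxkkxpjy.exe)
HOLE NAME.exe        240663    A2325E7C
logduperoad.exe        9970    25C7A91D
seek barb regs win.exe    47616    D41BE72E
DELETE PLAY.exe        15526    95665A33
"""
LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<size>\d+)\s+(?P<crc>[0-9A-Fa-f]{8})\b")

def parse_inventory(text):
    """Return an Entry for every line shaped like the thread's table."""
    rows = (LINE_RE.match(l.strip()) for l in text.splitlines())
    return [Entry(m["name"], int(m["size"]), m["crc"].upper()) for m in rows if m]

def file_crc32(path, chunk=1 << 16):
    """CRC-32 of a file, rendered like the listing; zlib uses the same polynomial."""
    value = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            value = zlib.crc32(block, value)
    return f"{value & 0xFFFFFFFF:08X}"

def scan_tree(root, inventory):
    """Report (path, entry) for files whose size and CRC-32 match, whatever their name."""
    wanted = {(e.size, e.crc32): e for e in inventory}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            key = (os.path.getsize(path), file_crc32(path))
            if key in wanted:
                hits.append((path, wanted[key]))
    return hits

def demo():
    """Constructed fixture: one fake payload under two names, plus a benign file."""
    payload = b"constructed stand-in for cemaylou.exe, not the real sample\n" * 64
    with tempfile.TemporaryDirectory() as root:
        for name in ("cemaylou.exe", "nxkkxpjy.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(payload)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign\n")
        inv = [Entry("cemaylou.exe", len(payload), f"{zlib.crc32(payload):08X}")]
        return sorted(os.path.basename(p) for p, _ in scan_tree(root, inv))
```

Against a real tree you would pass `parse_inventory(THREAD_INVENTORY)` to `scan_tree`; the renamed copy in `demo()` is caught even though only `cemaylou.exe` was inventoried.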

