Message-ID: <df43a47b04092918425869dc19@mail.gmail.com>
From: jthibeault at gmail.com (Jason Thibeault)
Subject: Spyware? Worm? Trojan? "face license free bait"
This would be the newest version of LOP, a nice piece of spyware that
present Spybot S&D signature files don't recognize. You probably got
it (like a few others at my workplace) by installing Messenger Plus! 3
and agreeing to the EULA that it presents. Here's a hint -- that EULA
isn't for Messenger Plus!, but rather for C2Media's "sponsor program".
As soon as I'm done with the draft of a quick dissection I completed
earlier this afternoon, I'll post it in reply to this thread.
On Wed, 29 Sep 2004 10:39:31 -0700 (PDT), Harlan Carvey
<keydet89@...oo.com> wrote:
> Wow. English aside, I have no idea where to
> start...there are so many questions that need to be
> asked for clarification on this that I don't know
> whether to sh*t or go blind!
>
> > I found something VERY VERY STRANGE on my computer
> > last evening...
>
> Yeah, so did I...the user! ;-)
>
> Okay, here's an excerpt from the email...
>
> > While writing these lines I found two other shit
> > directories :'(
> >
> > C:\PROGRA~1\Corn Internet Soft
> >
> > Filename                 Size     CRC-32
> > C5EDFC35                 1060     92EE5B2C   [set as system files]
> > cemaylou.exe             272966   70370FFB   (other names it has taken: nxkkxpjy.exe, greyend.exe, metapoll.exe)
> > HOLE NAME.exe            240663   A2325E7C
> > logduperoad.exe          9970     25C7A91D
> > seek barb regs win.exe   47616    D41BE72E   (other name it has taken: batbodypokeextra.exe)
> >
> >
> > C:\PROGRA~1\upload admin bind
> >
> > Filename                 Size     CRC-32
> > DELETE PLAY.exe          15526    95665A33
> >
> > And I'm unable to delete any of these files !! They
> > are not displayed in
> > taskmgr, and :
> >
> > --
> > PsKill v1.03 - local and remote process killer
> > Copyright (C) 2000 Mark Russinovich
> > http://www.sysinternals.com
> >
> > Unable to kill process cemaylou.exe:
> > Process does not exist.
> > --
>
> Okay, so you found cemaylou.exe in a directory...what
> made you think that it was a process? Just b/c you
> can't delete them, what makes you think that they
> *would* appear in TaskManager?
>
> > I've tried to sniff all these exe names using tools
> > from SysInternals
> > but I can't find any of these o_o !!
>
> Are you referring to FileMon and RegMon? Again...just
> b/c you can't delete the files, why do you think they
> are running?
>
> > What the hell is going on on my computer ?? Is Big
> > Brother watching me ? =)
>
> Yes, I am. Feel free to disconnect the power to your
> computer, disconnect all other cables, and throw the
> system in the trash. After watching you for a while,
> I've had enough fun...that thing you did the other
> night was funnier than "America's Funniest Home
> Videos" and "COPs" put together.
>
> > Thank you very much indeed for your help.. and sorry
> > for my really bad english.
>
> It isn't your English that's the problem, dude...it's
> all the Jolt cola you've been drinking, and that other
> thing you did that time in that place...
>
> =====
> ------------------------------------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
> ------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>