SympleBoy22 Posted January 2, 2010
So in the end, what does it do? A keylogger?
sonyx Posted January 2, 2010
The virus is called hi5update.exe: http://www.rp-legal.ro/hi5update.exe - I scanned it with VirusTotal; only 3 antivirus engines find something suspicious (Trojan). Several accounts have been infected.
P.S.: Good thing you weren't idiots enough to download it!
SympleBoy22 (Author) Posted January 2, 2010
who did this shit?
dragosh1904 Posted January 3, 2010
Well, could it have been anyone other than our Romanians? Anyway, the AV report is a bit odd: the well-known ones find nothing, except one. Never mind, the AV guys will take care of it in 2 days at most :)
Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org
Later edit: how strange, look at http://www.rp-legal.ro/ - I think it's packed with Themida, because Crafted.Win32File.OLS sounds familiar.
SympleBoy22 (Author) Posted January 3, 2010
So in the end, what does it do? A keylogger?
CyberWolf08 Posted January 3, 2010
Anubis: Analyzing Unknown Binaries
It adds itself to startup, changes the IE homepage, plus it looks like it's also a stealer.
Nytro Posted January 3, 2010 (edited)
The program is crypted with a stub written in VB6. I think the encryption is Rijndael. I also think it has encrypted EOF data. It adds itself to startup and disables Task Manager, CMD and the firewall. The stub, at least, I think was made by a German named David. More details after I install XP in VirtualBox.
Edited January 3, 2010 by Nytro
MisterAndu Posted January 3, 2010
Additional details after analysis:
Summary:
- Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions being performed automatically.
- Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
- Performs File Modification and Destruction: The executable modifies and destroys files which are not temporary.
- Spawns Processes: The executable produces processes during the execution.
- Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys.
In plain terms: if you aren't very good with PCs and you downloaded the "update" and opened it, you're pretty much screwed.
Possible solution: delete the code that appeared under the "Favorite Quotes" section and save your profile. If it doesn't work the first time, do it again until that code no longer appears under "Favorite Quotes"; optionally, after deleting the code, put in a quote of your own to replace it, and save.
I'll come back with details if I find anything else.
YM ID: mister.andu
Nytro Posted January 3, 2010
Test of hi5update.exe
It copies itself to: Windows/system32/winlog.exe
Startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sends data to: 188.27.212.206 (Romania, Bucharest, RDS) - XAMPP
The data is possibly saved at: http://188.27.212.206/log.txt
The data is sent encrypted (I think).
Simple scan (nmap):
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
I don't yet know exactly what it wants to do; I think it's a stealer, it "searched" through Temporary Internet Files and other folders like Internet Explorer's Cookies. Probably only IE, because I don't have Mozilla or anything else. I'll come back with more details after I study the logs. To get rid of it, delete it from system32 and remove it from startup.
SympleBoy22 (Author) Posted January 3, 2010
Our Romanians. And on RDS :))
SirGod Posted January 3, 2010
I looked through the .pcap from Anubis to see the traffic it makes. It has a dynamic IP. And it uses zapto.org.
C:\Documents and Settings\SirGod>ping 3728.zapto.org
Pinging 3728.zapto.org [188.27.212.206] with 32 bytes of data:
Request timed out.
It also has one on no-ip.com. This one is a US IP.
C:\Documents and Settings\SirGod>ping nf1.no-ip.com
Pinging nf1.no-ip.com [204.16.252.8] with 32 bytes of data:
Request timed out.
If anyone is willing to test it and capture the traffic it makes, maybe post the pcap file too.
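The dynamic-DNS names SirGod pulled out of the Anubis pcap are the kind of indicator that survives the operator moving the controller to a new IP. The script below is an added example, not part of the thread or of Anubis: it takes (query name, resolved address) pairs as one would export from a capture, flags any name under a dynamic-DNS provider using label-boundary matching (so "fakezapto.org" is not mistaken for zapto.org), and groups names that resolve to the same address. The provider suffix list is an assumption, and the sample rows other than the two hostnames and IPs SirGod posted are constructed (RFC 5737 documentation addresses, made-up names).

```python
"""Network-indicator triage for the hi5update.exe sandbox traffic.

Added example, not code from the forum thread or from Anubis. Flags DNS
names under dynamic-DNS providers and clusters names by resolved address.
"""
from collections import defaultdict

# Assumption: apex domains of common dynamic-DNS services. Extend as needed.
DYNAMIC_DNS_SUFFIXES = {
    "zapto.org", "no-ip.com", "no-ip.org", "no-ip.biz", "no-ip.info",
    "hopto.org", "sytes.net", "dyndns.org",
}

# Constructed sample: (query name, resolved address) as one would pull out of
# a pcap with a DNS dissector. The first two rows are the names and IPs SirGod
# posted; every other row is made up for the example.
SAMPLE_ANSWERS = [
    ("3728.zapto.org", "188.27.212.206"),
    ("nf1.no-ip.com", "204.16.252.8"),
    ("cfg.hopto.org", "188.27.212.206"),      # made up: second name on the same host
    ("www.hi5.com", "192.0.2.10"),            # made up address (RFC 5737 range)
    ("fakezapto.org", "192.0.2.20"),          # made up: must NOT match (no label boundary)
    ("zapto.org.example.com", "192.0.2.30"),  # made up: must NOT match (suffix in the middle)
]


def dynamic_dns_suffix(hostname):
    """Return the dynamic-DNS apex that `hostname` is a subdomain of, or None.

    Matching is done per label, starting one label below the full name, so
    the provider's own apex (e.g. "zapto.org" itself) is not flagged and a
    lookalike such as "fakezapto.org" cannot match via a raw string suffix.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DYNAMIC_DNS_SUFFIXES:
            return candidate
    return None


def flag_dynamic_dns(answers):
    """Return [(host, ip, matched_suffix)] for every answer under a dynamic-DNS provider."""
    flagged = []
    for host, ip in answers:
        suffix = dynamic_dns_suffix(host)
        if suffix:
            flagged.append((host, ip, suffix))
    return flagged


def cluster_by_ip(answers):
    """Group hostnames by resolved address; keep only addresses with more than one name.

    A controller behind dynamic DNS often keeps one IP while rotating names,
    so several names on one address is a useful pivot for a blocklist.
    """
    clusters = defaultdict(set)
    for host, ip in answers:
        clusters[ip].add(host.lower())
    return {ip: sorted(hosts) for ip, hosts in clusters.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, ip, suffix in flag_dynamic_dns(SAMPLE_ANSWERS):
        print(f"dynamic DNS: {host} -> {ip} (provider {suffix})")
    for ip, hosts in cluster_by_ip(SAMPLE_ANSWERS).items():
        print(f"shared address {ip}: {', '.join(hosts)}")
```

Feed it the real answers from a capture and block on the resolved address as well as the name: the thread shows the operator moving from rp-legal.ro to brazi-craciun.ro while 3728.zapto.org kept pointing at RDS space.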
sonyx Posted January 3, 2010
I sent an e-mail to the hosting company that was hosting the site and they suspended it.
Dragos (Moderator) Posted January 3, 2010
I have a friend who had this virus. It spreads through comments on the profile and on photos. To get rid of the "download hi5update.exe" thing, delete the latest comments and that's it.
SympleBoy22 (Author) Posted January 3, 2010
Nytro, did you run it in VirtualBox on Windows?
Nytro Posted January 3, 2010
Yes, XP SP3 in VirtualBox. I didn't run it in Sandboxie or anything else because nothing can be stolen from there. I'm installing Mozilla and will check whether it steals the Mozilla passwords.
SympleBoy22 (Author) Posted January 3, 2010
Possibly; if it's a keylogger it might send everything. That guy didn't use a proxy. I wonder how many fell for it.
Luci Posted January 3, 2010
I don't think too many fell for it, because some people ignore it and just hit Cancel straight away.
Now he's changed it: brazi-craciun.ro
Nytro Posted January 3, 2010 (edited)
It's 217 KB, the other one was 60. Let's see the differences... To start with: it's crypted with Polifemo Ebrio Crypter. The encryption, I think, is RC4. The crypter is also written in Visual Basic 6.
The new IP is: 79.117.73.154 (Romania, Constanta, RDS) - 3728.zapto.org
And there's another one in the USA: nf4-no-ip.com (69.65.5.122), but I can't tell what it has to do with it.
It copies itself to: Windows/system32/boot.exe
To get rid of it, delete boot.exe from C:\Windows\system32
It adds itself to startup at: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Font
Edited January 3, 2010 by Nytro
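Nytro's two posts give the persistence locations of both samples (a Winlogon entry for winlog.exe, then Run\Font for boot.exe) and his earlier post lists the Task Manager, CMD and firewall lockouts. Checking those by hand in regedit on an infected XP box is error-prone, so here is an added example, not code from the thread, that triages a .reg export offline. It parses the export, diffs Run entries against a baseline, compares the Winlogon Shell and Userinit values with the XP defaults, and reads the three policy values. The .reg excerpt is constructed: the Run\Font and boot.exe entry comes from the thread, while the exact Userinit tampering (the thread names only the Winlogon key, not the value), the VBoxTray baseline entry, and the policy values are assumptions chosen to show what a tampered export looks like.

```python
"""Registry persistence triage for the hi5update.exe indicators.

Added example, not from the forum thread or any tool it mentions. Parses a
Windows .reg export and flags the autostart, Winlogon and policy changes
the thread describes.
"""
import re

# Constructed .reg excerpt. Run\Font = boot.exe is from the thread; the
# Userinit value, the VBoxTray entry and the policy values are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Font"="C:\\WINDOWS\\system32\\boot.exe"
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\winlog.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Assumption: baseline of Run entries expected on this analysis VM.
KNOWN_GOOD_RUN = {"vboxtray.exe"}

# Windows XP defaults for the two Winlogon values malware likes to hijack.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}

# (key, value name, predicate that means "tampered", label)
POLICY_CHECKS = [
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system",
     "disabletaskmgr", lambda v: v != 0, "Task Manager disabled"),
    (r"hkey_current_user\software\policies\microsoft\windows\system",
     "disablecmd", lambda v: v != 0, "CMD disabled"),
    (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile",
     "enablefirewall", lambda v: v == 0, "Windows Firewall disabled"),
]


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}.

    Quoted strings have their \\ and \" escapes removed, dword: values become
    ints, any other type is kept as the raw text after '='.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            keys[current][name] = value
    return keys


def exe_name(command):
    """Lower-case file name of the executable in a Run command line."""
    cmd = command.strip()
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split()[0] if cmd else "")
    return cmd.rsplit("\\", 1)[-1].lower()


def triage(reg):
    """Return [(category, key\\value, detail)] for every suspicious entry."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce"):
            for name, cmd in values.items():
                if exe_name(str(cmd)) not in KNOWN_GOOD_RUN:
                    findings.append(("autostart", f"{key}\\{name}", str(cmd)))
        elif k.endswith(r"\windows nt\currentversion\winlogon"):
            for name, val in values.items():
                default = WINLOGON_DEFAULTS.get(name.lower())
                if default is not None and str(val).lower() != default:
                    findings.append(("winlogon", f"{key}\\{name}", str(val)))
        for pkey, vname, is_bad, label in POLICY_CHECKS:
            if k == pkey:
                for name, val in values.items():
                    if name.lower() == vname and isinstance(val, int) and is_bad(val):
                        findings.append(("policy", f"{key}\\{name}", label))
    return findings


if __name__ == "__main__":
    for category, location, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {location}: {detail}")
```

Run it against an export taken from the infected machine (regedit's File > Export, or `reg export`), and treat every "autostart" and "winlogon" hit as something to remove along with the file it points at; with Userinit, restore the default value rather than deleting it, or the box will not log in.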
SympleBoy22 (Author) Posted January 3, 2010
He must have added something to it...
TheBes7 Posted January 3, 2010
Now it comes from brazi-craciun. Should this one get suspended too?
BAStuson Posted January 3, 2010
I saw it yesterday too, on quite a lot of hi5 profiles.
TheBes7 Posted January 3, 2010
Now I think it's in the form of an iframe, because it shows up at the top like a pop-up (the way iframes usually showed up for me) and because the status bar says "Waiting for data from .....bravenet.com and t35.com".
HackKing Posted January 3, 2010
> Now I think it's in the form of an iframe, because it shows up at the top like a pop-up (the way iframes usually showed up for me) and because the status bar says "Waiting for data from .....bravenet.com and t35.com".
They don't even display the profiles fully anymore.
Guest Nemessis Posted January 4, 2010
http://rstcenter.com/forum/19030-hi5-worm-noobs-stealth-method.rst