Re: New Trojan? Jun 29 2004 09:16PM Michael Painter (tvhawaii shaka com)
I'd try things without the Netgear box...or maybe try resetting/unplugging it?
--Michael
----- Original Message -----
From: "Jeff" <Jeff (at) Not_A_Real_Address (dot) com [email concealed]>
To: <security-basics (at) securityfocus (dot) com [email concealed]>
Sent: Monday, June 28, 2004 9:14 AM
Subject: New Trojan?
> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not been removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to their
> ** old tricks with its Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here> like anything that
> anyone has seen before!
>
> Jeff
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
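The question Jeff's steps 3, 5 and 7 are circling, and which Michael's suggestion to bypass the Netgear box would test, is where along the chain a bare word like "mapblast" or "abc" is turned into an answer: the hosts file (consulted before DNS), the router/ISP resolver, every upstream resolver (a Site Finder style wildcard), or something on the host itself (proxy setting, browser add-on, LSP) that acts after DNS has said NXDOMAIN. The script below is an added example for this thread, not code from the original post or from any product named in it. It sends plain UDP A queries with the standard library so that the configured resolver is bypassed, probes the labels the post lists plus the nonsense ones ("abc", "def", "xyz" cannot be real hosts, so any consistent answer for them is a wildcard), optionally appends a DNS suffix the way Windows does for single-label names, and reports which of the four cases fits. The resolver addresses, the suffix and the embedded sample response are assumptions chosen for illustration.

```python
"""Locate where a mistyped single-label hostname is being answered.
Added example for this thread, not code from the original post.  The
resolver addresses, DNS suffix and SAMPLE_RESPONSE are constructed."""
import random
import socket
import struct
import sys

# Labels the post says were redirected.  "abc"/"def"/"xyz" cannot be real
# hostnames, so a consistent answer for them is a wildcard, not a typo.
PROBE_LABELS = ["mapblast", "mapquest", "abc", "def", "xyz"]
NONSENSE = ["abc", "def", "xyz"]


def build_query(name, txid):
    """RFC 1035 header + one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(buf, pos):
    """Advance past an (optionally compressed) domain name."""
    while True:
        ln = buf[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return pos + 2
        pos += 1 + ln


def parse_a_records(resp, txid):
    """Return (rcode, [IPv4 strings]) from a response; non-A RRs are skipped."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4            # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips


def query_a(name, server, timeout=2.0):
    """Ask one resolver directly; [] on NXDOMAIN, timeout or bad reply."""
    txid = random.randrange(0, 0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        return parse_a_records(data, txid)[1]
    except (OSError, ValueError):
        return []


def hosts_file_entries(path):
    """hostname -> IP from a hosts file, which is consulted before DNS."""
    entries = {}
    try:
        with open(path) as f:
            for line in f:
                fields = line.split("#", 1)[0].split()
                for host in fields[1:]:
                    entries[host.lower()] = fields[0]
    except OSError:
        pass
    return entries


def classify(results, hosts, local_server):
    """results: {server: {label: [ips]}}.  Hosts-file hit wins outright;
    same answer from every resolver = upstream wildcard; only the local
    (router/ISP) resolver answering = rewrite lives there; nobody answering
    while the browser still lands on the page = rewrite is on the host."""
    if any(lbl in hosts for lbl in PROBE_LABELS):
        return "hosts-file"
    wild = {srv: frozenset(ip for lbl in NONSENSE for ip in ans.get(lbl, []))
            for srv, ans in results.items()}
    if wild and all(wild.values()) and len(set(wild.values())) == 1:
        return "upstream-wildcard"
    if wild.get(local_server) and not all(wild.values()):
        return "local-resolver"
    if not any(wild.values()):
        return "on-host"
    return "inconsistent"


def probe(servers, suffix=None):
    """Query each label (and label.suffix, as Windows does) on each resolver."""
    results = {}
    for srv in servers:
        results[srv] = {}
        for lbl in PROBE_LABELS:
            ips = query_a(lbl, srv)
            if suffix:
                ips += query_a(lbl + "." + suffix, srv)
            results[srv][lbl] = ips
    return results


# Constructed reply: txid 0x1234, "abc" A -> 192.0.2.1 (documentation address).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: 1 qd, 1 an
    b"\x03abc\x00\x00\x01\x00\x01"                        # question: abc A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # ptr, A, IN, ttl 60, rdlen 4
    b"\xc0\x00\x02\x01"                                   # 192.0.2.1
)

if __name__ == "__main__":
    # usage: dnsprobe.py <router_resolver> [other_resolver ...] [--suffix dom]
    argv = sys.argv[1:]
    suffix = None
    if "--suffix" in argv:
        i = argv.index("--suffix")
        suffix = argv[i + 1]
        del argv[i:i + 2]
    if not argv:
        sys.exit("usage: dnsprobe.py <router_resolver> [resolver ...] [--suffix dom]")
    hosts_path = (r"C:\Windows\System32\drivers\etc\hosts"
                  if sys.platform == "win32" else "/etc/hosts")
    res = probe(argv, suffix)
    for srv, ans in res.items():
        print(srv, ans)
    print("verdict:", classify(res, hosts_file_entries(hosts_path), argv[0]))
```

Run it with the router's LAN address first and one or more public resolvers after it; an "on-host" verdict while the browser still reaches the page means DNS is not the layer being rewritten and the search belongs in proxy settings, browser components and the Winsock LSP chain rather than in the Netgear box. A "local-resolver" verdict is the case Michael's advice addresses, and "upstream-wildcard" is the Site Finder scenario Jeff ruled out with the second PC.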