CastleCops, Internet Crime Fighters
[MIRT#1947] Trojan-Downloader on home.doramail.com AS2828

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5741

MIRT Premium

PostPosted: Mon Feb 25, 2008 6:38 pm    Post subject: [MIRT#1947] Trojan-Downloader on home.doramail.com AS2828

Malware Alert

Full Report: CastleCops Link/Trojan_Downloader_malware1947.html

Changed status to confirmed malware.

IP Converted: 208.36.123.99

dword = 3492051811
hex1 = 0xd0247b63
hex2 = 0xd0.0x24.0x7b.0x63
oct = 0320.044.0173.0143
PRIVE.EXE at this location is malware known as TrojanDownloader:Win32/Small.gen!Z (Microsoft).

View CIDR AS2828 Report: http://www.cidr-report.org/cgi-bin/as-report?as=2828

"2828 | US | arin | 2001-12-19 | XO-AS15 - XO Communications"
Extended information for AS2828:
State/Province: va
Country: us
Responsible Domain: xo.com
Abuse Email: abuse@algx.net

Quote:
http://home.doramail.com/prive2007/PRIVE.EXE

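The four spellings of the converted IP in the report above (dword, hex, dotted hex, octal) are all accepted as URL hosts, so a filter that compares hostnames literally misses them. The following added example (not part of the report or of CastleCops' tooling) regenerates those forms from dotted decimal and, for blocklist matching, collapses any inet_aton-style numeric host back to canonical dotted decimal; the blocklist and URLs in the usage are constructed.

```python
import re
import socket
import struct
from urllib.parse import urlsplit

def ip_forms(dotted: str) -> dict:
    """The dword, hex, dotted-hex and octal spellings of a dotted-decimal IPv4."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not dotted-decimal IPv4: {dotted!r}")
    dword = struct.unpack("!I", bytes(octets))[0]
    return {
        "dword": str(dword),
        "hex1": f"0x{dword:08x}",
        "hex2": ".".join(f"0x{o:02x}" for o in octets),
        "oct": ".".join(f"0{o:o}" for o in octets),
    }

_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)

def _part(s: str) -> int:
    """One component: 0x-prefixed hex, 0-prefixed octal, otherwise decimal."""
    if not _PART.match(s):
        raise ValueError(f"bad numeric part: {s!r}")
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s, 8) if s.startswith("0") and len(s) > 1 else int(s)

def canonical_ipv4(host: str) -> str:
    """Collapse an inet_aton-style numeric host (1-4 parts, mixed bases) to dotted decimal."""
    parts = [_part(p) for p in host.split(".")]
    if len(parts) > 4:
        raise ValueError("too many parts")
    # inet_aton semantics: the last part fills all remaining bytes
    widths = [8] * (len(parts) - 1) + [8 * (5 - len(parts))]
    value = 0
    for p, w in zip(parts, widths):
        if p >> w:
            raise ValueError(f"{p} does not fit in {w} bits")
        value = (value << w) | p
    return socket.inet_ntoa(struct.pack("!I", value))

def matches_blocklist(url: str, blocked: set) -> bool:
    """True when the URL host, normalised if numeric, is on the blocklist."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        host = canonical_ipv4(host)
    except ValueError:
        pass  # a DNS name: compare as written
    return host in blocked
```

`ip_forms("208.36.123.99")` reproduces the four lines of the report exactly; `canonical_ipv4` also accepts the two- and three-part forms (e.g. `208.36.31587`) that `inet_aton` tolerates.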
maliciousbrains

Sergeant
Premium Member

Joined: Feb 23, 2008
Posts: 101

Premium

PostPosted: Mon Feb 25, 2008 6:59 pm    Post subject: Downloader.Bancos

Symantec antivirus detects the file as Downloader.Bancos. It is used when detecting many individual but varied downloaders of the Infostealer.Bancos Trojan, for which specific definitions have not been created.

The Trojan typically attempts to connect to a network location through HTTP or FTP and download a copy of the Infostealer.Bancos Trojan to the compromised computer. The Trojan then executes it.

Scan for and delete the infected files:

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
Run a full system scan.
If any files are detected, take note of the file names and click Delete.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


4. To clear the Temporary Internet Files folder, if required

Log on to the computer using the name that was shown in the path that you wrote down during the scan and delete section.

For example, if the path was:

C:\Documents and Settings\user-xyz\Local Settings\Temporary Internet Files\qrwmqczd.dll

log on to the computer as user-xyz.

Start Internet Explorer.
Click Tools > Internet Options.
In the Temporary Internet Files section, click the Delete Files button.
Check Delete all offline content, and then click OK.

.:: Malicious Brains ::.
http://maliciousbrains.blogspot.com
