CastleCops, Internet Crime Fighters
google redirect malware
Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351
PostPosted: Fri Mar 14, 2008 3:35 pm    Post subject: google redirect malware

http://www.google.com/pagead/iclk?sa=l&ai=sFaZWG&num=680384&adurl=http://logistixmedia.com/images/video/video_int.php?955765
_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351
PostPosted: Fri Mar 14, 2008 3:36 pm    Post subject:

from: CastleCops Link/PIRT_Report_phish760363.html


MAPKOBKA
Lieutenant
Premium Member
Joined: Jul 04, 2007
Posts: 163
PostPosted: Fri Mar 14, 2008 3:52 pm    Post subject:

Pretty well detected already:

http://www.virustotal.com/analisis/7ebeafc022ccb10e4fb4b9118a5d8be1


Attempts TCP connections to a server
Location: Germany [City: Berlin, Berlin]

Registers itself as a service to autorun at startup.

CbEvtSvc SERVICE_AUTO_START %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs

Filename: CbEvtSvc.exe
MD5: 60bf4847f62b8ff7f028158780d8fa32
SHA-1: cb0147f34d305707009f04deab9ae341ec8a5238
File Size: 62976 Bytes
Command Line: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs


Attempting to manually initiate a connection to the remote server, as expected, gives us some IRC-related messages.

Code:
:psychotic-irc.net NOTICE AUTH :*** Looking up your hostname...
:psychotic-irc.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:psychotic-irc.net 451 GET :You have not registered
:psychotic-irc.net 451 Host: :You have not registered
:psychotic-irc.net 451 User-Agent: :You have not registered
:psychotic-irc.net 451 Accept-Encoding: :You have not registered
ERROR :Closing Link: [89.241.xxx.xx] (Ping timeout)


_________________
Kaspersky Lab Forum Moderator
KL Cert PSP
Virusinfo.info External Specialist
Alliance of Security Analysis Professionals Member
http://malwarecrawler.com - honeypot@malwarecrawler.com
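A defender-side way to turn replies like the ones captured above into an automatic fingerprint, added here as an example that is not part of the original post: it parses each line as an RFC 1459 message, records the server name announced in the prefix, and collects the probe tokens the server rejected with numeric 451 (ERR_NOTREGISTERED), which is how an IRC server treats HTTP header names sent to it. The IRC lines are the ones quoted in the post; the HTTP banner is a constructed sample showing the non-IRC outcome.

```python
import re

# The IRC replies quoted in the post above, used as sample input; the
# HTTP banner is a constructed sample showing the non-IRC outcome.
IRC_CAPTURE = """\
:psychotic-irc.net NOTICE AUTH :*** Looking up your hostname...
:psychotic-irc.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:psychotic-irc.net 451 GET :You have not registered
:psychotic-irc.net 451 Host: :You have not registered
:psychotic-irc.net 451 User-Agent: :You have not registered
:psychotic-irc.net 451 Accept-Encoding: :You have not registered
ERROR :Closing Link: [89.241.xxx.xx] (Ping timeout)
"""
HTTP_CAPTURE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html></html>"

# RFC 1459 shape: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
IRC_MESSAGE = re.compile(
    r'^(?::(\S+) )?([A-Za-z]+|\d{3})((?: [^: ][^ ]*)*)(?: :(.*))?$')

def parse_irc_line(line):
    """Return (prefix, command, params) or None if not an IRC message."""
    m = IRC_MESSAGE.match(line)
    if not m:
        return None
    prefix, command, middle, trailing = m.groups()
    params = middle.split()
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params

def classify_service(capture):
    """Fingerprint an unknown endpoint from its replies to a probe: guessed
    protocol, the server name from the prefix, and the probe tokens the
    server answered with 451 ERR_NOTREGISTERED (HTTP header names echoed
    back as unknown IRC commands)."""
    server, rejected, irc_lines = None, [], 0
    for raw in capture.splitlines():
        msg = parse_irc_line(raw.strip())
        if msg is None:
            continue
        prefix, command, params = msg
        irc_lines += 1
        if prefix and server is None:
            server = prefix
        if command == "451" and params:
            rejected.append(params[0])
    protocol = "irc" if irc_lines >= 2 and (server or rejected) else "unknown"
    return {"protocol": protocol, "server": server, "rejected": rejected}
```

Call classify_service on a captured banner; a result of protocol "irc" with rejected HTTP header names is the same tell the post describes.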
tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5869
PostPosted: Fri Mar 14, 2008 5:06 pm    Post subject:

MIRT abuse report - CastleCops Link/p1065858-MIRT_8901_Trojan_Downloader_on_logistixmedia_com_AS8560.html


_________________
Got Windows XP? Help protect your PC from malware with Microsofts anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx