Exetools  
#5  12-09-2003, 04:48
Polaris
Friend
Join Date: Feb 2002
Location: Invincible Cyclones Of FrostWinds
Posts: 97
Quote:
Originally posted by yaa
Polaris,

I also had seen the strings you are reporting ... in fact I tried seeing if those domains have web sites (they don't) .... on my machine as soon as those files were downloaded and I identified them I renamed them all and tried deleting them .... child.dll was locked so looking among the running processes I found 3 suspicious instances of rundll32. As soon as I killed them I was able to delete the dll.

What I don't understand is why this dll creates files on the "infected" machine's desktop ... it gives away its presence too easily.

Anyhow, all my compliments to Microsoft ... even having set medium or high levels of security on all areas (internet, local internet, trusted sites and restricted sites) in my browser and having applications that should further protect me from downloading unwanted binaries (popup blocker and spyware blaster) my great Microsoft browser downloaded what could have well been viruses.

This is not the first time I find dlls somehow downloaded on my machine by the browser and I think I have identified the exploit that is being used: if you brutally kill a browser instance, terminating its process while there is an activex download request dialog box open, the said activex GETS downloaded. This exploit is utilized on those sites where suddenly tens of browser windows get opened in a few seconds. That is why I got myself a popup blocker .... which is clearly not enough.

One other thing that surprised me is that I found no registry entries under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ or HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ keys ... these kinds of applications usually register themselves to be restarted at next machine boot.


yaa

yaa,

You are right... "Microsoft" and "security" are not words to be used together. By the way, the purpose of the malware could only be revealed by full analysis.

I will fully analyse it, and then publish a small tut... Also, it is the right chance to test my forthcoming INQUISITION v4.0

Byyezzz

Polaris
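Added example (not from the thread, not yaa's or Polaris's): a PowerShell script that does the two checks yaa describes doing by hand, from the defender's side. It lists the per-machine and per-user Run and RunOnce keys (the per-user hive is HKEY_CURRENT_USER), shows every rundll32.exe instance with the command line it was started with, and finds which processes currently have a given DLL loaded, which is what makes a delete attempt report the file as locked. The DLL name passed at the bottom is only the one named in the thread, used as a placeholder; the function names are mine.

```powershell
# Added example (not from the thread): persistence and locked-DLL checks
# in PowerShell 5.1+. Run from an elevated prompt to see all users' processes.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One object per value under each Run/RunOnce key that exists.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSChildName etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-Rundll32Instances {
    # Win32_Process exposes the command line (hence the DLL each instance
    # was started with), which Get-Process does not.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Find-ProcessesHoldingModule {
    param([Parameter(Mandatory)][string]$ModuleName)
    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws access denied on protected processes
            # and on 32/64-bit mismatches; those are simply skipped.
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
            foreach ($m in $hits) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Name      = $proc.ProcessName
                    Module    = $m.FileName
                }
            }
        } catch { }
    }
}

Get-RunKeyEntries          | Format-Table -AutoSize
Get-Rundll32Instances      | Format-Table -AutoSize
# 'child.dll' is the placeholder name from the thread, not a known indicator.
Find-ProcessesHoldingModule -ModuleName 'child.dll' | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: an empty Run key list only rules out the two keys the thread mentions (and RunOnce), not other autostart locations, and a rundll32.exe command line shows which DLL and export it was told to load, so that is the line to record before the process is terminated.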