Hello,

New malware

Hello Patrick,

I think this malware is not SPSD DB

htt(p)://bins.whazit.com/trinsic/downloader.cab
downloader.exe
trying connecting to IP :
63.246.129.130:80 et 66.111.59.70:80
(Dossier) C:\WINDOWS
(+)(Fichier) EFMCNFYU.dll = 14:25 30/05/03 28674 octets
(+)(Fichier) msbb.exe = 14:25 30/05/03 163842 octets

Files to suppress

Modifications in Registry :
(+)(clé de registre) HKEY_LOCAL_MACHINE\Software\wms
(+)(clé de registre) HKEY_LOCAL_MACHINE\Software\wms
(+)(Valeur de registre) 404 = 'http://404.whazit.com'
(+)(Valeur de registre) aff = '10001'
(+)(Valeur de registre) b1 = 'C:\WINDOWS\EFMCNFYU.dll'
(+)(Valeur de registre) default = 'http://home.whazit.com/'
(+)(Valeur de registre) dns = 'http://dns.whazit.com'
(+)(Valeur de registre) e1 = 'C:\WINDOWS\msbb.exe /did=316'
(+)(Valeur de registre) gd = '77050'
(+)(Valeur de registre) host = 'bins.whazit.com'
(+)(Valeur de registre) r1 =
'[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brow
ser
Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}]'
(+)(Valeur de registre) start = 'http://home.whazit.com/'
(+)(Valeur de registre) version = '1'
(clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main
(*)(Valeur de registre) Default_Page_URL
'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome'==> 'http://home.whazit.com'
(*)(Valeur de registre) Start Page

'http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home'
==> 'http://home.whazit.com/'
(+)(clé de registre)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browse
r
Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}
(clé de registre)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Produ
cts\9040020900063D11C8EF00054038389C\OSP_WebFolders
(*)(Valeur de registre) Usage
784207090 ==> 784207091
(clé de registre)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
(+)(Valeur de registre) msbb = 'C:\WINDOWS\MSBB.EXE'
(+)(clé de registre)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
(+)(Valeur de registre) DisplayName = 'PAD Lookups by n-CASE'
(+)(Valeur de registre) UninstallString = 'C:\WINDOWS\MSBB.EXE
/uninst_init=y '
(+)(clé de registre)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
(+)(Valeur de registre) DisplayName = 'Interstitial Ad Delivery by
n-CASE'
(+)(Valeur de registre) UninstallString = 'C:\WINDOWS\MSBB.EXE
/disable_ads_init=y'
(+)(clé de registre) HKEY_USERS\.DEFAULT\Software\180solutions
(+)(clé de registre) HKEY_USERS\.DEFAULT\Software\180solutions\msbb
(+)(Valeur de registre) did = '316'
(+)(Valeur de registre) duid = ''
(+)(Valeur de registre) int_high = '29493205'
(+)(Valeur de registre) int_low = '602176320'
(+)(Valeur de registre) key_int_high = '29493205'
(+)(Valeur de registre) key_int_low = '602776320'
(+)(clé de registre) HKEY_CURRENT_USER\Software\180solutions
(+)(clé de registre) HKEY_CURRENT_USER\Software\180solutions\msbb
(+)(Valeur de registre) did = '316'
(+)(Valeur de registre) duid = ''
(+)(Valeur de registre) int_high = '29493205'
(+)(Valeur de registre) int_low = '602176320'
(+)(Valeur de registre) key_int_high = '29493205'
(+)(Valeur de registre) key_int_low = '602776320'

Rgds,

JacK

Hi JacK,

http://www.spywareinfoforum.com/forums/index.php?s=75b3168f1a9b1a4eb9b20d40693b4f6e&act=ST&f=24&t=6022&st=0&#entry46576

Regards,

Pieter

Here's the link on how to remove it completely:

http://www.spywareinfoforum.com/articles/whazit/

Many regards, Jade.

Sorry Pieter, didn't see the link on the url you posted :-[.

No problem, Bowserman.
Your link is better. :)

Regards,

Pieter

Hello,

Tnx for the links.

Rgds