Wilders blocked by "Gromozon" trojan

Discussion in 'malware problems & news' started by Longboard, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Last edited: Oct 28, 2006
  2. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Yes, it also blocks nearly every tool that has the capability to remove it from running and is invisible to Blacklight, Sophos AR and Rootkitrevealer. Re-naming (cos it blocks default filename) SuperAntispyware is one of the best ways I've found of removing it, although I don't know how well SAS deals with the newest variants.

    Londonbeat
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Apparently it exploits the WMF vulnerability to get into systems. So those who are careful enough and have taken the initiative to patch the WMF vulnerability should be safe from this nasty piece of malware.
     
  4. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yeah SuperAntispyware is the only program that removed it for me!
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Prevx Gromozon Removal tool actually works and, if it can't be run, try to rename it (because of last rootkit version does a simplefile name check)

    Marco
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, it does NOT exploit only the WMF vulnerability AT ALL. It uses many different exploits, all targeting different vulnerabilities. Absolutely do NOT think this malware exploits only the WMF vulnerability; not only it uses various exploits, but they're also the fastest malware distributors I've seen including new exploits as soon as they're known.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    BTw I just wonder what benefit they get?
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Bunch of sick bastards. :mad:
    Maybe they are paid to write all this stuff.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, then why they are paid? Who get ultimate benefit and how?
    I can,t understand.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Well, you can label the people who wrote this malware as: Cyber Criminals.
    Cyber Crime. They can do it for almost any reason.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Most crimes are for money or some other benefit. So I just wonder what is the benefit here. After all it need work.
     
  12. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    As I recall, gromozon can install a dialler and the authors get a share of this very high cost telephone calls it makes.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That makes sense.
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    These guys obviously well organized
    I suspect they are still testing.
    Dialers
    Fake antispyware
    Redirects

    Just bottom dwellers looking for the 0.01% to "click the dots"
    When the target is in the tens of millions, and regrettably due to the sophisticated level of these insertions there may never be a true summation of their effect, the gain in $ may be significant.

    Those who think they have NEVER been exposed to malware just did not recognise it.
     
  15. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    NIS/NAV 2007 can remove it pretty easily. :) Dont know about the older versions.
     
  16. EASTER.2010

    EASTER.2010 Guest

    Looks like they've read up well on our old nemesis CoolWebSearch who used to bamblast the internet with myriads of domains/redirects to stick it to the unwary and curious who then quickly went fleeing & screaming into the various HijackThis Forums pleading for freedom.

    With the introduction of rootkits and other new invisible means to hide in users systems via internet, they seem to be growing bolder as well as crafty.

    Ramp up the shields and keep the sentry's stationed 24/7/365 and steer clear of the KNOWN areas of danger. :eek:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.