Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New gromozon domain: aagxgbdlztw.com
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Hello

    I was hoping to get some input from the Antivirus guys on the Gromozon Battle and started a thread in the antivirus section here https://www.wilderssecurity.com/showthread.php?t=150802

    It's been closed so could anyone here comment on how effectively AV's are dealing with this infection.

    Thanks.
     
  3. clsid

    clsid Registered Member

    Joined:
    Oct 18, 2006
    Posts:
    1
    I found this thread from the dslreports forum. What I would ask you experts is a question that I found interesting; if I'm wrong please correct me, I don't understand Italian so what I've read could be wrong.

    FIRST VERSION OF GROMOZON
    - Italian antivirus VirIT tries to detect it
    - Prevx1 detects it and Prevx release removal tool
    - The Avenger can delete rootkit
    - GMER can detect rootkit

    SECOND VERSION OF GROMOZON
    - VirIT updated
    - Prevx removal tool still fully working
    - Symantec FixLinkOptimizer removal tool
    - Still The Avenger
    - Still GMER

    THIRD VERSION OF GROMOZON
    - Rootkit blocks these websites (from Symantec writeup)
    and blocks these applications from running:

    CURRENT GROMOZON VERSION
    - Prevx updated removal tool and currently can remove the rootkit
    - VirIT updated signatures and can detect and remove rootkit
    - other tools are still blocked

    Now the question is that only Prevx and VirIT have been able to manage and fix Gromozon since the beginning. Doesn't it sound strange that VirIT is the only tool that was never blocked by the rootkit and that its company's website was never blocked?

    Maybe I'm wrong because I translated a lot of Italian posts using Google Translate. Could someone explain it to me better? :)

    However, congrats to everyone that wrote in this thread, you all are really superb. :thumb:
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks to anybody who took efforts to find the new domains. I can confirm they are up and running gromozon infections.

    So far:

    Please put all these in your block lists. The aforementioned can be put in your hosts file like this:
    Code:
    127.0.0.1       aagxgbdlztw.com
    127.0.0.1       cvoesdjd.com
    127.0.0.1       e-46.com
    127.0.0.1       fgvmwyfstd8.com
    127.0.0.1       ghr5rudiys.com
    127.0.0.1       gromozon.com
    127.0.0.1       idkqzshcjxr.com
    127.0.0.1       js.gbeb.cc
    127.0.0.1       js.pceb.cc
    127.0.0.1       lah3bum9.com
    127.0.0.1       mioctad.com
    127.0.0.1       mufxggfi.com
    127.0.0.1       ou2dkuz71t.com
    127.0.0.1       ozkkmkdk.com
    127.0.0.1       td8eau9td.com
    127.0.0.1       uv97vqm3.com
    127.0.0.1       wlos.net
    127.0.0.1       xearl.com
    127.0.0.1       xoboe.com
     
  5. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Is it just me or have these sites been shut down?
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Nope, they're up. I had problems reaching them earlier, but now they're alive and well. And by the way, their latest trojans are, as usual, undetected by most AV vendors (in fact, currently only NOD32 seems to detect the new ones). Just awful. :thumbd:
     
  7. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
  8. alea

    alea Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    1
    After having quietly followed this thread since I first met Gromozon at the end of July ... I can add, being from Italy and fully understanding the Italian language, that I share your question.

    This is an "Italian affair" and seems like a solution born before the problem.

    Regards, Alea.
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Although I don't have any proof or anything like that, I really doubt a security company like VirIt that was never involved in any type of illegal activities would go so far as to create (or help create) something this nasty and this complex just to "appear good". VirIt might not be the "best" AV in the world, but I never saw any reports of them being a scam.

    It is not my business to defend VirIt (I don't even know much about them), but unless you have some proof I think you should definitely refrain from accusing them of being involved in this scam in any way.
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New site: rolahujkzq.com. Please note that this site uses new (and from what I've seen, scary) techniques as well. :(

    For your hosts file:
    Code:
    127.0.0.1       aagxgbdlztw.com
    127.0.0.1       cvoesdjd.com
    127.0.0.1       e-46.com
    127.0.0.1       fgvmwyfstd8.com
    127.0.0.1       ghr5rudiys.com
    127.0.0.1       gromozon.com
    127.0.0.1       idkqzshcjxr.com
    127.0.0.1       js.gbeb.cc
    127.0.0.1       js.pceb.cc
    127.0.0.1       lah3bum9.com
    127.0.0.1       mioctad.com
    127.0.0.1       mufxggfi.com
    127.0.0.1       ou2dkuz71t.com
    127.0.0.1       ozkkmkdk.com
    127.0.0.1       rolahujkzq.com
    127.0.0.1       td8eau9td.com
    127.0.0.1       uv97vqm3.com
    127.0.0.1       wlos.net
    127.0.0.1       xearl.com
    127.0.0.1       xoboe.com
     
    Last edited: Oct 23, 2006
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Another one: guerdonde.com.

    For your hosts file:
    Code:
    127.0.0.1       aagxgbdlztw.com
    127.0.0.1       cvoesdjd.com
    127.0.0.1       e-46.com
    127.0.0.1       fgvmwyfstd8.com
    127.0.0.1       ghr5rudiys.com
    127.0.0.1       gromozon.com
    127.0.0.1       guerdonde.com
    127.0.0.1       idkqzshcjxr.com
    127.0.0.1       js.gbeb.cc
    127.0.0.1       js.pceb.cc
    127.0.0.1       lah3bum9.com
    127.0.0.1       mioctad.com
    127.0.0.1       mufxggfi.com
    127.0.0.1       ou2dkuz71t.com
    127.0.0.1       ozkkmkdk.com
    127.0.0.1       rolahujkzq.com
    127.0.0.1       td8eau9td.com
    127.0.0.1       uv97vqm3.com
    127.0.0.1       wlos.net
    127.0.0.1       xearl.com
    127.0.0.1       xoboe.com
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Sorry for the stupid question, exposing ignorance again:
    Could I just check with you about the correct way to add these to the hosts file?
    e.g. my hosts file has no spaces between IP and domain name.

    And the correct way to add to block lists: which block lists are you talking of:
    SpywareBlaster? Spybot? IE restricted zones?
    If FF is the default, afaik there are no block lists?

    If the hosts file is updated, do the block lists need to be updated?

    Thanks
     
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Hoster is a great free tool to edit the hosts file. It's designed to make changes easy. :)

    Info:
    http://www.funkytoad.com/content/view/13/31/

    Program:
    http://www.funkytoad.com/download/hoster.zip

    If these are added to your firewall block list, you shouldn't have any problem.
    195.225.176.0/22
    85.255.112.0/19
    66.230.175.0/24
     
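To put the spacing question above in code: an added example, not the thread's own and not Hoster, that parses a hosts file the way the system resolver does (any run of spaces or tabs separates the fields, `#` starts a comment) and appends sinkhole entries only for names not already present. The sample hosts content below is constructed; the domains are the ones posted in this thread.

```python
import re

# Constructed sample of an existing hosts file: mixed tabs and spaces,
# a comment, and one Gromozon domain from the thread already present.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
127.0.0.1       gromozon.com   # already blocked
"""

# Domains from the thread that should resolve nowhere.
NEW_BLOCKS = ["gromozon.com", "rolahujkzq.com", "guerdonde.com"]


def parse_hosts(text):
    """Return {hostname: ip} for every active entry.

    Spaces and tabs are interchangeable separators, so an entry written
    with a single tab and one written with eight spaces are equivalent.
    """
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:                      # one IP may map several names
            entries[name.lower()] = ip
    return entries


def merge_blocklist(text, names, sink="127.0.0.1"):
    """Append a sinkhole entry for each name not already in the file.

    Returns (new_text, names_added); running it twice adds nothing.
    """
    present = parse_hosts(text)
    out = text if text.endswith("\n") else text + "\n"
    added = []
    for name in names:
        if name.lower() in present:
            continue
        out += f"{sink}\t{name}\n"
        added.append(name)
    return out, added


def is_sinkholed(text, name, sink="127.0.0.1"):
    """True if the hosts file pins `name` to the sinkhole address."""
    return parse_hosts(text).get(name.lower()) == sink
```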
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Two more: rac5kymzk6u.com, hk1eyenfzjd7.com

    For the hosts file:
    Code:
    127.0.0.1       aagxgbdlztw.com
    127.0.0.1       cvoesdjd.com
    127.0.0.1       e-46.com
    127.0.0.1       fgvmwyfstd8.com
    127.0.0.1       ghr5rudiys.com
    127.0.0.1       gromozon.com
    127.0.0.1       guerdonde.com
    127.0.0.1       hk1eyenfzjd7.com
    127.0.0.1       idkqzshcjxr.com
    127.0.0.1       js.gbeb.cc
    127.0.0.1       js.pceb.cc
    127.0.0.1       lah3bum9.com
    127.0.0.1       mioctad.com
    127.0.0.1       mufxggfi.com
    127.0.0.1       ou2dkuz71t.com
    127.0.0.1       ozkkmkdk.com
    127.0.0.1       rac5kymzk6u.com
    127.0.0.1       rolahujkzq.com
    127.0.0.1       td8eau9td.com
    127.0.0.1       uv97vqm3.com
    127.0.0.1       wlos.net
    127.0.0.1       xearl.com
    127.0.0.1       xoboe.com
    By the way, as SirMalware said, blocking these through the firewall is a better solution overall:
    195.225.176.0/22
    85.255.112.0/19
    66.230.175.0/24
     
    Last edited: Oct 24, 2006
  15. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    hk1eyenfzjd7.com
    Code:
    <ip address/hostname>
    67.15.35.238
    hk1eyenfzjd7.com
    Host reachable, 279 ms. average
    
    <net block>
    67.15.35.0 - 67.15.35.255
    
    <owner>
    Optical Jungle
    14781 Memorial Dr. Suite # 792
    Houston
    TX
    77079
    United States
    
    <technical contact>
    Turakhia, Divyank
    +1-832-615-1680
    abuse@opticaljungle.com
    
    <additional data>
    EVRY-206
    Created: 2004-03-31
    Updated: 2004-03-31
    Source: whois.arin.net 
    
    Block 67.15.35.0/24
    I think they're lurking on this thread. :ninja:
     
  16. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    I would say they are keeping an eye on many threads, even perhaps on less public forums. Having invested so much time and effort to create this infection, and to keep it going, it makes sense.
     
  17. jimboynugget

    jimboynugget Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    1
    New site: ycvcp1ege8.com @ 195.225.177.203

    I've just been infected by this little bugger. Thanks to everyone who's put the effort in here to provide detailed information about what it is and what to do. Keep up the good work. :thumb:
     
  18. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Would you mind in the future also listing the IPs in ranges as well?
    Thanks.
     
  19. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New site: yqrugkkjqgh.com @ 195.225.177.204
    New site: cfvfrfjwarc.com @ 195.225.177.204
     
    Last edited: Nov 2, 2006
  20. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Here ya go. :thumb:
    195.225.176.0 - 195.225.179.255
    85.255.112.0 - 85.255.127.255
    66.230.175.0 - 66.230.175.255
    67.15.35.0 - 67.15.35.255
     
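An added example (not from any poster) that converts the CIDR blocks listed in this thread to the start/end form used above, flags any prefix whose address does not align to its mask (a mismatch worth catching before the block reaches a firewall), and checks that the IPs reported for the newer domains fall inside the blocked ranges. The CIDRs, domains and IPs are taken from the thread.

```python
import ipaddress

# CIDR blocks as posted in this thread.
BLOCKED_CIDRS = ["195.225.176.0/22", "85.255.112.0/19",
                 "66.230.175.0/24", "67.15.35.0/24"]

# Domain -> IP sightings reported in this thread.
SIGHTINGS = {"ycvcp1ege8.com": "195.225.177.203",
             "yqrugkkjqgh.com": "195.225.177.204",
             "rrsmcoooz.com": "195.225.177.123",
             "hk1eyenfzjd7.com": "67.15.35.238"}


def cidr_to_range(cidr):
    """Return (first, last) address strings for a CIDR block.

    strict=False normalises a prefix whose host bits are set, so the
    range returned is what a firewall would actually block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def misaligned(cidrs):
    """CIDRs whose address has host bits set for the given mask.

    Such an entry covers a different (larger, earlier-starting) range
    than its author probably intended; review these by hand.
    """
    bad = []
    for c in cidrs:
        try:
            ipaddress.ip_network(c, strict=True)
        except ValueError:
            bad.append(c)
    return bad


def covering_block(ip, cidrs):
    """Return the first CIDR containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for c in cidrs:
        if addr in ipaddress.ip_network(c, strict=False):
            return c
    return None


def uncovered(sightings, cidrs):
    """Sightings whose IP is not blocked by any listed CIDR."""
    return {h: ip for h, ip in sightings.items()
            if covering_block(ip, cidrs) is None}
```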
  21. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New site: rrsmcoooz.com @ 195.225.177.123
     
  22. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Gmer was blocked by gromozon from working on the machine I just tested. So were Icesword and Symantec's removal tool. F-Secure BlackLight didn't even find anything wrong on a heavily infected machine. The only one that seems to work is PrevX's tool. Wilders was blocked, Marco Giuliani's site was blocked, Symantec's link to the removal tool was blocked, the VirIt site was blocked, etc. What a horrible thing this malware is. :mad:
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  25. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    I can vouch for this. TNT, try RkUnhooker here.
     
    Last edited: Nov 4, 2006