CLSID's for the sKyWIper infection

Discussion in 'SpywareBlaster & Other Forum' started by CloneRanger, May 29, 2012.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Be nice if someone could provide them for the following OCX's to manually include in SB :thumb:

    advnetcfg.ocx - bb5441af1e1741fca600e9c433cb1550
    msglu32.ocx - d53b39fb50841ff163f6e9cfd8b52c2e
    mssecmgr.ocx - bdc9e04388bda8527b398a8c34667e18
    nteps32.ocx - c9e00c9d94d1a790d5923b050b0bd741
    soapr32.ocx - 296e04abb00ea5f18ba021c34e486746

    And others that appear :thumb:
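The five values in the post above are MD5 hashes of the sKyWIper component files, which makes them usable as file indicators even before a CLSID is known. As an added example (not part of the thread and not SpywareBlaster's own code), the PowerShell below sweeps a directory tree and reports any file whose MD5 matches one of those hashes, including renamed copies. It assumes PowerShell 4.0 or later for `Get-FileHash`; the function name `Find-SkyWiperComponents` and the `$SkyWiperHashes` table name are mine.

```powershell
# Added example, not from the thread: sweep a directory tree for files whose MD5
# matches the sKyWIper component hashes listed in the first post.
# Assumes PowerShell 4.0+ (Get-FileHash). Function and variable names are assumptions.

# Hash list copied from the first post of the thread (MD5 -> file name it was seen as).
$SkyWiperHashes = @{
    'bb5441af1e1741fca600e9c433cb1550' = 'advnetcfg.ocx'
    'd53b39fb50841ff163f6e9cfd8b52c2e' = 'msglu32.ocx'
    'bdc9e04388bda8527b398a8c34667e18' = 'mssecmgr.ocx'
    'c9e00c9d94d1a790d5923b050b0bd741' = 'nteps32.ocx'
    '296e04abb00ea5f18ba021c34e486746' = 'soapr32.ocx'
}

function Find-SkyWiperComponents {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [hashtable]                        $Hashes = $SkyWiperHashes
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                # Match on content, not on name, so a renamed copy is still found.
                $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
            } catch {
                return   # locked or unreadable file: skip it and carry on with the next one
            }
            if ($Hashes.ContainsKey($md5)) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    MD5         = $md5
                    KnownAs     = $Hashes[$md5]
                    NameMatches = ($_.Name -ieq $Hashes[$md5])   # $false means the file was renamed
                }
            }
        }
}

# Usage: the .ocx components would be registered from the Windows directory, so start there.
Find-SkyWiperComponents -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
```

A match is only as good as the hash list: a recompiled or patched component will hash differently, so a clean sweep does not prove absence, and a hit should be confirmed by looking at the file's registration (the CLSID it is registered under) rather than by name alone.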
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    cloneranger, adding activex-killbits for the activex controls that are used by "skywiper" is a good idea.. however, as far as the two CLSID's that you associated with "skywiper", first, the two CLSID's that you listed actually are the same CLSID, so you actually only have one CLSID listed.. second, the CLSID that you cited appears to be a legitimate CLSID that shouldn't be blocked..

    here is what google pulled up for the CLSID:

    http://www.google.com/search?num=20&hl=en&safe=off&complete=0&site=webhp&source=hp&q={6994AD04-93EF-11D0-A3CC-00A0C9223196}&btnG=Search
     
    Last edited: Jun 1, 2012
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ redwolfe_98

    Thanks :)

    Oops, my bad, so it is! Thanks :thumb:

    In the - http://blog.fireeye - link I posted, it says this,

    So as it's a ReactOS .DRV I wouldn't have expected many people, if at all, to have it. In which case my thinking was, blocking it via the CLSID trick wouldn't be a problem! If this isn't the case? I'm sorry for any inconvenience. Just thought these CLSID's tricks "might" help. Anyway, if the CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196) "is" a no go, the CLSID's for other ActiveX controls, if obtainable, would block the nasties, I'm sure.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    nope.. that CLSID, too, is legitimate and shouldn't be blocked..

    i did a google-search for "{0AFACED1-E828-11D1-9187-B532F1E9575D}" and pulled up some information about it:

    http://www.google.com/search?num=20&hl=en&safe=off&complete=0&site=webhp&source=hp&q={0AFACED1-E828-11D1-9187-B532F1E9575D}&btnK=Google+Search

    i also searched my computer's "registry" and found a couple of instances of the CLSID.. (i am running windows xp)..

    sometimes, legitimate regkeys (or, in this case, a "CLSID") are associated with malware but are used for legitimate purposes, as well.. just because a regkey (or CLSID) was used by malware, that doesn't necessarily mean that the regkey, or CLSID, is malicious..
     
    Last edited: Jun 5, 2012
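The check redwolfe_98 describes (look the CLSID up before adding a kill bit, because a CLSID that malware uses may belong to a legitimate, already-registered component) can be scripted. As an added example, not from the thread and not SpywareBlaster's code, the PowerShell function below resolves a CLSID to the name and InprocServer32 path it is registered with under HKCR\CLSID, and reports whether a kill bit is already present. The kill bit is bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which is the mechanism tools such as SpywareBlaster set. The function name `Get-ClsidInfo` is mine; the two CLSIDs fed to it are the ones discussed in this thread, and the script only reads the registry.

```powershell
# Added example, not from the thread: show what a CLSID resolves to on this machine and
# whether an ActiveX kill bit is already set for it. Read-only. Function name is an assumption.

function Get-ClsidInfo {
    param([Parameter(Mandatory)] [string] $Clsid)

    $clsid = $Clsid.Trim()
    if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
    }

    $info = [ordered]@{
        CLSID = $clsid; Registered = $false; Name = $null; Server = $null
        KillBit = $false; CompatFlags = $null
    }

    # HKCR\CLSID\{...} is where a COM/ActiveX control is registered; InprocServer32 names the
    # DLL/OCX that implements it. A hit here tells you what you would be blocking.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (Test-Path $key) {
        $info.Registered = $true
        $info.Name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $server = Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)') {
            $info.Server = [Environment]::ExpandEnvironmentVariables($server.'(default)')
        }
    }

    # The kill bit is bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key.
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    if (Test-Path $compat) {
        $flags = (Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags) {
            $info.CompatFlags = ('0x{0:X}' -f [int]$flags)
            $info.KillBit     = (([int]$flags -band 0x400) -ne 0)
        }
    }
    [pscustomobject]$info
}

# The two CLSIDs discussed in this thread. Both are reported in the thread as legitimate;
# confirm what they resolve to on your own machine before deciding anything about them.
'{6994AD04-93EF-11D0-A3CC-00A0C9223196}', '{0AFACED1-E828-11D1-9187-B532F1E9575D}' |
    ForEach-Object { Get-ClsidInfo -Clsid $_ } | Format-List
```

If `Registered` is true and `Server` points at a signed Microsoft binary in the Windows directory, the CLSID is almost certainly the legitimate component redwolfe_98 is describing, and a kill bit would break whatever depends on it; the useful thing to block is a CLSID whose server is the malicious .ocx itself.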
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ redwolfe_98

    Hi, OK, thanks for the info :thumb: No other CLSID's appearing for this? Anyway, the danger is probably over now, as most Anti's detect it one way or another. Plus it's started to delete itself :D

    I guess it won't be the last we see of it though, in some form or another!
     