Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    While that would be a good question in a proper thread... feel free to visit our anti-malware forum for numerous threads concerning that software. We'd like to keep this thread on topic concerning this ongoing malware find.

    Thanks,
    Bubba
     
  2. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @TNT, sorry for butting in, this is sadly a great thread.
    May I ask:
    Do you have a compiled list of the sites to block to add to Hosts/Spywareblaster (if not already in the MVPS hosts file)?

    @Bubba, there is some info circulating around that you are probably aware of that SAS is currently one of the best options for removing these gromozon variants. I don't have this app but they seem to be updating faster than anybody else. They seem to have a couple of very helpful harvesters.

    It (SAS) will probably be added to the blocked utilities that these nasties are blocking.
    So far it looks as though many of the first line uprooters are compromised:
    RKR
    DS
    IceSword
    gmer
    Blacklight
    PrevX removal tool can be blocked but is being updated.
    + Some of the AV

    PSc has posted elsewhere that they are keeping abreast.
    BOC will probably be blocked soon too

    No doubt this has been tried, but, newb query: what happens if the antimalware .exe is run as a different name?

    Thx to TNT for keeping us up to date.
     
    Last edited: Oct 6, 2006
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah... not for the hosts file, but for the restricted zone in IE or for Squidguard (or for anything that automatically blocks subdomains for a given domain): https://www.wilderssecurity.com/showthread.php?t=149423

    For the hosts file, you can block the (known) gromozon domains as said in my October 1st message above. Quite a few of these were not listed anywhere else. Be advised that the hosts file is useless when using a proxy.
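An added example (not from the thread) of the difference TNT points at: a hosts-file entry matches one exact hostname, while a zone or Squidguard-style domain block covers every subdomain. The hosts file and domain list below are constructed samples with placeholder names.

```python
"""Added example: exact-host (hosts file) vs domain-suffix (zone list) blocking."""
from urllib.parse import urlsplit

# Constructed sample block lists; the names are placeholders, not real gromozon sites.
HOSTS_FILE = """\
127.0.0.1 localhost
0.0.0.0   bad-domain-example.test
0.0.0.0   www.bad-domain-example.test
"""
DOMAIN_LIST = ["bad-domain-example.test"]


def parse_hosts(text: str) -> set:
    """Collect every hostname the hosts file maps to a blackhole address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower() for n in names)
    blocked.discard("localhost")
    return blocked


def hosts_blocks(url: str, blocked: set) -> bool:
    """hosts-file semantics: the exact hostname must be listed."""
    return urlsplit(url).hostname.lower() in blocked


def domain_blocks(url: str, domains: list) -> bool:
    """Zone / Squidguard semantics: the domain and every subdomain of it."""
    host = urlsplit(url).hostname.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def coverage(url: str) -> dict:
    """Which of the two mechanisms would stop a request to this URL."""
    return {"hosts": hosts_blocks(url, parse_hosts(HOSTS_FILE)),
            "domain_list": domain_blocks(url, DOMAIN_LIST)}
```

A landing page served from a fresh, unlisted subdomain slips past the hosts file but not the domain list, which is why the two lists in the thread are kept separately.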
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    TNT

    All gone a bit quiet in here, and they are still very much active. I also noticed that your website hasn't been updating with news about it for a while. If you have any more info we'd love to hear about it.

    I hope everything's ok with you?


    StevieO
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, everything is ok, and I'm still very much following the gromozon stuff. I haven't posted in a while yeah... I will update about it soon. All I can say right now is that the people behind gromozon are still very much ahead of the people who're supposed to defend against it. :(

    Apparently, not even the PrevX cleaner works anymore against it.
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Wait for one/two days ;) We have been very busy during this time but we have a new tool that will be released :)

    And, of course, virus writers are almost always a step ahead of us :) They can study our tools and can develop new attacks. We have to study the new attack immediately after they did it :)
     
  7. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Thank you for your wonderful tool, it has been a godsend. With this infection however (or any), I just wish that there was a way that we could keep the removal tools private. Sometimes I compare fighting malware with fighting a real war. Do you think the Generals would give away their strategies to the enemy? Does a football team in a huddle give away their plans to the opposing team? I know this may be an unfair comparison and sounding really silly, but I feel that the current malware removal methods out there are way too public. :(
     
  8. Phred

    Phred Registered Member

    Joined:
    Oct 11, 2006
    Posts:
    2
    Hope this is on topic, I just visited a site that ended up with Firefox prompting me to download "www.award.com" from mufxggfi.com. I suspect award.com may be another variant of google.com.

    Cheers,
    Phred
     
  9. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    We're working on it...
     
  10. Phred

    Phred Registered Member

    Joined:
    Oct 11, 2006
    Posts:
    2
    Let me know if you would like the url of the site with the "www.aware.com" download version.

    Phred
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Can you PM it to me please?

    Regards,

    Pieter
     
  12. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    This thread is an example of the work real experts do,

    Thank you TNT, EraserHW !!!!
     
  13. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes please ;) Send me a pm

    Kind regards
     
  14. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Yes please :D
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hi, I didn't know you were working on it too... :thumb: ;)
     
  16. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    After a fresh coat of paint, mine has always worked. ;)
     
  17. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    New variants found today:

    Same thing, on 2 different PCs. Infected with full gromozon. Administrator user, service pointing to encrypted file in c:\programmi\file comuni\system on the 1st pc, c:\programmi\file comuni\windows NT on the 2nd.

    No antirootkit working at all, except for the F-secure blacklight beta2, which found a hidden service32.exe, removed after reboot. Gmer, IceSword, Bitdefender, rootkitrevealer, prevx remover killed on start.

    After removal of service32.exe, user, service, encrypted exes, plus various files found on windows folder recognized as trojan.something by more-than-one antivirus, all antirootkit mentioned before continued to be killed.

    1st strange thing: take a look at the processes listed in the task manager and the processes listed in the process viewer: notice winlogon.exe appearing twice and the logon.scr, both hidden in the task manager.

    2nd strange thing: a "kill bill.mp3" file has appeared on the root (c:\). Played in Media Player it sounds like a piece of a Kill Bill song. Opened in Notepad, look at the strange lines at the bottom...

    The comments at the service are written in Italian. All this stuff seems to be coded in Italy, where I live. Most of the PCs I have to repair these days seem to be infected...
     

    Attached file: task.jpg (151.8 KB)
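The check DianaBlu describes, comparing Task Manager against an independent process viewer, is a cross-view comparison; this added example (not code from the thread) runs that comparison over two constructed process snapshots, the PIDs and entries being made up for illustration.

```python
"""Added example: cross-view process listing comparison (Task Manager vs viewer)."""

# Each entry is (pid, image name). Constructed sample data, not real captures.
TASK_MANAGER_VIEW = [
    (4, "System"), (548, "smss.exe"), (612, "csrss.exe"),
    (636, "winlogon.exe"), (680, "services.exe"), (692, "lsass.exe"),
    (1240, "explorer.exe"),
]
PROCESS_VIEWER_VIEW = TASK_MANAGER_VIEW + [
    (1804, "winlogon.exe"),   # second winlogon.exe, absent from Task Manager
    (1912, "logon.scr"),      # screensaver binary running as a process, also hidden
]

# Images of which a single-session XP machine normally has exactly one instance.
# Fast User Switching or Terminal Services sessions legitimately add winlogon.exe
# instances, so treat a duplicate as a lead to investigate, not proof by itself.
SINGLETON_IMAGES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def hidden_processes(partial, full):
    """Entries the independent viewer sees that Task Manager does not."""
    seen = {pid for pid, _ in partial}
    return sorted((pid, name) for pid, name in full if pid not in seen)


def duplicate_singletons(full):
    """Image names that should occur once but occur more than once."""
    counts = {}
    for _, name in full:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1 and n in SINGLETON_IMAGES)


def cross_view_report(partial, full):
    """Findings a technician would chase next: hidden PIDs and duplicated images."""
    return {"hidden": hidden_processes(partial, full),
            "duplicate_singletons": duplicate_singletons(full)}


if __name__ == "__main__":
    print(cross_view_report(TASK_MANAGER_VIEW, PROCESS_VIEWER_VIEW))
```

A process present in the viewer but absent from Task Manager is the classic sign that the Task Manager view has been filtered, which is exactly what the screenshot in this post shows.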
  18. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    This is the mp3 in the notepad.

    Other things: in these infections there are no ADS and/or reserved-name files. On both PCs the filesystem is NTFS.

    On both PCs, system restore was disabled. To run the blacklight I've had to give Administrators back the SeDebugPrivilege permission...
     

    Attached file: mp3.jpg (113.6 KB)
    Last edited: Oct 12, 2006
  19. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    service32.exe isn't Gromozon rootkit

    http://www.pcalsicuro.com/main/?p=41

    ---

    New gromozon domain: idkqzshcjxr.com
     
  20. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    idkqzshcjxr.com is no longer.

    Thanks,

    Chris
     
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The 'This site is closed' message is a fake. :cautious:

    Come on, they've been doing this for months now. It's very obviously still open and serving trojans. Just because it says "it's closed" on the main page it doesn't mean it is. This gang has been doing this for every single 'gromozon' site.
     
  22. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    So then what should have happened on XP Pro running IE6 SP2? Anything?

    Thanks,

    Chris
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Nothing happens on the "front" page. The malware-loading page is always another one (and IE6 SP2 is attacked BADLY).
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We released an update of our tool. We took a lot of time because we're working on new and better techniques to detect and remove future versions of gromozon and other malware, reducing response time and increasing detections and cleaning features.

    We tried to apply some kind of protection to prevent future gromozon versions from blocking our tool. Actually we had some trouble finding a way to distribute our tool, so we decided to use an "innovative" way: peer 2 peer.

    Here you find a link to the .torrent file. So it should be more difficult to block now.

    Furthermore, you can still download it the normal way, downloading it from the PREVX or PCALSICURO websites.

    Actually we strongly suggest scanning your PC with Prevx1 after the Prevx Removal Tool has scanned and removed the rootkit, because with Prevx1 we can manage more easily older and newer versions of this malware.
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FAO anyone tracking new variants & testing.

    Any info appreciated

    It's probably a quirk on my end, but when was the last time that a new emerging variant, when tested, imported the rootkit/fake service & account?

    I know from experience that it's not a sure thing, but I have now gone some time without bagging that part of the infection.

    TIA
     