whazit.com

Discussion in 'other security issues & news' started by JacK, May 31, 2003.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    New malware

    Hello Patrick,

    I think this malware is not SPSD DB

    htt(p)://bins.whazit.com/trinsic/downloader.cab
    downloader.exe
    trying connecting to IP :
    63.246.129.130:80 et 66.111.59.70:80
    (Dossier) C:\WINDOWS
    (+)(Fichier) EFMCNFYU.dll = 14:25 30/05/03 28674 octets
    (+)(Fichier) msbb.exe = 14:25 30/05/03 163842 octets

    Files to suppress

    Modifications in Registry :
    (+)(clé de registre) HKEY_LOCAL_MACHINE\Software\wms
    (+)(clé de registre) HKEY_LOCAL_MACHINE\Software\wms
    (+)(Valeur de registre) 404 = 'http://404.whazit.com'
    (+)(Valeur de registre) aff = '10001'
    (+)(Valeur de registre) b1 = 'C:\WINDOWS\EFMCNFYU.dll'
    (+)(Valeur de registre) default = 'http://home.whazit.com/'
    (+)(Valeur de registre) dns = 'http://dns.whazit.com'
    (+)(Valeur de registre) e1 = 'C:\WINDOWS\msbb.exe /did=316'
    (+)(Valeur de registre) gd = '77050'
    (+)(Valeur de registre) host = 'bins.whazit.com'
    (+)(Valeur de registre) r1 =
    '[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brow
    ser
    Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}]'
    (+)(Valeur de registre) start = 'http://home.whazit.com/'
    (+)(Valeur de registre) version = '1'
    (clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
    Explorer\Main
    (*)(Valeur de registre) Default_Page_URL
    'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome'==> 'http://home.whazit.com'
    (*)(Valeur de registre) Start Page

    'http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home'
    ==> 'http://home.whazit.com/'
    (+)(clé de registre)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browse
    r
    Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}
    (clé de registre)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Produ
    cts\9040020900063D11C8EF00054038389C\OSP_WebFolders
    (*)(Valeur de registre) Usage
    784207090 ==> 784207091
    (clé de registre)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    (+)(Valeur de registre) msbb = 'C:\WINDOWS\MSBB.EXE'
    (+)(clé de registre)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
    (+)(Valeur de registre) DisplayName = 'PAD Lookups by n-CASE'
    (+)(Valeur de registre) UninstallString = 'C:\WINDOWS\MSBB.EXE
    /uninst_init=y '
    (+)(clé de registre)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
    (+)(Valeur de registre) DisplayName = 'Interstitial Ad Delivery by
    n-CASE'
    (+)(Valeur de registre) UninstallString = 'C:\WINDOWS\MSBB.EXE
    /disable_ads_init=y'
    (+)(clé de registre) HKEY_USERS\.DEFAULT\Software\180solutions
    (+)(clé de registre) HKEY_USERS\.DEFAULT\Software\180solutions\msbb
    (+)(Valeur de registre) did = '316'
    (+)(Valeur de registre) duid = ''
    (+)(Valeur de registre) int_high = '29493205'
    (+)(Valeur de registre) int_low = '602176320'
    (+)(Valeur de registre) key_int_high = '29493205'
    (+)(Valeur de registre) key_int_low = '602776320'
    (+)(clé de registre) HKEY_CURRENT_USER\Software\180solutions
    (+)(clé de registre) HKEY_CURRENT_USER\Software\180solutions\msbb
    (+)(Valeur de registre) did = '316'
    (+)(Valeur de registre) duid = ''
    (+)(Valeur de registre) int_high = '29493205'
    (+)(Valeur de registre) int_low = '602176320'
    (+)(Valeur de registre) key_int_high = '29493205'
    (+)(Valeur de registre) key_int_low = '602776320'

    Rgds,

    JacK
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,433
    Location:
    Netherlands
    Hi JacK,

    http://www.spywareinfoforum.com/forums/index.php?s=75b3168f1a9b1a4eb9b20d40693b4f6e&act=ST&f=24&t=6022&st=0&#entry46576

    Regards,

    Pieter
     
  3. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Here's the link on how to remove it completely:

    http://www.spywareinfoforum.com/articles/whazit/

    Many regards, Jade.

    Sorry Pieter, didn't see the link on the url you posted :oops:.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,433
    Location:
    Netherlands
    No problem, Bowserman.
    Your link is better. :)

    Regards,

    Pieter
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    Tnx for the links.

    Rgds
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.