whazit.com

Discussion in 'other security issues & news' started by JacK, May 31, 2003.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    New malware

    Hello Patrick,

    I think this malware is not in the SPSD DB:

    htt(p)://bins.whazit.com/trinsic/downloader.cab
    downloader.exe
    tries to connect to the IPs:
    63.246.129.130:80 and 66.111.59.70:80
    (Folder) C:\WINDOWS
    (+)(File) EFMCNFYU.dll = 14:25 30/05/03 28674 bytes
    (+)(File) msbb.exe = 14:25 30/05/03 163842 bytes

    Files to delete

    Modifications in Registry:
    (+)(Registry key) HKEY_LOCAL_MACHINE\Software\wms
    (+)(Registry value) 404 = 'http://404.whazit.com'
    (+)(Registry value) aff = '10001'
    (+)(Registry value) b1 = 'C:\WINDOWS\EFMCNFYU.dll'
    (+)(Registry value) default = 'http://home.whazit.com/'
    (+)(Registry value) dns = 'http://dns.whazit.com'
    (+)(Registry value) e1 = 'C:\WINDOWS\msbb.exe /did=316'
    (+)(Registry value) gd = '77050'
    (+)(Registry value) host = 'bins.whazit.com'
    (+)(Registry value) r1 = '[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}]'
    (+)(Registry value) start = 'http://home.whazit.com/'
    (+)(Registry value) version = '1'
    (Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    (*)(Registry value) Default_Page_URL
    'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome' ==> 'http://home.whazit.com'
    (*)(Registry value) Start Page
    'http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home' ==> 'http://home.whazit.com/'
    (+)(Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}
    (Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Products\9040020900063D11C8EF00054038389C\OSP_WebFolders
    (*)(Registry value) Usage
    784207090 ==> 784207091
    (Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    (+)(Registry value) msbb = 'C:\WINDOWS\MSBB.EXE'
    (+)(Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\msbb
    (+)(Registry value) DisplayName = 'PAD Lookups by n-CASE'
    (+)(Registry value) UninstallString = 'C:\WINDOWS\MSBB.EXE /uninst_init=y '
    (+)(Registry key) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
    (+)(Registry value) DisplayName = 'Interstitial Ad Delivery by n-CASE'
    (+)(Registry value) UninstallString = 'C:\WINDOWS\MSBB.EXE /disable_ads_init=y'
    (+)(Registry key) HKEY_USERS\.DEFAULT\Software\180solutions
    (+)(Registry key) HKEY_USERS\.DEFAULT\Software\180solutions\msbb
    (+)(Registry value) did = '316'
    (+)(Registry value) duid = ''
    (+)(Registry value) int_high = '29493205'
    (+)(Registry value) int_low = '602176320'
    (+)(Registry value) key_int_high = '29493205'
    (+)(Registry value) key_int_low = '602776320'
    (+)(Registry key) HKEY_CURRENT_USER\Software\180solutions
    (+)(Registry key) HKEY_CURRENT_USER\Software\180solutions\msbb
    (+)(Registry value) did = '316'
    (+)(Registry value) duid = ''
    (+)(Registry value) int_high = '29493205'
    (+)(Registry value) int_low = '602176320'
    (+)(Registry value) key_int_high = '29493205'
    (+)(Registry value) key_int_low = '602776320'

    Rgds,

    JacK
     
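The change log in the post above encodes a lot in its markers: (+) is an addition, (*) a modification with the old and new data separated by "==>", and an unmarked key is only the parent of the values that follow it. The following is an added example, not code from the thread or from the monitoring tool that produced the log; it parses an excerpt of that log (constructed below from the posted lines, with the wrapped "Start Page" and "Usage" entries kept split across lines as they were posted) into indicators and turns them into a removal checklist. The label mapping and the split between "restore the hijacked IE start page" and "ignore the installer usage counter that merely ticked up" are this example's own interpretation of the posted output; the function names are assumptions.

```python
"""Parse a file/registry change log of the kind posted above into indicators
and derive a removal checklist. Added example; not the monitor tool's code."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Entry labels as the (French) change monitor prints them, plus English equivalents.
KIND = {"Dossier": "folder", "Folder": "folder", "Fichier": "file", "File": "file",
        "clé de registre": "key", "Registry key": "key",
        "Valeur de registre": "value", "Registry value": "value"}
# Leading marker: (+) added, (*) modified, (-) removed, none = unchanged parent (context).
ACTION = {"+": "added", "*": "modified", "-": "removed", None: "context"}

ENTRY_RE = re.compile(r"^(?:\((?P<mark>[+*-])\))?\((?P<kind>[^)]+)\)\s*(?P<rest>.*)$")
FILE_RE = re.compile(r"^(?P<name>\S+)\s*=\s*\d\d:\d\d \d\d/\d\d/\d\d\s+(?P<size>\d+)\s+(?:octets|bytes)$")
ASSIGN_RE = re.compile(r"^(?P<name>.+?)\s*=\s*'(?P<data>[^']*)'$")            # added: name = 'data'
CHANGE_RE = re.compile(r"(?P<old>'[^']*'|\S+)\s*==>\s*(?P<new>'[^']*'|\S+)")  # modified: old ==> new
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Indicator:
    kind: str                    # folder | file | key | value
    action: str                  # added | modified | removed | context
    path: str                    # folder, full file path, or registry key
    name: Optional[str] = None   # registry value name
    new: Optional[str] = None    # data after the change (file size in bytes for files)
    old: Optional[str] = None    # data before the change (modified values only)

def _flush(pending, out):
    """Finish a value entry whose data may have wrapped onto following lines."""
    ind, text = pending
    if ind.action == "modified":
        m = CHANGE_RE.search(text)
        if m:
            ind.name = text[:m.start()].strip()
            ind.old, ind.new = m.group("old").strip("'"), m.group("new").strip("'")
        else:
            ind.name = text
    else:
        m = ASSIGN_RE.match(text)
        ind.name, ind.new = (m.group("name"), m.group("data")) if m else (text, None)
    out.append(ind)

def parse_log(text: str) -> list[Indicator]:
    out: list[Indicator] = []
    folder = key = None
    pending = None   # [Indicator, accumulated text] for a value entry still being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if pending is not None:          # continuation of the previous value's data
                pending[1] = f"{pending[1]} {line}"
            continue
        if pending is not None:
            _flush(pending, out)
            pending = None
        kind = KIND.get(m.group("kind"))
        if kind is None:
            continue                         # a label this parser does not know
        action, rest = ACTION[m.group("mark")], m.group("rest").strip()
        if kind == "folder":
            folder = rest
            out.append(Indicator(kind, action, rest))
        elif kind == "file":
            fm = FILE_RE.match(rest)
            name = fm.group("name") if fm else rest
            out.append(Indicator(kind, action, f"{folder}\\{name}" if folder else name,
                                 new=fm.group("size") if fm else None))
        elif kind == "key":
            key = rest                       # the values that follow belong to this key
            out.append(Indicator(kind, action, rest))
        else:
            pending = [Indicator(kind, action, key or ""), rest]
    if pending is not None:
        _flush(pending, out)
    return out

def removal_plan(indicators: list[Indicator]) -> dict:
    """Checklist a responder acts on: additions and the hijacked IE settings only."""
    plan = {"delete_files": [], "delete_keys": [], "run_entries": [],
            "bho_clsids": [], "restore_values": {}}
    for i in indicators:
        p = i.path.lower()
        if i.kind == "file" and i.action == "added":
            plan["delete_files"].append(i.path)
        elif i.kind == "key" and i.action == "added":
            plan["delete_keys"].append(i.path)
            if "browser helper objects" in p:
                plan["bho_clsids"] += CLSID_RE.findall(i.path)
        elif i.kind == "value" and i.action == "added" and p.endswith("\\currentversion\\run"):
            plan["run_entries"].append((i.name, i.new))
        elif (i.kind == "value" and i.action == "modified" and i.old is not None
              and p.endswith("\\internet explorer\\main")):
            plan["restore_values"][i.name] = i.old   # put the original start page back
    return plan

# Constructed excerpt of the log posted above, French labels as the tool printed them.
SAMPLE_LOG = r"""
(Dossier) C:\WINDOWS
(+)(Fichier) EFMCNFYU.dll = 14:25 30/05/03 28674 octets
(+)(Fichier) msbb.exe = 14:25 30/05/03 163842 octets
(+)(clé de registre) HKEY_LOCAL_MACHINE\Software\wms
(+)(Valeur de registre) host = 'bins.whazit.com'
(clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
(*)(Valeur de registre) Start Page
'http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home'
==> 'http://home.whazit.com/'
(+)(clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}
(clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Products\9040020900063D11C8EF00054038389C\OSP_WebFolders
(*)(Valeur de registre) Usage
784207090 ==> 784207091
(clé de registre) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
(+)(Valeur de registre) msbb = 'C:\WINDOWS\MSBB.EXE'
"""

if __name__ == "__main__":
    for item, found in removal_plan(parse_log(SAMPLE_LOG)).items():
        print(item, found)
```

The installer "Usage" counter is parsed as a modification (old and new data are kept on the Indicator) but deliberately left out of the plan: it changed because something was installed, not because it is part of the infection, and "restoring" it would do nothing useful. The Run entry, the BHO CLSID and the two dropped files are what the removal article linked below actually has to deal with.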
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi JacK,

    http://www.spywareinfoforum.com/forums/index.php?s=75b3168f1a9b1a4eb9b20d40693b4f6e&act=ST&f=24&t=6022&st=0&#entry46576

    Regards,

    Pieter
     
  3. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Here's the link on how to remove it completely:

    http://www.spywareinfoforum.com/articles/whazit/

    Many regards, Jade.

    Sorry Pieter, didn't see the link on the url you posted :oops:.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    No problem, Bowserman.
    Your link is better. :)

    Regards,

    Pieter
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Thanks for the links.

    Rgds
     