Yahoo trojans(Magic_PS_1.5)

Discussion in 'malware problems & news' started by DemetriusCrisco, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. DemetriusCrisco

    DemetriusCrisco Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    4
OK.....we all know that trojans and keyloggers are a pain in the a$$...well the trojan that I am going to talk about is called Magic_PS_1.5. Well.....1st we are going to look and see if you're infected with it...(If you don't use Yahoo Messenger then you probably aren't infected with it.)

    Ok the 1st thing you need to do is press ctrl+alt+del (control+alt+delete). If it says "Task Manager has been disabled by the administrator" and you are the administrator, you are probably infected.
    2nd. If you go to start---->run---->regedit and press enter and it says "Regedit has been disabled by the administrator" and you are the administrator, then you are probably infected.
    3rd and finally...log on to Yahoo Messenger and see if a small window opens and closes too fast for you to read what it says...then you are surely infected..

    ~removal~

    Ok....most anti-viruses won't catch this trojan...if you open it up it may look like a regular program because it has an option where you can bind it to another program. (When you open it, it will open a pic, program, anything the person who sent it to you wants it to appear to look like he sent you.) The reason why it is like this is because the person who sent it to you doesn't even want you to know that you have opened a trojan......
    This trojan, when opened, actually copies itself in 3 different places on your computer, and it isn't in Yahoo, it's in your startup folder...

    The best way to get rid of it is to follow these steps:

    ***ok since it starts up on start-up.....all we have to do to get rid of it is...***

    1. Click Start.
    2. Click Run.
    3. Type Msconfig.
    4. Click on the Start-up tab.
    5. Find the startup item.
    6. Uncheck the box beside it.
    7. Change your Yahoo password.
    8. You're all done!

    Please post your questions or comments by clicking the "reply" button........If this has helped you at all please let me know!

    *** Written by:***
    Demetrius Crisco
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Demetrius,

    Thanks for the efforts for anyone who encounters this trojan. If you have a sample, please check it with TDS-3 or submit it to submit@diamondcs.com.au? I remember this one's name and have quite a few versions.
     
  3. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    All you have done this way is prevent the trojan from starting on Windows startup. You still have to remove some files.
     
  4. DemetriusCrisco

    DemetriusCrisco Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    4
    True.....But...If you can just make it not start up then you won't even have to worry about removing it...But yea, I should post how to get it off.....but I would then have to infect myself with it again and see how to do it again.....The next post I make will be how to get it off!
     
  5. DemetriusCrisco

    DemetriusCrisco Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    4
    Magic-PS is a key logger that only affects Yahoo Messenger users. Its purpose is to log and send the user's password to another Yahoo Chat member through a private message sent by the victim's Yahoo Messenger. It disables Yahoo Messenger's Save Password feature, so you are required to type in the password. Signs of infection include a fast Yahoo Messenger private message window that opens and closes upon login.

    Removal:
    Please note that the removal of Magic PS differs depending on the options the attacker chose: Disable Taskmgr xp-2k, Disable regedit, and Disable Msconfig. I will try to cover everything.

    Step 1- Look for suspicious processes
    Magic PS has a default filename list that users can choose from within the program that generates the key logger.

    regsvr.exe spool_32.exe spool_32.exe svchost .exe
    winzip_32.exe MsTask .exe winzip_try.exe spoolsvr.exe
    ExpIorer.exe taskmgr_32.exe system_32.exe intranet.exe
    norton.exe regclean.exe starter .exe iexpIore.exe
    regscan_32.exe osa .exe

    Note that these are just the default names. The user can choose any filename he wants. In this case, you will have to rely on other means of detecting it. If your Task Manager is enabled, look for a process that is running under your Windows user account that is using about 3,416k in memory. This alone doesn't mean it is Magic PS, however.

    To make sure the suspected process is in fact Magic PS, you should run a memory editor on the process. I suggest WinHack 2 (Admin note - We had to remove this link as it pointed to a site that can not be linked from Wilders, per our TOS. People wanting to follow the advice in this post will have to find a process dump / viewer tool on their own to do so. Please use caution looking for such tools. Malware may very well be contained in kits promising to be that type of tool. LWM) Extract the contents of winhack2.zip and open WinHack2.exe. Under the Edit a Game's Memory tab, you will see a Process drop down box with currently running processes. Choose the process that took about 3,416k in memory and click on the Edit Memory tab. You will see a search box, enter: magic-ps. If found, this is the right process. Close it with Task Manager, if enabled. If the Task Manager is disabled, you will have to use a third-party process viewer/terminator. You can download one at http://www.nesoft.org/terminator/term.exe. N... that you need to close the process before you can delete Magic PS.

    Step 2- Removing Magic PS
    After the Magic PS process is closed, click on the Start Menu, go to Search, and click on For Files and Folders. Click on the All files and folders button. Enter "Magic_w" without the quotes in the A word or phrase in the file text box and click search. Delete all entries.

    Step 3- Fixing Task Manager, regedit, and msconfig
    http://is-it-true.org/nt/xp/registry/rtips23.shtml

    Thanks Sapient for all the help!


    ***Demetrius Crisco***
     
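    The symptoms in post 1 and the filename list and Step 3 in post 5 can be checked from a single read-only script. This is an added example, not code from the thread or from any tool it names; it assumes Windows PowerShell 5.1 or later running as the affected user, and it looks only at the standard Run keys, the user's Startup folder and the running process list.

```powershell
# Added example, not code from the thread. Read-only triage for the Magic-PS symptoms in
# posts 1 and 5: checks the policy values behind "disabled by the administrator", lists
# autostart entries and processes, and flags names from post 5's default list. Changes nothing.

# Default filenames quoted in post 5. The spaces and the capital "I" standing in for "l"
# are part of the disguise and are kept on purpose; the comparisons below are case-sensitive.
$KnownNames = @(
    'regsvr.exe', 'spool_32.exe', 'svchost .exe', 'winzip_32.exe', 'MsTask .exe',
    'winzip_try.exe', 'spoolsvr.exe', 'ExpIorer.exe', 'taskmgr_32.exe', 'system_32.exe',
    'intranet.exe', 'norton.exe', 'regclean.exe', 'starter .exe', 'iexpIore.exe',
    'regscan_32.exe', 'osa .exe'
)

function Test-SuspiciousName([string]$Text) {
    foreach ($n in $KnownNames) { if ($Text -clike "*$n*") { return $true } }
    # Generic forms of the same tricks: a space before ".exe", or a capital I posing as an l.
    return ($Text -match '\S \.exe') -or ($Text -cmatch 'ExpIorer|iexpIore')
}

# 1. Policy values that produce the "has been disabled by the administrator" messages (post 1).
#    Post 5's Step 3 fix amounts to deleting these values; that is left to the reader.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
    $val = (Get-ItemProperty -Path $policy -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { Write-Warning "$v = 1 under $policy (symptom described in post 1)" }
}

# 2. Autostart locations the thread points at: the Run keys and the user's Startup folder.
$entries = @()
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {
            $entries += [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}
foreach ($f in Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -File -ErrorAction SilentlyContinue) {
    $entries += [pscustomobject]@{ Source = 'Startup folder'; Name = $f.Name; Command = $f.FullName }
}

# 3. Running processes whose image name matches the default list (post 5, Step 1).
foreach ($proc in Get-Process) {
    if (Test-SuspiciousName ($proc.ProcessName + '.exe')) {
        $entries += [pscustomobject]@{ Source = 'Process'; Name = $proc.Id; Command = [string]$proc.Path }
    }
}

$entries | Select-Object Source, Name, Command, @{ n = 'Suspicious'; e = { Test-SuspiciousName $_.Command } } |
    Format-Table -AutoSize
```

    A flagged entry is a lead, not a verdict: as post 5 says, a renamed copy will not match the list, and a legitimate program can share a name. Disabling msconfig is not a standard policy value, so that option is not checked here.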
  6. <snipped, keep it friendly - Pieter> that's not how the Magic PW stealer works. It simply reads two registry strings like this

    Dim gpwrd As New YCrypto
    Set gpwrd = New YCrypto
    Dim username As String
    gpwrd2 = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\EOptions String")
    username = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID")
    gpwrd.Init 1, 0, username
    Text2.Text = gpwrd2
    Text1.Text = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID")

    it decrypts them using a user control and sends them back to the author of the "fake booter" most likely. This is not a harmful program, I wouldn't worry about it. It is mainly used by lamers on Yahoo who steal illegal Yahoo accounts. You know, those accounts on Yahoo you cannot make anymore, "_____godess______", "gode$$" etc.....

    but that's how it works, that's actually code from it :>
     
  7. hoang

    hoang Guest

    How can I get this Trojan? I want to have it.
    Thanks a lot
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Have a look at our TOS - unless contacts you in private, such info will not be revealed/allowed over here ;)

    regards.

    paul
     
  9. minhhoang

    minhhoang Guest

    I didn't have the password. How can I get it?
    Anyone can help me
    Thanks a lot
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No use in using different guest names here - you will not get it publicly on this board - period.

    regards.

    paul
     
  11. bedspacer

    bedspacer Guest

    I have been infected by this annoying password stealer trojan. I am a bit illiterate, so can someone try to help me on how to get rid of this in layman's terms? By following the steps in here (THANKS A LOT GUYS) I can now use ctrl alt delete, but I think I am still infected. I cannot find the magic_w in the search, so I probably still have it. Please contact me to help me out, please. The hacker has gone through my email and is blackmailing me. HELP PLS. PS..my computer is close to being really crazy as all of my documents have turned into dll. Can someone help me with that too? Or are these all connected to each other?
     
  12. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi bedspacer :)

    Welcome to Wilders.

    It is policy to register as a member first before u do the following,

    Please follow the instructions here,

    https://www.wilderssecurity.com/showthread.php?t=15913

    then post your HijackThis log in the hijack cleaning forums with a full description of your problem and one of the experts will give u recommendations on any Malware found.

    I repeat, u must register first before u can post in the hijack cleaning forum.


    snowbound
     
  13. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4
    I have exactly the same symptoms as Demetrius mentioned. Tried to locate winhack2.exe but am afraid that I might get malware instead (there are quite a few download sites for this prog).

    I can re-enable taskmgr and kill the suspected process based on the 3416k process (svchost.exe). I've done a search for the string magic_w on find files but it reports no files found.

    Any thoughts?
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS-3 should detect it, if nothing is detected with the latest databases email support and I will help you find and kill it :)
     
  15. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4