Wickedfire might be serving (NON CONFIRMATION [JS/PDF exploit]) malware (pretty sure)
At 10:01am today I received an alert from Outpost security that an exe was requesting privileges, DNS access and internet access to an address. The application was identified as:
C:\Documents and Settings\Me\Local Settings\Application Data\wwmsbb\eckesftav.exe
After going through the HTTP log, here is what happened. The first malware URL requested was at:
10:01:40 AM FIREFOX.EXE elnkvdgtbui.com/ld/nov/ Text 209
The next URLs were similar to those requested in the attack at 12:40, as seen below, except that it did not go to elnkvdgtbui.com/nte/NOV.php and went to the .py immediately. I'm pretty sure of this. Also, there were no redundant requests by Java in the HTTP log: Java.exe did not request the hashed URL multiple times. It may be because I blocked the program quickly. In Outpost Security you don't have an option to select and copy multiple HTTP requests from the log, and I didn't copy the HTTP requests at 10:01am. I'll try to find out if there is a saved log. At the time I wasn't sure if wickedfire was involved, but it seems that way now.
At 12:40 after visiting wickedfire.com I received an alert from Outpost security requesting similar privileges and the executable was found at:
C:\Documents and Settings\Me\Local Settings\Application Data\eohjvq\cmjhsftav.exe
I copied the HTTP requests (it's really slow to do so in Outpost Security; a right-click in Outpost Security takes probably 3 seconds to open up):
12:39:17 PM FIREFOX.EXE wickedfire.com/ Text 325
12:39:17 PM FIREFOX.EXE WickedFire - Affiliate Marketing Forum - Internet Marketing Webmaster SEO Forum - Powered by vBulletin Text 21451
12:39:18 PM FIREFOX.EXE Advertisement Text 351
12:39:18 PM FIREFOX.EXE Advertisement Text 352
12:39:18 PM FIREFOX.EXE Advertisement Text 352
12:39:18 PM FIREFOX.EXE wickedfire.com/images/statusicon/copeacforum_old.gif Text 361
12:39:19 PM FIREFOX.EXE www.wickedfire.com/openx/www/delivery/lg.php?bannerid=71&campaignid=51&zoneid=1&loc=http%3A%2F%2Fwww.wickedfire.com%2F&cb=a046f9196d Image 526
12:39:19 PM FIREFOX.EXE google-analitics.net/ga.js?counter=43 Text 267
12:39:19 PM FIREFOX.EXE www.wickedfire.com/openx/www/delivery/lg.php?bannerid=68&campaignid=48&zoneid=6&loc=http%3A%2F%2Fwww.wickedfire.com%2F&cb=d42a3ce2d4 Image 526
12:39:19 PM FIREFOX.EXE elnkvdgtbui.com/ld/nov/ Text 210
12:39:19 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php Text 8982
12:39:19 PM FIREFOX.EXE elnkvdgtbui.com/ld/nov/ Text 209
12:39:20 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.py Text 151
12:39:21 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php/jHe21764e6V03008f35002R58de5cb3102Ta99a29bcQ000002fc901801F0020000aJ00000000L656e2d55530000000000K3c563e1e Active Content 1066
12:39:21 PM FIREFOX.EXE elnkvdgtbui.com/nte/avorp1nov.html Text 9118
12:39:21 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php/oHe21764e6V03008f35002R58de5cb3102Ta99a29bdQ000002fc901801F0020000aJ00000000l0409K3c563e1e317 application/pdf 38524
12:39:22 PM FIREFOX.EXE elnkvdgtbui.com/nte/avorp1nov.html/jU230d9c2eHe21764e6V03008f35002Rf55997a3102Ta99a29bdQ000002fc901801F0020000aJ00000000L656e2d55530000000000Kb3768197 Active Content 1258
12:39:23 PM FIREFOX.EXE www.wickedfire.com/affiliate-marketing/85331-pulse-360-state-union-new-post.html Text 437
12:39:23 PM JAVA.EXE elnkvdgtbui.com/nte/NOV.php/oHe21764e6V03008f35002R58de5cb3102Ta99a29bdQ000002fc901801F0020000aJ00000000l0409K3c563e1e303 application/octet-stream 1255
12:39:23 PM FIREFOX.EXE www.wickedfire.com/showthread.php?p=786281 Text 578
12:39:23 PM FIREFOX.EXE elnkvdgtbui.com/nte/avorp1nov.html/oU230d9c2eHe21764e6V03008f35002Rf55997a3102Ta99a29baQ000002fc901801F0020000aJ00000000l0409Kb3768197317 application/pdf 39282
12:39:23 PM JAVA.EXE elnkvdgtbui.com/nte/avorp1nov.html/oU230d9c2eHe21764e6V03008f35002Rf55997a3102Ta99a29baQ000002fc901801F0020000aJ00000000l0409Kb3768197303 application/octet-stream 1335
12:39:23 PM FIREFOX.EXE www.wickedfire.com/affiliate-marketing/85331-pulse-360-state-union.html Text 19315
12:39:23 PM JAVA.EXE elnkvdgtbui.com/nte/NOV.php/oHe21764e6V03008f35002R58de5cb3102Ta99a29bdQ000002fc901801F0020000aJ00000000l0409K3c563e1e303 application/octet-stream 1255
12:39:24 PM JAVA.EXE elnkvdgtbui.com/nte/avorp1nov.html/oU230d9c2eHe21764e6V03008f35002Rf55997a3102Ta99a29baQ000002fc901801F0020000aJ00000000l0409Kb3768197303 application/octet-stream 1335
12:39:24 PM FIREFOX.EXE Advertisement Text 680
12:39:24 PM FIREFOX.EXE www.wickedfire.com/images/statusicon/user_offline.gif Image 1939
12:39:24 PM FIREFOX.EXE www.wickedfire.com/image.php?u=41521&dateline=1240580439 Image 529
12:39:25 PM JAVA.EXE elnkvdgtbui.com/nte/avorp1nov.html/eU230d9c2eHe21764e6V03008f35002Rf55997a3102Ta99a29b8Q000002fc901801F0020000aJ0e000601l0409Kb37681973180 application/octet-stream 43347
12:39:25 PM JAVA.EXE elnkvdgtbui.com/nte/NOV.php/eHe21764e6V03008f35002R58de5cb3102Ta99a29bbQ000002fc901801F0020000aJ0e000601l0409K3c563e1e3180 application/octet-stream 277589
12:39:25 PM FIREFOX.EXE www.wickedfire.com/openx/www/delivery/lg.php?bannerid=71&campaignid=51&zoneid=1&loc=http%3A%2F%2Fwww.wickedfire.com%2Faffiliate-marketing%2F85331-pulse-360-state-union.html&cb=8e599b8054 Image 526
I JUST RECEIVED ALERTS FROM OUTPOST that Notepad++ and BleachBit, 2 currently running applications, are trying to access another application's memory. The target application is labeled "Physical Memory". This has never happened before. I am quite certain I have been compromised by one of these 2 executables, as they gained control of a generic svchost.exe.
Here is the analysis of the files:
VirusTotal, MD5 dd4f505d73a3935c9d51bf0a0d9f20eb: Trojan.FraudPack.anec, Win32/Adware.SpyProtector, Trojan:Win32/FakeSpypro
This is a browser exploit that does need your confirmation to download the malware. I was under the impression that these PDF exploits only worked for Adobe Reader 7.0-8.0 but apparently I was wrong.
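The log above shows the classic drive-by shape: a page on the visited site pulls in a third-party host that first serves a small landing page, then "Active Content" and a PDF from a .php path with junk path-info, and finally JAVA.EXE (not the browser) downloads application/octet-stream payloads from the same host. As an added example that is not part of the original post, here is a small Python triage script that parses Outpost-style HTTP log entries (the sample below is copied from the post, one entry per line) and flags exactly those indicators: binary or active content from a host outside the visited site, a non-browser process fetching content, a server-side script followed by path-info, and a lookalike of a well-known host (google-analitics.net versus google-analytics.com). The brand list, the set of browser process names and the edit-distance threshold are assumptions chosen for this example.

```python
import re

# Outpost HTTP log entries copied from the post (time, process, URL or window title,
# content type, size). Title-only entries such as "Advertisement" carry no URL.
LOG = """\
12:39:17 PM FIREFOX.EXE wickedfire.com/ Text 325
12:39:17 PM FIREFOX.EXE WickedFire - Affiliate Marketing Forum - Internet Marketing Webmaster SEO Forum - Powered by vBulletin Text 21451
12:39:18 PM FIREFOX.EXE Advertisement Text 351
12:39:19 PM FIREFOX.EXE www.wickedfire.com/openx/www/delivery/lg.php?bannerid=71&campaignid=51&zoneid=1&loc=http%3A%2F%2Fwww.wickedfire.com%2F&cb=a046f9196d Image 526
12:39:19 PM FIREFOX.EXE google-analitics.net/ga.js?counter=43 Text 267
12:39:19 PM FIREFOX.EXE elnkvdgtbui.com/ld/nov/ Text 210
12:39:19 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php Text 8982
12:39:20 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.py Text 151
12:39:21 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php/jHe21764e6V03008f35002R58de5cb3102Ta99a29bcQ000002fc901801F0020000aJ00000000L656e2d55530000000000K3c563e1e Active Content 1066
12:39:21 PM FIREFOX.EXE elnkvdgtbui.com/nte/NOV.php/oHe21764e6V03008f35002R58de5cb3102Ta99a29bdQ000002fc901801F0020000aJ00000000l0409K3c563e1e317 application/pdf 38524
12:39:23 PM FIREFOX.EXE www.wickedfire.com/showthread.php?p=786281 Text 578
12:39:23 PM JAVA.EXE elnkvdgtbui.com/nte/NOV.php/oHe21764e6V03008f35002R58de5cb3102Ta99a29bdQ000002fc901801F0020000aJ00000000l0409K3c563e1e303 application/octet-stream 1255
12:39:25 PM JAVA.EXE elnkvdgtbui.com/nte/NOV.php/eHe21764e6V03008f35002R58de5cb3102Ta99a29bbQ000002fc901801F0020000aJ0e000601l0409K3c563e1e3180 application/octet-stream 277589
"""

# time, process, resource (URL or title), content type, size
ENTRY_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<proc>\S+)\s+(?P<res>.+?)\s+"
    r"(?P<ctype>Text|Image|Active Content|application/\S+)\s+(?P<size>\d+)$"
)
BINARY_TYPES = {"application/pdf", "application/octet-stream", "Active Content"}
BROWSER_PROCS = {"FIREFOX.EXE"}              # assumption: processes expected to talk HTTP
KNOWN_BRANDS = {"google-analytics"}          # assumption: second-level names to compare against
SCRIPT_EXTS = (".php", ".py", ".asp", ".html")


def parse_log(text):
    """Parse log lines into dicts; URL-less (title) entries get host/path None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        res = e["res"]
        if " " not in res and "/" in res:
            host, _, rest = res.partition("/")
            e["host"] = host.lower()
            e["path"] = rest.split("?", 1)[0]
        else:
            e["host"] = e["path"] = None
        entries.append(e)
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def same_site(host, site):
    return host == site or host.endswith("." + site)


def analyze(text, site=None):
    """Return the entries that match one or more drive-by indicators, with reasons."""
    entries = parse_log(text)
    if site is None:  # assume the first URL entry is the site the user meant to visit
        site = next(e["host"] for e in entries if e["host"])
        site = site[4:] if site.startswith("www.") else site
    findings = []
    for e in entries:
        if not e["host"]:
            continue
        reasons = []
        if not same_site(e["host"], site) and e["ctype"] in BINARY_TYPES:
            reasons.append(f"{e['ctype']} served by third-party host")
        if e["proc"] not in BROWSER_PROCS:
            reasons.append(f"non-browser process {e['proc']} fetching {e['ctype']}")
        segs = e["path"].split("/")
        if any(s.lower().endswith(SCRIPT_EXTS) for s in segs[:-1]):
            reasons.append("server-side script followed by path-info")
        label = e["host"].split(".")[-2] if "." in e["host"] else e["host"]
        for brand in KNOWN_BRANDS:
            if label != brand and edit_distance(label, brand) <= 2:
                reasons.append(f"lookalike of {brand}")
        if reasons:
            findings.append({"time": e["time"], "proc": e["proc"], "host": e["host"],
                             "ctype": e["ctype"], "size": e["size"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(LOG):
        print(f["time"], f["proc"], f["host"], f["ctype"], f["size"], "; ".join(f["reasons"]))
```

Run as-is it prints only the elnkvdgtbui.com and google-analitics.net entries; nothing from wickedfire.com itself is flagged, which matches the post's reading that the forum's own pages were clean and the ad/analytics slot is what pulled in the exploit host. The path-info rule is the one worth keeping in a real detector: a PDF or octet-stream whose URL has a .php or .html segment in the middle is almost always a kit handing out per-victim payloads.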