elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to Snowy

Re: [Hacked] DarkMailer?

said by Snowy:

Elias, I had no doubt you would successfully sort through it all. The Symantec detection of dm.exe is interesting since it seems to be the only AV to do so.
I'll try to post a log from SAV10.
--
My Webmaster Gig | Crunching the Midnight Oil


elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to major marco
Does anyone know how the guy was able to do a file transfer? As far as I know, VNC doesn't have a built-in file transfer feature. So I'm wondering how he got that onto her My Documents folder.
--
My Webmaster Gig | Crunching the Midnight Oil



WeenieBoy

join:2003-06-25
Pasadena, MD

FTP? Or HTTP. Once he has the desktop, he is you.



elias
Premium,VIP
join:2000-07-24
Miami, FL

said by WeenieBoy:

FTP? Or HTTP. Once he has the desktop, he is you.
Duh. Of course. I should have checked the history in IE/Fx.
--
My Webmaster Gig | Crunching the Midnight Oil


SpannerITWks
Premium
join:2005-04-22

reply to elias
I'm still wondering why AVs etc. didn't detect it, unless it was a new/different version/nasty! As there are more details about several others having knowledge + detection etc. here -

dm.exe

Nov 2001 - »forums.windrivers.com/archive/in···255.html

Aug 2005 - darkmailer.exe - »fileinfo.prevx.com/filesearch.asp

March 2006 - »www3.ca.com/securityadvisor/pest···53097812

May 2006 - darkmailer - 390 Unique Executables Have Been Seen To Use The FileName: dm.exe since Jul 15 2005 The executables displayed below, have at some point, all been seen to use this name. They are shown along with their most commonly used file name and location. -»fileinfo.prevx.com/filesearch.asp

Who has that file that was uploaded to Jotti's?

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



fatdcuk

@aol.com

reply to elias
Have you checked to see if any other files have been deposited by the visitor?



elias
Premium,VIP
join:2000-07-24
Miami, FL

said by fatdcuk :

Have you checked to see if any other files have been deposited by the visitor?
I'm still searching the entire drive for all files modified on that day.

I found in the Internet Explorer history the site from which the file was downloaded. I'll post a screenshot later on.
--
My Webmaster Gig | Crunching the Midnight Oil


elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to SpannerITWks

said by SpannerITWks:

I'm still wondering why AVs etc. didn't detect it, unless it was a new/different version/nasty! As there are more details about several others having knowledge + detection etc. here -
Here are the event viewer entries for SAV:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 46
Date: 6/21/2006
Time: 1:46:45 PM
User: N/A
Computer: SYLVIA
Description:
Security Risk Found! Threat: Trojan Horse in File: C:\DOCUME~1\Sylvi\MYDOCU~1\DM119P~1\DM.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 5
Date: 6/21/2006
Time: 1:46:45 PM
User: N/A
Computer: SYLVIA
Description:
Threat Found! Threat: Trojan Horse in File: C:\Documents and Settings\Sylvi\My Documents\dm119pro-v2\DM.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 6/21/2006
Time: 1:46:49 PM
User: N/A
Computer: SYLVIA
Description:
Security Risk Found! Threat: Trojan Horse in File: C:\DOCUME~1\Sylvi\MYDOCU~1\DM119P~1\DM.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Here are the event viewer entries for VNC:

Event Type: Information
Event Source: WinVNC4
Event Category: None
Event ID: 1
Date: 6/21/2006
Time: 10:17:42 AM
User: N/A
Computer: SYLVIA
Description:
Connections: accepted: 72.57.57.234::61898

Event Type: Information
Event Source: WinVNC4
Event Category: None
Event ID: 1
Date: 6/21/2006
Time: 10:17:44 AM
User: N/A
Computer: SYLVIA
Description:
Connections: closed: 72.57.57.234::61898 (Clean disconnection)

Event Type: Information
Event Source: WinVNC4
Event Category: None
Event ID: 1
Date: 6/21/2006
Time: 1:43:37 PM
User: N/A
Computer: SYLVIA
Description:
Connections: accepted: 172.168.216.89::3098

--
My Webmaster Gig | Crunching the Midnight Oil
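As an added example (not code from this thread or from anyone in it), the script below parses Event Viewer text in the layout pasted above, rebuilds the WinVNC4 session timeline from the accepted/closed entries, and reports which Symantec detections fired while a remote VNC session was still open. The sample entries are constructed from the timestamps, IPs and path posted above, trimmed to the fields the parser reads.

```python
import re
from datetime import datetime

# Constructed sample in the Event Viewer text layout of the entries posted
# above, trimmed to the fields the parser reads (timestamps and IPs as posted).
SAMPLE_EVENTS = """\
Event Source:WinVNC4
Date:6/21/2006
Time:10:17:42 AM
Description:
Connections: accepted: 72.57.57.234::61898
Event Source:WinVNC4
Date:6/21/2006
Time:10:17:44 AM
Description:
Connections: closed: 72.57.57.234::61898 (Clean disconnection)
Event Source:WinVNC4
Date:6/21/2006
Time:1:43:37 PM
Description:
Connections: accepted: 172.168.216.89::3098
Event Source:Symantec AntiVirus
Date:6/21/2006
Time:1:46:45 PM
Description:
Threat Found!Threat: Trojan Horse in File: C:\\Documents and Settings\\Sylvi\\My Documents\\dm119pro-v2\\DM.exe by: Auto-Protect scan.
"""

def parse_events(text):
    """Yield (when, source, first description line) per Event Viewer entry."""
    for chunk in re.split(r"(?m)^Event Source:", text)[1:]:
        src, rest = chunk.split("\n", 1)
        date = re.search(r"^Date:\s*(.*)$", rest, re.M).group(1).strip()
        time = re.search(r"^Time:\s*(.*)$", rest, re.M).group(1).strip()
        desc = rest.split("Description:", 1)[1].strip().splitlines()[0]
        yield datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p"), src.strip(), desc

def threats_during_vnc(text):
    """Return (threat_time, remote_ip, file) for each AV hit while a VNC session was open."""
    open_sessions, hits = {}, []
    for when, src, desc in sorted(parse_events(text)):
        if src == "WinVNC4":
            m = re.match(r"Connections: (accepted|closed): (\S+?)::\d+", desc)
            if m and m.group(1) == "accepted":
                open_sessions[m.group(2)] = when   # session opened from this IP
            elif m:
                open_sessions.pop(m.group(2), None)  # clean disconnection
        elif "Threat:" in desc:
            path = re.search(r"in File: (.*?) by:", desc).group(1)
            for ip in open_sessions:                 # attribute hit to live sessions
                hits.append((when, ip, path))
    return hits
```

On the posted data the only detection is attributed to the 172.168.216.89 session, which was still open when DM.exe was quarantined; the morning session from 72.57.57.234 had already closed.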


elias
Premium,VIP
join:2000-07-24
Miami, FL

Here is the IP Address Information and WHOIS for the two IPs that connected. One is from Rogers Cable (Canada) and the other is from AOL (could be a compromised AOL account).


IP Information for 72.57.57.234 (Rogers Cable)
said by »www.dnsstuff.com/tools/ipall.ch?···7.57.234 :

IP address: 72.57.57.234
Reverse DNS: cpe0013461681a1-cm000a739b5e8e.cpe.net.cable.rogers.com.
Reverse DNS authenticity: [Verified]
ASN: 812
ASN Name: ROGERS-CABLE
IP range connectivity: 4
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 72.56.0.0 to 72.63.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 72.57.57.234
WHOIS for 72.57.57.234 (Rogers Cable)
said by »www.dnsstuff.com/tools/whois.ch?···ache=off :

OrgName: Rogers Cable Inc.
OrgID: ROCA
Address: One Mount Pleasant
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA

NetRange: 72.56.0.0 - 72.63.255.255
CIDR: 72.56.0.0/13
NetName: ROGERS-CAB-15
NetHandle: NET-72-56-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate: 2005-06-22
Updated: 2005-10-28

RTechHandle: IPMAN-ARIN
RTechName: IP MANAGE
RTechPhone: +1-416-935-4729
RTechEmail: ********@rogers.wave.ca

OrgAbuseHandle: RHI9-ARIN
OrgAbuseName: Rogers High-Speed Internet
OrgAbusePhone: +1-416-935-4729
OrgAbuseEmail: *****@rogers.com

OrgTechHandle: RHI9-ARIN
OrgTechName: Rogers High-Speed Internet
OrgTechPhone: +1-416-935-4729
OrgTechEmail: *****@rogers.com

# ARIN WHOIS database, last updated 2006-06-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

IP Information for 172.168.216.89 (AOL)
said by »www.dnsstuff.com/tools/ipall.ch?···8.216.89 :

IP address: 172.168.216.89
Reverse DNS: aca8d859.ipt.aol.com.
Reverse DNS authenticity: [Verified]
ASN: 8176
ASN Name: NETSCAPE-ASN
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 172.128.0.0 to 172.191.255.255
Country fraud profile: Normal
City (per outside source): Reston, Virginia
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 172.168.216.89
WHOIS for 172.168.216.89 (AOL)
said by »www.dnsstuff.com/tools/whois.ch?···ache=off :

OrgName: America Online
OrgID: AOL
Address: 22000 AOL Way
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 172.128.0.0 - 172.191.255.255
CIDR: 172.128.0.0/10
NetName: AOL-172BLK
NetHandle: NET-172-128-0-0-1
Parent: NET-172-0-0-0-0
NetType: Direct Allocation
NameServer: DAHA-01.NS.AOL.COM
NameServer: DAHA-02.NS.AOL.COM
NameServer: DAHA-07.NS.AOL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-03-24
Updated: 2003-08-08

RTechHandle: AOL-NOC-ARIN
RTechName: America Online, Inc.
RTechPhone: +1-703-265-4670
RTechEmail: *******@aol.net

OrgAbuseHandle: AOL382-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-265-4670
OrgAbuseEmail: *****@aol.net

OrgNOCHandle: AOL236-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-703-265-4670
OrgNOCEmail: ***@aol.net

OrgTechHandle: AOL-NOC-ARIN
OrgTechName: America Online, Inc.
OrgTechPhone: +1-703-265-4670
OrgTechEmail: *******@aol.net

# ARIN WHOIS database, last updated 2006-06-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

--
My Webmaster Gig | Crunching the Midnight Oil


SpannerITWks
Premium
join:2005-04-22

elias

How's the clean-up going, good I hope!

Do you have a copy of dm.exe or any other files linked with it? Could you Zip/Rar 'em + send it/them to me via a - »rapidshare.de/ - link?

Thanx

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



SpannerITWks
Premium
join:2005-04-22

reply to elias
Further to our convos + receiving your file etc., I've had some more time to look @ the - dm119pro - file = SpamBot nasty.

It's a Phish on the SunTrust Bank which sends out tons of emails to numerous Addys in there, which get passed on + on. Amongst other things included in there is a Russian send-to email Addy - aligatorx@k.ro - This is what I've discovered about the Phish email.

-

Dear SunTrust Bank Member,

Our security maintanance system indicates that your SunTrust banking account must be validated. We do that on regulary basis to keep your account up-to-date. If you received this notice and you are not the authorized account holder and you find account validation as an error, disregard the message or contact us at validation@www.suntrust.com . However,if you are the rightfull holder of the account, click on the link below,fill the form and then submit as we try to verify your identity.

https: //206.32.152.67/?internetBanking?RequestRouter?requestCmdId?DisplayLoginPage = ( DEAD LINK + not much whois )

https: //mysolutions.suntrust.com/authfiles/login.asp = ( APPEARS VALID )

SunTrust Bank is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law. Thanks for your patience as we work together to protect your account.

Regards,

SunTrust Bank Security Department.

-

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



elias
Premium,VIP
join:2000-07-24
Miami, FL

Yes, I had noticed the txt file with the HTML for the above message. I believe it was being delivered to AOL users whose addresses started with the letter L.
--
My Webmaster Gig | Crunching the Midnight Oil

