1 recommendation |
Net-Integration hacked just one moment ago!

Several members of net-integration forums ( » forums.net-integration.net ) received multiple identical e-mails with a link to a trojan. Just a moment after I reported this issue, the forum got hacked.

Source code of the received e-mail (with the link disabled):

X-Message-Status: n
X-SID-PRA: eagle1@peace.emfc.com
X-SID-Result: TempError
X-Message-Info: P6ocH0G7nHBlfQzc98R2MJBOUZKh6KE6Xa0aHYSFpzc=
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC (6.0.3790.211); Tue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44) id 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1E5168-0007dh-BW@peace.emfc.com>
Sender: <eagle1@peace.emfc.com>
Date: Tue, 16 Aug 2005 09:03:20 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - peace.emfc.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32004 32009] / [47 12]
X-AntiAbuse: Sender Address Domain - peace.emfc.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com
X-OriginalArrivalTime: 16 Aug 2005 14:05:37.0548 (UTC) FILETIME=[93D72CC0:01C5A26B]

Protect Your PC !!!
Please download antivirus protection antivirusprotection.pisem.net/avp.exe
|
|
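The headers quoted in the opening post already tell the story of how the mail was produced, and the script below pulls those facts out programmatically. It is an added example and not something posted in the thread: the header block is copied from the post (body and disabled link left out), while the function names, the result keys and the wording of the findings are choices made for this illustration. It reads the originating Received hop (Exim's "with local" marks mail handed in on the box itself rather than relayed over SMTP), compares the From: domain with the envelope sender, and reports the interpreter, script and directory recorded in the X-Source headers that some shared-hosting Exim setups add.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block as quoted in the post above (body and disabled link omitted).
RAW_HEADERS = """\
X-Message-Status: n
X-SID-PRA: eagle1@peace.emfc.com
X-SID-Result: TempError
X-Message-Info: P6ocH0G7nHBlfQzc98R2MJBOUZKh6KE6Xa0aHYSFpzc=
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC (6.0.3790.211); Tue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44) id 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1E5168-0007dh-BW@peace.emfc.com>
Sender: <eagle1@peace.emfc.com>
Date: Tue, 16 Aug 2005 09:03:20 -0400
X-AntiAbuse: Primary Hostname - peace.emfc.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32004 32009] / [47 12]
X-AntiAbuse: Sender Address Domain - peace.emfc.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com

"""


def _domain(value):
    """Lower-case domain of the first address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def triage(raw):
    """Summarise who really sent a message and how it was injected into the mail system."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each MTA prepends its own Received line, so the last one is the originating hop.
    origin_hop = received[-1] if received else ""
    by_host = re.search(r"\bby\s+(\S+)", origin_hop)
    source_args = (msg.get("X-Source-Args") or "").split()
    source_dir = msg.get("X-Source-Dir") or ""
    info = {
        "from_domain": _domain(msg.get("From")),
        "sender_domain": _domain(msg.get("Sender")),
        "return_path_domain": _domain(msg.get("Return-Path")),
        "message_id_domain": (msg.get("Message-Id") or "").strip().strip("<>").rpartition("@")[2].lower(),
        "mailer": msg.get("X-Mailer"),
        "origin_host": by_host.group(1) if by_host else None,
        # Exim writes "with local" for mail handed in through the local sendmail
        # interface, i.e. generated on the host itself rather than relayed over SMTP.
        "local_injection": " with local " in origin_hop,
        # X-Source-Args holds the interpreter and its arguments; the last token is the
        # script that sent the mail. X-Source-Dir is "account:directory".
        "script": source_args[-1] if len(source_args) > 1 else None,
        "docroot": source_dir.partition(":")[2] or None,
        "findings": [],
    }
    findings = info["findings"]
    if info["from_domain"] and info["from_domain"] != info["sender_domain"]:
        findings.append("From: domain %s does not match envelope sender domain %s"
                        % (info["from_domain"], info["sender_domain"]))
    if info["local_injection"]:
        findings.append("originating hop is a local submission on %s, not an SMTP relay"
                        % info["origin_host"])
    if info["script"]:
        findings.append("mail generated by %s under %s" % (info["script"], info["docroot"]))
    return info


if __name__ == "__main__":
    for line in triage(RAW_HEADERS)["findings"]:
        print("-", line)
```

Run against the quoted headers it reports a From: domain of net-integration.net against an envelope sender at peace.emfc.com, a local submission on peace.emfc.com with no earlier hop, and admin.php run by /usr/bin/php from /public_html/forums: the forum's own mailer on its own host, which is what a later post in the thread attributes to someone reaching the admin panel.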
FredraUndesirable Alien join:2000-04-08 Nepean, ON 1 edit |
Fredra
Member
2005-Aug-16 11:13 am
That is interesting.... I got three (3) emails...but didn't open any of them, as I thought...why would "net-integration" be sending me anything....so I deleted them all. Now this is strange indeed. Thanks for letting us know. Cheers |
|
EGeezer Premium Member join:2002-08-04 Midwest 1 edit |
to erwin_mi
Net-Integration page -11:20 AM EDT
The link to the forum ( » forums.net-integration.net/ ) yielded this at 11:20 AM EDT - offline for security purposes |
|
|
Didn't you see the address field? The forum is redirected to » peace.emfc.com . I hope this redirection was done by a real admin to avoid more damage... |
|
sybilleNot only "just visiting" Premium Member join:2004-04-06 France 4 edits |
to erwin_mi
Re: Net-Integration hacked just one moment ago!
Confirmation from me.
I received the same mail. Since I'm running Linux, I decided to download the avp.exe file in order to scan it at jotti's. (I wouldn't have done this from within Windows, of course.) Several scanners there identified the file as a trojan downloader (with heuristics, it seemed, so this may be a new variant).
So, I went to net-integration and posted. While I was pasting in the scanner results, another thread was started. I went to edit my thread in order to include a link to the new thread, and at that point got the error message from peace.emfc.com.
In any case, no one needs to rescan the file at jotti's, etc. I have submitted it to the list of AV companies in the FAQ, as well. |
|
EGeezer Premium Member join:2002-08-04 Midwest 4 edits |
to erwin_mi
Re: Net-Integration page -11:20 AM EDT
Yes, I saw it. My post is for information only and to document the result of going to the site at the time in case the result changes.
Per whois, efmc.com domain is owned by net-integration.
ht tp://efmc.com goes to a sales recruiting page for an undisclosed antispyware product. The fax number in the ad is very close to the number listed in WHOIS registration. With these things in mind, I'd surmise that it's a legitimate redirection.
Pisem.net traces to Russia, as far as Moscow - also appears to have an open mail relay. |
|
Sysadmin Premium Member join:2000-07-07 Elk Grove, CA |
to erwin_mi
Re: Net-Integration hacked just one moment ago!
I received two emails from them as well. They looked suspicious so I deleted them. |
|
John2gQui Tacet Consentit Premium Member join:2001-08-10 England |
to erwin_mi
I had three of these emails. Needless to say, I didn't follow the link. |
|
|
to erwin_mi
I received four such emails all sent within the span of 30 minutes, saying...
"Protect Your PC !!!
Please download antivirus protection" (with link)
I definitely did not open the link |
|
cacrollEventually, Prozac becomes normal Premium Member join:2002-07-25 Martinez, CA |
to erwin_mi
I got 3 of those emails. Yahoo email shot them straight into my Bulk folder. I might have been tempted to open them, excepting for reading your advisory, so Thank You. |
|
MagnusM Premium Member join:2001-07-07
3 recommendations |
to erwin_mi
I did open the file (*)
When run, this trojan copies itself to C:\Windows\csrss.exe and also drops the file C:\Windows\dll.dll. The actual trojan is a password stealer that will attempt to grab your ICQ, email account, dialup and other passwords. Any found passwords are mailed to two Russian email addresses. If an Internet connection is available, the trojan will attempt to download and execute further files from a Hungarian web site. Unfortunately these files are no longer available and so could not be analyzed.
(*) On a lab machine. Do not attempt at home. |
|
suzi5 Premium Member join:2004-05-01 |
to erwin_mi
The forum was apparently hacked before the email was sent. Someone hacked in and got to the admin panel to send the emails. The site was shut down shortly afterward for security reasons. Several people at CastleCops.com have confirmed the file in the link contains a virus. |
|
|
to erwin_mi
I got 3 of em this morning, in my MailWasherPro box, and I just deleted them. It seemed odd they would send me anything via email. But I didn't think to go to the site.
Hope they get things fixed up quickly. |
|
antiseriousThe Future ain't what it used to be Premium Member join:2001-12-12 Scranton, PA |
to erwin_mi
... I've been waiting 4 days for a reply from them on a login problem - I wonder how long this has been going on, and if it's related ...
|
|
SirSteve Premium Member join:2003-11-28 Woodbury, CT |
SirSteve
Premium Member
2005-Aug-16 2:04 pm
I just found three emails from *them* in my SBC-Yahoo junk email folder and promptly deleted them. |
|
|
to MagnusM
So does TH currently detect this trojan? |
|
bpm3k join:2004-08-15 Simi Valley, CA 3 edits |
bpm3k
Member
2005-Aug-16 2:55 pm
I tried to download the file and I couldn't. IE rocks. However, I was successful in downloading the file using Firefox. Here are the Jotti and VirusTotal results:

Jotti:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found Dropped:Trojan.Small.AL
ClamAV - Found Trojan.LdPinch-34
Dr.Web - Found Trojan.PWS.LDPinch.400
F-Prot Antivirus - Found unknown virus (probable variant)
Fortinet - Found nothing
Kaspersky Anti-Virus - Found Trojan-PSW.Win32.LdPinch.gen
NOD32 - Found a variant of Win32/PSW.LdPinch
Norman Virus Control - Found nothing
UNA - Found nothing
VBA32 - Found Trojan.LdPinch.27 (probable variant)

VirusTotal (engine, version, signature date, result):
AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 Win32:Trojano-265
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.16.2005 no virus found
BitDefender 7.0 08.16.2005 Dropped:Trojan.Small.AL
CAT-QuickHeal 7.03 08.16.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.15.2005 Trojan.LdPinch-34
DrWeb 4.32b 08.16.2005 Trojan.PWS.LDPinch.400
eTrust-Iris 7.1.194.0 08.16.2005 no virus found
eTrust-Vet 11.9.1.0 08.16.2005 no virus found
Fortinet 2.36.0.0 08.16.2005 suspicious
F-Prot 3.16c 08.16.2005 could be infected with an unknown virus
Ikarus 0.2.59.0 08.16.2005 Trojan.Win32.Small.AL
Kaspersky 4.0.2.24 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
McAfee 4559 08.16.2005 PWS-LDPinch.gen.b
NOD32v2 1.1194 08.15.2005 a variant of Win32/PSW.LdPinch
Norman 5.70.10 08.16.2005 no virus found
Panda 8.02.00 08.15.2005 Trj/Ldpinch.gen
Sophos 3.96.0 08.16.2005 Troj/LdPnch-Fam
Sybari 7.5.1314 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
Symantec 8.0 08.16.2005 no virus found
TheHacker 5.8.2.088 08.16.2005 no virus found
VBA32 3.10.4 08.16.2005 suspected of Trojan.LdPinch.27

Neither Ewido nor A-squared detect the file when I scan it with them on demand. |
|
ReGen join:2003-07-24 Scotland |
to boblandy2
said by boblandy2: so does TH currently detect this trojan
It does with the latest update just released. |
|
|
thanks for the heads up, ReGen |
|
1 edit |
to erwin_mi
peace.emfc.com is the server that Net-Integration is on. I have been updating and submitting the file to the major AV and antitrojan vendors.
Net Integration was taken down by Eagle1 after he received news of the emails, in an attempt to protect users who have as of yet not received these emails.
Eagle1 is at present working towards a solution for this. |
|
catseyenuAck Pfft Premium Member join:2001-11-17 Fix East |
to MagnusM
Is it adding an ICQ app.? Total Uninstall Log:
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT\The Bat! |
|
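MagnusM's file indicators and catseyenu's registry listing can be checked together on a suspect machine, and the script below does that over a change log in the shape quoted above. It is an added example, not tooling from the thread: the "(+)(REG KEY) path" line shape is the one Total Uninstall produced in the post, while the "(+)(FILE) path" shape, the sample log and the function names are assumptions made for this illustration. The genuine csrss.exe lives in C:\Windows\System32, which is why a copy directly under C:\Windows is flagged and the System32 one is left alone; registry matches cover the listed key and anything beneath it, so the bare Mirabilis and RIT parents are not counted.

```python
import re

# File indicators from the thread (compared case-insensitively). The legitimate
# csrss.exe is C:\Windows\System32\csrss.exe; a copy directly under C:\Windows is the tell.
FILE_IOCS = {
    r"c:\windows\csrss.exe": "trojan copy of itself posing as csrss.exe",
    r"c:\windows\dll.dll": "dropped component",
}

# Registry keys the sample creates (the ICQ and The Bat! settings it rifles for
# passwords). A hit is the key itself or any subkey of it.
REG_IOCS = {
    r"hkey_current_user\software\mirabilis\icq": "ICQ settings key",
    r"hkey_current_user\software\rit\the bat!": "The Bat! mail client key",
}

# "(+)(REG KEY) path" is the shape quoted in the thread; "(+)(FILE) path" is assumed here.
LINE_RE = re.compile(r"^\(([+-])\)\((REG KEY|FILE)\)\s+(.+?)\s*$")


def parse_log(text):
    """Yield (change, kind, path) for each recognised log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def _norm(path):
    """Case-fold a Windows path or key and drop a trailing backslash."""
    return path.strip().lower().rstrip("\\")


def scan(text):
    """Return (kind, path, reason) for every added entry that matches an indicator."""
    hits = []
    for change, kind, path in parse_log(text):
        if change != "+":  # removals are not evidence of the drop
            continue
        p = _norm(path)
        if kind == "FILE" and p in FILE_IOCS:
            hits.append((kind, path, FILE_IOCS[p]))
        elif kind == "REG KEY":
            for prefix, why in REG_IOCS.items():
                if p == prefix or p.startswith(prefix + "\\"):
                    hits.append((kind, path, why))
                    break
    return hits


# Constructed sample log for this example (not a capture from the thread). The
# System32 and Temp entries are there only to show that they are not matched.
SAMPLE_LOG = r"""
(+)(FILE) C:\Windows\csrss.exe
(+)(FILE) C:\Windows\dll.dll
(+)(FILE) C:\Windows\System32\csrss.exe
(+)(FILE) C:\Temp\avp.exe
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT\The Bat!
(-)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Stale
"""

if __name__ == "__main__":
    for kind, path, reason in scan(SAMPLE_LOG):
        print(f"{kind:8} {path}  <- {reason}")
```

On the sample log it reports the two dropped files and the four ICQ and The Bat! keys, six hits in all; the System32 csrss.exe, the downloaded avp.exe and the removed key are not reported.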
BKayrac Premium Member join:2001-09-29 |
BKayrac
Premium Member
2005-Aug-16 5:02 pm
ZoneLabs doesn't detect it..... I believe they use CA's antivirus, have sent it over to them at CA, will see what they say |
|
1 recommendation |
to erwin_mi
CA (aka e-Trust) does not detect this yet nor do Avg and Symantec. The files have been submitted to all 3 of them.
As for the ICQ question it adds the registry keys but as far as I have seen it doesn't add any software to go with them.
Perhaps someone who has the programs being added to the registry may be affected differently than I have been.
I will install the applications and see if I get any change in the behavior of the virus. |
|
MikeG Premium Member join:2004-10-02 Hamilton, ON |
MikeG
Premium Member
2005-Aug-16 6:40 pm
said by Atribune: CA (aka e-Trust) does not detect this yet nor do Avg and Symantec. The files have been submitted to all 3 of them.
What about Avast? Does it detect it? Do they know about it? |
|
the_w0p join:2002-12-01 Davenport, IA |
I just checked my email and had 2 copies of the virus and immediately deleted them!!! |
|
AlwillLost time is never found again. Premium Member join:2002-09-25 Sydney, OZ |
to erwin_mi
The three emails were also awaiting me when I went online an hour ago (8am Downunder) and after viewing them through Properties>Message Source, promptly deleted them ---- why would Net-Integration be sending me anything. |
|
1 recommendation |
to erwin_mi
I just learned that BOClean has had this covered for more than a week now |
|
47717768 (banned) join:2003-12-08 Birmingham, AL |
to erwin_mi
I have saved this trojan with KAV icon for my trojan collection |
|
Corrine Premium Member join:2004-08-27
2 recommendations |
to erwin_mi
N-I is back up: » forums.net-integration.n ··· ic=32730
said by "Eagle1": Net-Integration is not sending any spam but only appears to be doing so. The net-integration domain account was disabled for the majority of the day while the source of the spamming was sought. The ISP (»pisem.net) that is hosting malware was notified several hours ago and they have not done anything about it so far.
Logs are being reviewed to determine if source can be identified. Will keep posted.
|
|
ReGen join:2003-07-24 Scotland |
to boblandy2
said by boblandy2: i just learned that BOClean has had this covered for more than a week now
Hmmm
On my PC BoClean only recognised the file after the second update yesterday. TH also detected it yesterday, Ewido still doesn't. |
|