erwin_mi (Member, join:2004-07-27)

Net-Integration hacked just one moment ago!

Several members of net-integration forums ( »forums.net-integration.net ) received multiple identical e-mails with a link to a trojan. Just a moment after I reported this issue, the forum got hacked. Source code of the received e-mail (with the link disabled):

X-Message-Status: n
X-SID-PRA: eagle1@peace.emfc.com
X-SID-Result: TempError
X-Message-Info: P6ocH0G7nHBlfQzc98R2MJBOUZKh6KE6Xa0aHYSFpzc=
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
Tue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
id 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1E5168-0007dh-BW@peace.emfc.com>
Sender: <eagle1@peace.emfc.com>
Date: Tue, 16 Aug 2005 09:03:20 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - peace.emfc.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32004 32009] / [47 12]
X-AntiAbuse: Sender Address Domain - peace.emfc.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com
X-OriginalArrivalTime: 16 Aug 2005 14:05:37.0548 (UTC) FILETIME=[93D72CC0:01C5A26B]

Protect Your PC !!!

Please download antivirus protection
antivirusprotection.pisem.net/avp.exe

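A triage script for the header block above, added here as an example and not part of the original post. It runs Python's standard e-mail parser over a header sample constructed from the post and pulls out what a mail admin would check before trusting the From: line: the From: domain against the envelope Sender:/Return-Path:, whether Exim recorded the message as injected locally ("with local"), the relay IP in the Received chain, and the X-Source-* headers naming the PHP script and directory that sent it.

```python
import email
import re
from email.utils import parseaddr

# Constructed from the message source quoted in the post (wrapped line rejoined).
RAW_HEADERS = """\
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
  Tue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
  id 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Mailer: IPB PHP Mailer
Sender: <eagle1@peace.emfc.com>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com
"""

def _domain(value):
    """Lower-cased domain of the first address found in a header value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Collect the facts a mail admin checks before trusting the From: line."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []  # first entry is the last hop
    envelope = {_domain(msg.get(h)) for h in ("Sender", "Return-Path")} - {""}
    report = {
        "from_domain": _domain(msg.get("From")),
        # What the relaying MTAs actually saw, as opposed to the From: text.
        "envelope_domains": sorted(envelope),
        # Exim writes 'with local' when a process on the host itself injected the mail.
        "local_injection": any("with local" in r for r in received),
        "relay_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(received)),
        "source_script": msg.get("X-Source-Args"),
        "source_dir": msg.get("X-Source-Dir"),
    }
    report["from_differs_from_envelope"] = any(
        d != report["from_domain"] for d in report["envelope_domains"])
    report["web_app_sender"] = bool(
        report["source_script"] and report["source_script"].endswith(".php"))
    return report

if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS).items():
        print(f"{key:26} {value}")
```

On these headers it reports a local injection by admin.php from the forum's own document directory, which points at the board's own mailer having been used rather than the From: address being forged from some unrelated host.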
Fredra "Undesirable Alien" (Member, join:2000-04-08, Nepean, ON)

That is interesting...
I got three (3) emails, but didn't open any of them, as I thought: why would "net-integration" be sending me anything? So I deleted them all.
Now this is strange indeed.
Thanks for letting us know.
Cheers

EGeezer (Premium Member, join:2002-08-04, Midwest) to erwin_mi

Net-Integration page - 11:20 AM EDT

[Screenshot] The link to the forum ( »forums.net-integration.net/ ) yielded this at 11:20 AM EDT - offline for security purposes.

erwin_mi (Member, join:2004-07-27)

said by EGeezer:

The link to the forum ( »forums.net-integration.net/ ) yielded this at 11:20 AM EDT - offline for security purposes
Didn't you see the address field? The forum is redirected to »peace.emfc.com. I hope this redirection was done by a real admin to avoid more damage...

sybille "Not only 'just visiting'" (Premium Member, join:2004-04-06, France) to erwin_mi

Re: Net-Integration hacked just one moment ago!

Confirmation from me.

I received the same mail. Since I'm running Linux, I decided to download the avp.exe file in order to scan it at jotti's. (I wouldn't have done this from within Windows, of course.) Several scanners there identified the file as a trojan downloader (with heuristics, it seemed, so this may be a new variant).

So, I went to net-integration and posted. While I was pasting in the scanner results, another thread was started. I went to edit my thread in order to include a link to the new thread, and at that point got the error message from peace.emfc.com.

In any case, no one needs to rescan the file at jotti's, etc. I have submitted it to the list of AV companies in the FAQ, as well.

EGeezer (Premium Member, join:2002-08-04, Midwest) to erwin_mi

Re: Net-Integration page -11:20 AM EDT

Yes, I saw it. My post is for information only and to document the result of going to the site at the time in case the result changes.

Per whois, efmc.com domain is owned by net-integration.

ht tp://efmc.com goes to a sales recruiting page for an undisclosed antispyware product. The fax number in the ad is very close to the number listed in WHOIS registration. With these things in mind, I'd surmise that it's a legitimate redirection.

Pisem.net traces to Russia, as far as Moscow - also appears to have an open mail relay.

Sysadmin (Premium Member, join:2000-07-07, Elk Grove, CA) to erwin_mi

Re: Net-Integration hacked just one moment ago!

I received two emails from them as well. They looked suspicious so I deleted them.

John2g "Qui Tacet Consentit" (Premium Member, join:2001-08-10, England) to erwin_mi

I had three of these emails. Needless to say, I didn't follow the link.

boblandy2 (Premium Member, join:2002-05-06) to erwin_mi

I received four such emails, all sent within the span of 30 minutes, saying...

"Protect Your PC !!!

Please download antivirus protection" (with link)


I definitely did not open the link.

cacroll "Eventually, Prozac becomes normal" (Premium Member, join:2002-07-25, Martinez, CA) to erwin_mi

I got 3 of those emails. Yahoo email shot them straight into my Bulk folder. I might have been tempted to open them, except for reading your advisory, so thank you.

MagnusM (Premium Member, join:2001-07-07) to erwin_mi

I did open the file (*)

When run, this trojan copies itself to C:\Windows\csrss.exe and also drops the file C:\Windows\dll.dll. The actual trojan is a password stealer that will attempt to grab your ICQ, email account, dialup and other passwords. Any found passwords are mailed to two Russian email addresses.

If an Internet connection is available, the trojan will attempt to download and execute further files from a Hungarian web site. Unfortunately these files are no longer available and so could not be analyzed.

(*) On a lab machine. Do not attempt at home.

suzi5 (Premium Member, join:2004-05-01) to erwin_mi

The forum was apparently hacked before the email was sent. Someone hacked in and got to the admin panel to send the emails. The site was shut down shortly afterward for security reasons. Several people at CastleCops.com have confirmed the file in the link contains a virus.

TeMerc6 (Member, join:2004-01-22, Phoenix, AZ) to erwin_mi

I got 3 of em this morning, in my MailWasherPro box, and I just deleted them. It seemed odd they would send me anything via email. But I didn't think to go to the site.

Hope they get things fixed up quickly.

antiserious "The Future ain't what it used to be" (Premium Member, join:2001-12-12, Scranton, PA) to erwin_mi

... I've been waiting 4 days for a reply from them on a login problem - I wonder how long this has been going on, and if it's related ...

SirSteve (Premium Member, join:2003-11-28, Woodbury, CT)

I just found three emails from *them* in my SBC-Yahoo junk email folder and promptly deleted them.

boblandy2 (Premium Member, join:2002-05-06) to MagnusM

So does TH currently detect this trojan?

bpm3k (Member, join:2004-08-15, Simi Valley, CA)

I tried to download the file and I couldn't. IE rocks. However, I was successful in downloading the file using Firefox.

Here are jotti and virustotal results:

Jotti:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Dropped:Trojan.Small.AL
ClamAV Found Trojan.LdPinch-34
Dr.Web Found Trojan.PWS.LDPinch.400
F-Prot Antivirus Found unknown virus (probable variant)
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-PSW.Win32.LdPinch.gen
NOD32 Found a variant of Win32/PSW.LdPinch
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.LdPinch.27 (probable variant)

VirusTotal:
AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 Win32:Trojano-265
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.16.2005 no virus found
BitDefender 7.0 08.16.2005 Dropped:Trojan.Small.AL
CAT-QuickHeal 7.03 08.16.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.15.2005 Trojan.LdPinch-34
DrWeb 4.32b 08.16.2005 Trojan.PWS.LDPinch.400
eTrust-Iris 7.1.194.0 08.16.2005 no virus found
eTrust-Vet 11.9.1.0 08.16.2005 no virus found
Fortinet 2.36.0.0 08.16.2005 suspicious
F-Prot 3.16c 08.16.2005 could be infected with an unknown virus
Ikarus 0.2.59.0 08.16.2005 Trojan.Win32.Small.AL
Kaspersky 4.0.2.24 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
McAfee 4559 08.16.2005 PWS-LDPinch.gen.b
NOD32v2 1.1194 08.15.2005 a variant of Win32/PSW.LdPinch
Norman 5.70.10 08.16.2005 no virus found
Panda 8.02.00 08.15.2005 Trj/Ldpinch.gen
Sophos 3.96.0 08.16.2005 Troj/LdPnch-Fam
Sybari 7.5.1314 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
Symantec 8.0 08.16.2005 no virus found
TheHacker 5.8.2.088 08.16.2005 no virus found
VBA32 3.10.4 08.16.2005 suspected of Trojan.LdPinch.27

Neither Ewido nor A-squared detects the file when I scan it with them on demand.

ReGen (Member, join:2003-07-24, Scotland) to boblandy2

said by boblandy2:

so does TH currently detect this trojan
It does with the latest update just released.

boblandy2 (Premium Member, join:2002-05-06)

Thanks for the heads up, ReGen.

Atribune (Premium Member, join:2004-11-21) to erwin_mi

peace.emfc.com is the server that Net-Integration is on. I have been updating and submitting the file to the major AV and antitrojan vendors.

Net Integration was taken down by Eagle1 after he received news of the emails, in an attempt to protect users who have as yet not received these emails.

Eagle1 is at present working towards a solution for this.

catseyenu "Ack Pfft" (Premium Member, join:2001-11-17, Fix East) to MagnusM

Is it adding an ICQ app.?
Total Uninstall Log:
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs
(+)(REG KEY) HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT
(+)(REG KEY) HKEY_CURRENT_USER\Software\RIT\The Bat!

BKayrac (Premium Member, join:2001-09-29)

ZoneLabs doesn't detect it... I believe they use CA's antivirus; I have sent it over to them at CA, will see what they say.

Atribune (Premium Member, join:2004-11-21) to erwin_mi

CA (aka e-Trust) does not detect this yet nor do Avg and Symantec. The files have been submitted to all 3 of them.

As for the ICQ question, it adds the registry keys but as far as I have seen it doesn't add any software to go with them.

Perhaps someone who has the programs being added to the registry may be affected differently than I have been.

I will install the applications and see if I get any change in the behavior of the virus.

MikeG (Premium Member, join:2004-10-02, Hamilton, ON)

said by Atribune:

CA (aka e-Trust) does not detect this yet nor do Avg and Symantec. The files have been submitted to all 3 of them.
What about Avast? Does it detect it? Do they know about it?

the_w0p (Member, join:2002-12-01, Davenport, IA)

I just checked my email and had 2 copies of the virus and immediately deleted them!!!

Alwill "Lost time is never found again." (Premium Member, join:2002-09-25, Sydney, OZ) to erwin_mi

The three emails were also awaiting me when I went online an hour ago (8am Downunder) and, after viewing them through Properties>Message Source, I promptly deleted them. Why would Net-Integration be sending me anything?

boblandy2 (Premium Member, join:2002-05-06) to erwin_mi

I just learned that BOClean has had this covered for more than a week now.

47717768 (banned) (Member, join:2003-12-08, Birmingham, AL) to erwin_mi

I have saved this trojan with KAV icon for my trojan collection.

Corrine (Premium Member, join:2004-08-27) to erwin_mi

N-I is back up: »forums.net-integration.n ··· ic=32730
said by "Eagle1":
Net-Integration is not sending any spam but only appears to be doing so. The net-integration domain account was disabled for the majority of the day while the source of the spamming was sought. The ISP (»pisem.net) that is hosting malware was notified several hours ago and they have not done anything about it so far.

Logs are being reviewed to determine if source can be identified. Will keep posted.

ReGen (Member, join:2003-07-24, Scotland) to boblandy2

said by boblandy2:

i just learned that BOClean has had this covered for more than a week now
Hmmm… On my PC BoClean only recognised the file after the second update yesterday.
TH also detected it yesterday, Ewido still doesn’t.