"Waitman C. Gobble" <waitmanat_private> wrote:

> I have found more information regarding my original 030.com post.
>
> The machine that is infected is running Windows XP Professional with all
> service packs and hotfixes.
>
> Additionally, it is running Norton Antivirus 2003 with the latest
> database, and the machine checks clean.
>
> There is a file running on boot:
>
> C:\WINDOWS\WinStart.exe (the date of this file is November 11, 2002)
>
> The file properties indicate that it originates from IGetNet, LLC. The
> whois information shows that this is the owner of ignkeywords.com

Seems as if either the user has cluelessly agreed to installing the
"IGetNet (IGN) Keywords" browser "extension" (which locates sites
registered to "keywords" at IGetNet by typing those keywords into the
"location" or "address" bar of their browser) or some site silently
installs the same via some browser security flaw (the IGetNet keywords
extension installer is utterly silent once you accept the signed ActiveX
control anyway -- I did not try the Netscape-compatible version the
website alleges exists).

When run, the IE version copies the main EXE to %windir%\system (yes,
even on NT-based OSes) and also unpacks BHO.DLL and RSP.DLL to that
directory. It also sets a registry value named WinStart under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run
"<path>WinStart.exe -boot", which ensures the DLLs are unpacked (and
replaced) at each system startup.

It also adds the following domain redirects to your system's HOSTS file:

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

This "utility" does not add "uninstall" information to the registry, so
it cannot be uninstalled through the usual means. An uninstaller is
available from the download page of IGetNet's web site, should you trust
them to properly uninstall the beast:

http://igetnet.com/iGetNet_IGNDownloads.html

This seems to leave one of the DLLs but removes the other, the HOSTS
entries and WinStart.exe.

> Also, this file exists: C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.

Not sure about that -- didn't see it myself, but then I only let it run
for a few minutes...

> The machine now seems to go to ignkeywords.com, however sometimes it
> goes to 030.com, which is what we originally observed.

The IGN Keywords product depends on a registration database which I guess
is centrally maintained, so it has to report keyword attempts to the
server to get the correct URL to redirect the browser to. Aside from
that, ignkeywords.com is 216.177.73.139.

> The WinStart file is labelled as a "Browser Upgrade" in the file
> properties thingy.

I guess "upgrade" is a relative term...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
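The artifacts Nick lists (the three HOSTS redirects to 216.177.73.139 and the WinStart value under the Run key) are exactly what an incident handler would sweep a fleet for. The script below is an added example written for this archive page; it is not code from the post, from IGetNet, or from SecurityFocus. It parses HOSTS-file text and a dictionary standing in for the Run key's values, so it runs offline; the sample HOSTS content and Run values embedded in it are constructed for the example (the WinStart path follows the one Waitman reported, but the other entries are made up). It goes slightly beyond the post in flagging any of the three search hostnames that is pinned to a non-loopback address, not only to the IGN address, since a later version of the same trick could use a different IP.

```python
"""Offline sweep for the IGN Keywords artifacts described in the post.

Added example for this archive page; not IGetNet's code nor the poster's.
Feed it the text of %SystemRoot%\\system32\\drivers\\etc\\hosts and a
name -> command mapping exported from
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import re

# Redirect target named in the post (also the address of ignkeywords.com).
IGN_IP = "216.177.73.139"

# Hostnames the post says the installer pins in HOSTS. Browsers consult
# these for "search from the address bar"; a HOSTS entry for any of them
# that is not loopback means address-bar lookups are being diverted.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

LOOPBACK = {"127.0.0.1", "::1"}

# Matches the autostart command from the post: "<path>WinStart.exe -boot".
WINSTART_RE = re.compile(r"winstart\.exe\b.*\s-boot\b", re.IGNORECASE)


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text.

    Strips '#' comments, skips blank lines, and splits lines that map
    several names to one address into one pair per name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked_hosts(entries):
    """Return HOSTS pairs matching the IGN pattern.

    Flags any entry pointing at IGN_IP, and any of the search hostnames
    pinned to something other than loopback (generalisation: a variant
    using a different IP would still be caught).
    """
    return [
        (ip, name) for ip, name in entries
        if ip == IGN_IP or (name in SEARCH_HOSTS and ip not in LOOPBACK)
    ]


def find_winstart_run_entries(run_values):
    """Return the Run-key values whose command runs WinStart.exe -boot."""
    return {name: cmd for name, cmd in run_values.items() if WINSTART_RE.search(cmd)}


def sweep(hosts_text, run_values):
    """Combine both checks into one report dict for a host."""
    hosts_hits = find_hijacked_hosts(parse_hosts(hosts_text))
    run_hits = find_winstart_run_entries(run_values)
    return {
        "hosts_redirects": hosts_hits,
        "run_entries": run_hits,
        "infected": bool(hosts_hits or run_hits),
    }


# --- Constructed sample input for the example (not captured from a real box)
SAMPLE_HOSTS = """# Constructed sample HOSTS file
127.0.0.1       localhost
216.177.73.139  auto.search.msn.com
216.177.73.139  search.netscape.com
216.177.73.139  ieautosearch
10.0.0.5        intranet.example   # harmless local entry
"""

SAMPLE_RUN = {
    "WinStart": r"C:\WINDOWS\WinStart.exe -boot",          # path as reported in the post
    "NAV Agent": r"C:\PROGRA~1\NORTON~1\navapw32.exe",      # constructed benign entry
}

if __name__ == "__main__":
    report = sweep(SAMPLE_HOSTS, SAMPLE_RUN)
    for ip, name in report["hosts_redirects"]:
        print(f"HOSTS redirect: {name} -> {ip}")
    for name, cmd in report["run_entries"].items():
        print(f"Run value {name!r}: {cmd}")
    print("infected:", report["infected"])
```

On a live XP box you would read the HOSTS file from %SystemRoot%\system32\drivers\etc\hosts and export the Run key with reg.exe before passing both in; the sweep deliberately does not touch the registry or filesystem itself so it can be run against collected evidence.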
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 14:08:47 PST