New Yahoo Messenger Hijacker Trojan - An Indepth Explanation And Solution

Discussion in 'General Chat' started by -Abhishek-, Oct 9, 2006.

  1. #1
    So today, like any other day, I logged on to Yahoo Messenger only to be stormed by PMs from about 7 of my clients (serious people, for that matter) with kiddish text, smilies and a link to a common site. It didn't take long for me to realise that something was very, very wrong here.

    I began exploring and researching it and even tried the link on various browsers on an old machine I have. My research drew a few conclusions. A few of you might be interested to read on.

    This apparently is a new trojan that infects Internet Explorer and is a bait to get ad revenue.

    Conclusions (Confirmed)
    1. It uses msinet.ocx and the web browser control for communicating with websites or downloading more files.
    2. It begins by adding an unusual taskkil.exe in your System32 directory, which is a program to kill system processes.
    3. Creates a batch script located at C:\killav.bat to kill antiviruses.
    4. It accesses XXX, where the developer may enter commands for the application to update itself.
    5. It then begins access to XXXX, which shows AdBrite ads when opened in Firefox; maybe an autoclicking feature is encoded.
    6. It downloads the executable from YYY, which it then renames to svchost32.exe
    7. It also downloads the executable at YYYY

    The developer seems to want this trojan to be termed "Termex" since he owns the domain Mytermex(dot)com (Do not visit this site) and has directories named "Termex" on the server where he hosts his executables!

    The code is no doubt a good one, but I'd have preferred it if he had used this knowledge for good. Now apparently this doesn't seem to affect Firefox/Mozilla and Opera browsers (note the apparently), but IE users are doomed.

    I am infected! Now what?
    Don't panic. Tech Guru has written a nice tutorial to save yourself from this trojan. I haven't tried it yet, but from the look of it, it appears that it'll work. So go ahead and find it here:
    http://www.newsfactor.com/blog_article.php?aid=305161

    How does this spread?
    I am not aware of the other mediums, but yes, I myself have witnessed this propagating through Yahoo Messenger, and there is a possibility that it may send your Yahoo ID/password to the attacker.
    Possible PMs that you may get are:

    These messages are generally very tempting and make you click on the link, but once you do, you're doomed!

    !!!WARNING: DO NOT OPEN THE URLS BELOW IN YOUR BROWSER OR YOU MAY GET INFECTED!!!
    XXX = hxxp://giftshop.vn/update.txt
    XXXX = hxxp://www.myglobal-news.com
    YYY = hxxp://italiandirectory.com/termex/host2.exe
    YYYY = hxxp://italiandirectory.com/termex/host.exe

    Possible Domains Owned by the Developer of this Trojan
    hxxp://www.nsl-school.org
    hxxp://www.giftshop.vn
    hxxp://www.myglobal-news.com
    hxxp://www.italiandirectory.com

    I have managed to accumulate the above data, and will go on updating this post as I find more stuff.

    If you found this article then please DIGG IT
    Original Article on my Blog

    Abhishek
     
    -Abhishek-, Oct 9, 2006 IP
  2. dotcompals

    dotcompals Prominent Member

    #2
    Abhishek, thank you very much for this useful information
     
    dotcompals, Oct 9, 2006 IP
  3. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #3
    -Abhishek-, Oct 9, 2006 IP
  4. fordP

    fordP Peon

    #4
    Ouch, luckily I don't use IE. Thanks for the info
     
    fordP, Oct 10, 2006 IP
  5. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #5
    Nor do I, possibly this was why I was saved!

    When I got the Yahoo! PM, my first reaction was that maybe my client had launched a new site and had PMed me to inform me about it (though it's quite unusual for him to do that).

    But when I checked the link, I immediately found stuff to be wrong here!

    When I went back to my offlines, I noticed the same message from a few more of them and so it led me into investigating it and the above report was then created by me!

    If someone found it useful, then cheers!

    Abhishek
     
    -Abhishek-, Oct 10, 2006 IP
  6. Bondat

    Bondat Peon

    #6
    I hope my sister won't click it. Because sometimes they tend to click it even though I've warned them already. :D :D
     
    Bondat, Oct 10, 2006 IP
  7. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #7
    That's the primary reason why I have made the URLs not clickable! And have given warnings in bold!
    If they still go to the URLs ... then ... umm ... well, you know it!
     
    -Abhishek-, Oct 10, 2006 IP
  8. pro_flash_4_u

    pro_flash_4_u Guest

    #8
    Solve all your problems, get a mac!
     
    pro_flash_4_u, Oct 10, 2006 IP
  9. RedruM*

    RedruM* Peon

    #9
    Do you have to download it, or just go to the link?
     
    RedruM*, Oct 10, 2006 IP
  10. Seiya

    Seiya Peon

    #10
    With IE, just go to the link for sure lol. I'm at school, it's so tempting to check those links! :p

    ---

    Ahh lol, I accidentally got to the site through Alexa and IE auto-downloaded the virus. However, the school antivirus caught me and now I'm being escorted by security to the detention hall! Hahah, just kidding, but yeah, the antivirus got it and deleted it! :p
     
    Seiya, Oct 10, 2006 IP
  11. khasmoth

    khasmoth Well-Known Member

    #11
    Here's the message I received this morning.
    Don't visit the link BTW

    Use this tool to remove viruses from your PC : http://myglobal-news.com/?id=virus_shield

    sylailing (10/11/2006 9:31:52 AM): oh my god , i've won a 20000 usd lottery :O http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !! >:D<
     
    khasmoth, Oct 10, 2006 IP
  12. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #12
    Your Friend has been infected by the very same trojan I mentioned! Give him/her the above link!

    Abhishek
     
    -Abhishek-, Oct 10, 2006 IP
  13. khasmoth

    khasmoth Well-Known Member

    #13
    Yeah, thanks for this link. Just wondering if she manually sent the link to me as well? Or is it automatic?
     
    khasmoth, Oct 10, 2006 IP
  14. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #14
    It's automatic; the trojan hijacks Yahoo Messenger and sends IMs to the people in the list.

    It most likely imports the address list from your Y! Messenger and utilises the "ymsgr:SendIM?Yahoo ID" to send those IMs to your list, thereby propagating the link and infecting the people on the list!

    Abhishek
     
    -Abhishek-, Oct 10, 2006 IP
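    Pulling together the confirmed host artifacts from the first post, the domains listed there and the "sender (timestamp): text" chat-log layout khasmoth posted, here is a small added triage check (not code from the thread) that flags IM log lines linking to the Termex domains and reports which of the listed files are present in a path listing. The sample chat log is constructed, and the System32 paths assume a C:\Windows install.

```python
import re
from urllib.parse import urlsplit

# Hostnames the first post ties to the Termex hijacker (defanged as hxxp:// there).
TERMEX_DOMAINS = {"giftshop.vn", "myglobal-news.com", "italiandirectory.com",
                  "nsl-school.org", "mytermex.com"}
# Host artifacts listed as confirmed in the first post; System32 under C:\Windows
# is an assumption, as is the renamed dropper (svchost32.exe) being saved there.
TERMEX_FILE_ARTIFACTS = {r"c:\windows\system32\taskkil.exe", r"c:\killav.bat",
                         r"c:\windows\system32\svchost32.exe"}
# Constructed sample chat log in the "sender (timestamp): text" layout khasmoth posted.
SAMPLE_IM_LOG = [
    "sylailing (10/11/2006 9:31:52 AM): oh my god , i've won a 20000 usd lottery :O "
    "http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !!",
    "friend2 (10/11/2006 9:40:10 AM): Use this tool to remove viruses from your PC : "
    "http://www.myglobal-news.com/?id=virus_shield",
    "me (10/11/2006 9:41:00 AM): my new site is up at http://example.com/launch",
    "not a chat line at all",
]
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
LINE_RE = re.compile(r"(\S+) \([^)]*\): (.*)")

def _host(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_termex_links(im_line):
    """URLs in one IM line whose host is a known Termex domain."""
    return [u for u in URL_RE.findall(im_line) if _host(u) in TERMEX_DOMAINS]

def scan_im_log(lines):
    """Map sender -> flagged URLs; a contact with hits is likely infected."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m and (flagged := find_termex_links(m.group(2))):
            hits.setdefault(m.group(1), []).extend(flagged)
    return hits

def check_host_artifacts(present_paths):
    """Termex file artifacts present in a path listing (e.g. output of `dir /s /b`)."""
    normalized = {p.lower().replace("/", "\\") for p in present_paths}
    return sorted(TERMEX_FILE_ARTIFACTS & normalized)
```

    Senders reported by scan_im_log are the contacts to warn (and to point at the removal tutorial), and a non-empty result from check_host_artifacts on your own machine means the cleanup steps apply to you.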
  15. Indian

    Indian Peon

    #15
    I was about to click this link which was displayed as a friend's status on Yahoo Messenger. Thought it would be her picture ;) and I use IE :eek:
     
    Indian, Oct 12, 2006 IP
  16. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #16
    Harry, you use IE? On Firewall I used to tell everyone to use Firefox!!! Haha ...

    Yes, this affected a lot of people; I was surprised when I got the same PM from about 7 people! Thank your stars ... you're saved! Hehe
     
    -Abhishek-, Oct 12, 2006 IP
  17. Indian

    Indian Peon

    #17
    I like Firefox but dunno... for some reason I always click on the IE logo next to the start button. One thing I hate about FF is the tabs at the top... I am used to clicking multiple tabs at the bottom... Is there a way to bring those tabs below?
     
    Indian, Oct 12, 2006 IP
  18. -Abhishek-

    -Abhishek- Regaining my Momentum!

    #18
    -Abhishek-, Oct 12, 2006 IP
  19. Indian

    Indian Peon

    #19
    Problem solved. Thanx Bro ;)
     
    Indian, Oct 12, 2006 IP
  20. Nida G

    Nida G Peon

    #20
    It also tries to use our MSN, but it doesn't work correctly on it... but it works on Yahoo. I am also infected... thanks Abhishek for the solution...
     
    Nida G, Oct 13, 2006 IP