Bugtraq mailing list archives

Trojan / Spyware: connection made to 64.240.175.18 every time you use IE; anti-spyware / anti-virus won't detect it.


From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Tue, 5 Feb 2002 08:06:06 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                             .---------------.
                            / NtWaK0 Advisory \
+---------------------------------------------------------------------------
 Affected         : All Windows systems with IE and kernell32.cab installed
 Type             : Connection made to 64.240.175.18 every time you use IE
 Type             : Trojan / Spyware
 Date             : 02-02-2002
 Author           : NtWaK0 @ www.SafeHack.com
+---------------------------------------------------------------------------

+-----------------.
 Trojan / Spyware  \
+-------------------`-------------------------------------------------------

+-----------.                                  * * * www.SafeHack.com * * *
 Disclaimer  \
+-------------`-------------------------------------------------------------

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
 T.O.C.  \
+---------`-----------------------------------------------------------------

   [  Brief History  ]
   [  The Problem    ]
   [  The Solution   ]

+-------------.
 Brief History \
+----------------`----------------------------------------------------------

A friend mentioned the other day that he is seeing a connection being
made to 64.240.175.18 on port 8989 every time he uses Internet Explorer.
See details below.

+-----------.
 The Problem \
+-------------`-------------------------------------------------------------

After working on the issue for some time, I found a spyware kernell32 on
his machine.

How did I find the spyware?
+--------------------------+

I ran a port monitor application, launched Internet Explorer and went to
google.com. Sure enough, when IE connected to Google I saw two connections,
one to Google and one to 64.240.175.18 on port 8989. When I saw that, I hmmed.

Next I opened IE again but did not connect to any site (blank page). Sure
enough, no connection to any site. As soon as I connect to any site I see
a connection to 64.240.175.18 on port 8989.

After mapping the ports to the applications using them, I found that IE is
using port 8989. That is normal, since the connection to 64.240.175.18 was
made from IE.

Since I had never seen that IP before, I decided to investigate this issue
further.

I tried to search the registry for 64.240.175.18, but I was not lucky.
I tried to search every file on the hard drive for the string 64.240.175.18,
but still no luck.

Next I jumped to a hardcore method :) using Regmon and Filemon.
After running Regmon and Filemon I launched IE and connected to
www.google.com. Now I had a big log to go over... I made another coffee,
sat down and started looking into the Regmon/Filemon logs.

Something got my attention: a kernell32.dll reference.
HKCR\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}\InprocServer32\(Default)
"C:\WINNT\Downloaded Program Files\kernell32.dll"

I searched for that file in C:\WINNT\Downloaded Program Files but did not
find it. I continued looking at the Regmon log and found something else:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]

One of these keys was used to launch the trojan every time you run IE.

At this point I ran wget http://64.240.175.18/kernell32.cab
To my surprise the file was there, so I got the file and looked at it.
kernell32.cab contains two files: kernell32.dll and kernell32.inf.

Currently [2-2-2002] the file still exists on their site; if you would like
to grab it, here is the URL: http://64.240.175.18/kernell32.cab

NOTE: The interesting issue is that Norton AntiVirus and The Cleaner did
not detect any trojan in kernell32.dll. But the file is acting like the
Win32.Destiny trojan.

If you search Google for Win32.Destiny you will find the description of
the Win32.Destiny trojan. The same behavior applies to the file located at
http://64.240.175.18/kernell32.cab

[Extracted From
http://www.vet.com.au/html/zoo/local/zoo_descriptions/destiny.htm ]

Win32.Destiny

Win32.Destiny trojan is a Dynamic Link Library (DLL) usually called
"kernell32.dll". The use of this filename is probably an attempt to hide the
trojan, as users may confuse it with the Windows system file "kernel32.dll".

(kernell32.dll is the FUCKING file that it downloads.)

The trojan registers itself as a "Browser Helper Object", a DLL which
attaches itself to every instance of Internet Explorer. Because of this,
the trojan is loaded whenever a new Internet Explorer session is started.

The trojan connects to a machine on the internet on port 8989 and sends
some information about the local system, including the IP address and the
user's e-mail address. It also changes the following Internet Explorer
security settings for the "Internet Zone":

+------------.
 The Solution \
+--------------`------------------------------------------------------------

Someone must contact the administrator of the site 64.240.175.18 and tell
him/her to remove kernell32.cab from the site.

Second, you can apply these suggestions:

[Extracted From www.vet.com.au ]
Download signed ActiveX controls: Prompt.
Download unsigned ActiveX controls: Disable.
Run ActiveX controls and plugins: Enable.
Initialize and script ActiveX controls not marked as safe: Disable.
Script ActiveX controls marked safe for scripting: Enable.

These settings only stop the control from being installed again. On a machine
that already has it, the BHO is loaded on every IE start regardless of the
zone settings, so also delete the Browser Helper Objects key whose CLSID
resolves to kernell32.dll ({C7ADE150-743D-11D4-8141-00E029626F6A}) and the
kernell32.dll file itself, then restart IE and confirm with the port monitor
that the connection to 64.240.175.18 port 8989 is gone.
+---------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPF/XJfPoW9fFNsN8EQJJmACePMAmOe7P4UEHUD3P7Nzbcgyf0gMAn0j0
Uq0kFGNuCUnvRjJzJDdxeRHw
=1lr1
-----END PGP SIGNATURE-----
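As an added example (not code from the advisory, from NtWaK0 or from Vet), the following Python script automates the two checks the advisory walks through by hand: the BHO hunt in The Problem section and the Internet Zone settings in The Solution. It parses a registry export (SAMPLE_REG is a constructed .reg text built from the keys quoted above; the second BHO's DLL path "C:\Program Files\Example Vendor\iehelper.dll" and the PRESENT_FILES set standing in for the machine's disk are placeholders), joins each entry under Browser Helper Objects to its CLSID's InprocServer32 path, flags DLL names one edit away from a real system DLL (kernell32.dll versus kernel32.dll), DLLs living in IE's Downloaded Program Files cache and registrations whose file is not on disk, and then compares the zone 3 values against the recommended settings. The mapping of value names to settings (1001 = download signed ActiveX, 1004 = download unsigned ActiveX, 1200 = run ActiveX, 1201 = initialize/script controls not marked safe, 1405 = script controls marked safe; data 0 = Enable, 1 = Prompt, 3 = Disable) is IE's documented URL action numbering and is not something the advisory states.

```python
"""Audit a .reg export for IE Browser Helper Objects and Internet Zone ActiveX settings.
Added example, not code from the advisory; SAMPLE_REG and PRESENT_FILES are constructed."""
import os
import re
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]
[HKEY_CLASSES_ROOT\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}\InprocServer32]
@="C:\\WINNT\\Downloaded Program Files\\kernell32.dll"
[HKEY_CLASSES_ROOT\CLSID\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\iehelper.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000000
"""
# CLSIDs, kernell32.dll path and zone value names follow the advisory; the second BHO's
# path is a placeholder, and PRESENT_FILES stands in for the exported machine's disk.
PRESENT_FILES = {r"c:\program files\example vendor\iehelper.dll"}
BHO_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
ZONE3_KEY = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\3"
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "shell32.dll"}
RECOMMENDED = {  # IE URL action IDs for the five settings in The Solution; 0=Enable 1=Prompt 3=Disable
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plugins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 0),
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_data(raw):
    """Decode the dword and quoted-string forms used by .reg exports."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line.strip())
        if m and current is not None:
            current["@" if m.group(1) == "@" else m.group(1)[1:-1]] = decode_data(m.group(2))
    return keys


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]


def audit_bhos(keys, exists=os.path.exists):
    """Resolve each registered BHO CLSID to its DLL; return (clsid, path, reasons) triples."""
    lower = {k.lower(): v for k, v in keys.items()}
    results = []
    for key in keys:
        kl = key.lower()
        if not kl.startswith(BHO_PREFIX) or kl.count("\\") != BHO_PREFIX.count("\\"):
            continue  # only direct children of Browser Helper Objects are BHO registrations
        clsid = key[len(BHO_PREFIX):]
        path = lower.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid.lower(), {}).get("@")
        reasons = [] if path else ["CLSID has no InprocServer32 path"]
        if path:
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            reasons += ["filename imitates system DLL " + s for s in SYSTEM_DLLS if name != s and within_one_edit(name, s)]
            if "downloaded program files" in path.lower():
                reasons.append("lives in IE's Downloaded Program Files cache (web-installed control)")
            if not exists(path):
                reasons.append("DLL not found on disk (hidden, deleted, or stale registration)")
        results.append((clsid, path, reasons))
    return results


def check_internet_zone(keys):
    """List Internet Zone (zone 3) ActiveX values that differ from the recommended setting."""
    zone = {k.lower(): v for k, v in keys.items()}.get(ZONE3_KEY, {})
    return ["%s (%s): %s, recommended %s" % (label, vid, LEVEL.get(zone[vid], zone[vid]), LEVEL[want])
            for vid, (label, want) in RECOMMENDED.items() if vid in zone and zone[vid] != want]


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for clsid, path, reasons in audit_bhos(keys, lambda p: p.lower() in PRESENT_FILES):
        print(clsid, path, "->", "; ".join(reasons) or "nothing unusual")
    print(*check_internet_zone(keys), sep="\n")
```

To run it against a real machine, export the Browser Helper Objects key, HKCR\CLSID and the Zones\3 key with regedit's Export, pass the file's text to parse_reg and call audit_bhos with its default os.path.exists. Explorer shows Downloaded Program Files through a shell extension that lists installed controls rather than the directory's raw files, so verify a flagged path with dir from a command prompt rather than the Explorer window. The zone check only reports values that are explicitly present and differ from the recommendation; a value absent from the per-user key means IE's template default applies, which is worth confirming in the Internet Options dialog.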

________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Hughes, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followed... :)                /`\  NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in ways that ensure respect for your fellows      -=-

