unknown spyware or something!!

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: browolf PostPosted: Tue Nov 29, 2005 9:09 pm    Post subject: unknown spyware or something!!
    ----
a strange popup was appearing on my pc. its just a blank window with the title wtl001 and appears in taskman as orthnapp.exe. I can kill it and it doesnt reappear for a while.

Have run processor explorer and active ports and established its connecting to the internet thru svchost. its connecting on ports numbered between 3803 - 3915 i've seen connections to 3 hosts so far:

38.115.150.106 = rotatorqueen.com
67.19.28.150 = hitsnapper.com
222.208.168.101 = www.vevol.com
38.115.150.2 = losangelesinformer.com


the file is running from C:\WINDOWS\system32\orthnapp.exe. it's a hidden file.

using the packet sniffer ethereal i managed to capture http get requests to
http://www.rotatorqueen.com/surf_bottom.php?id=1716

although the page reply is
Notice: Undefined variable: fID in /home/rotatorqueen/htdocs/surf_bottom.php on line 30
Member account is not active, terminating.

also

www.hitsnapper.com/pages/78011/ which redirects to http://newyorkinformer.com/ and
http://hotvivid.com/
http://jobqueen.com/

and probably a lot more extremely dubious looking portals.

...150.2 connects to philadephiainformer.com which doesnt seem to exist



seems to me i might have picked it up installing some random software. it's seems like some sort of self written program to generate ad revenue

isnt there places to send such things for inclusion into antispyware/virus programs?


later
===

i'd deleted the file but its come back somehow. tried creating a dummy read-only file with the same name. see how that goes.

even later
======

found an unknown shell execute hook using the advanced tools in microsoft antispyware. pointing to a file
C:\WINDOWS\system32\usbadpt32.dll

using Resource Hacker to open the dll i've found some interesting code:

Code:

GET %s H
00002A70  54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 25   TTP/1.1••Host: %
00002A80  73 0D 0A 52 61 6E 67 65 3A 20 62 79 74 65 73 3D   s••Range: bytes=
00002A90  30 2D 0D 0A 0D 0A 00 00 2F 00 00 00 2F 2F 00 00   0-••••••/•••//••
00002AA0  3C 2A 2A 57 49 54 43 48 45 52 59 46 49 4C 45 2A   <**WITCHERYFILE*
00002AB0  2A 3E 00 00 65 78 74 72 61 63 74 00 65 6E 64 00   *>••extract•end•
00002AC0  6C 6F 6F 70 00 00 00 00 6F 6E 63 65 00 00 00 00   loop••••once••••
00002AD0  61 6C 77 61 79 73 00 00 64 6F 77 6E 6C 6F 61 64   always••download
00002AE0  00 00 00 00 65 78 65 63 75 74 65 00 73 6C 65 65   ••••execute•slee
00002AF0  70 00 00 00 7B 31 31 41 43 44 42 31 33 2D 35 32   p•••{11ACDB13-52
00002B00  37 46 2D 34 37 31 33 2D 38 32 44 46 2D 34 46 42   7F-4713-82DF-4FB
00002B10  32 30 33 39 38 32 44 34 44 7D 00 00 65 6E 64 20   203982D4D}••end
00002B20  6C 6F 6F 70 00 00 00 00 23 23 77 69 74 63 68 65   loop••••##witche
00002B30  72 79 23 23 00 00 00 00 57 49 54 42 4C 4F 47 2E   ry##••••WITBLOG.
00002B40  4F 43 58 00 68 74 74 70 3A 2F 2F 77 69 74 63 68   OCX•http://witch
00002B50  65 72 79 2E 62 6C 6F 67 2E 63 68 69 6E 61 2E 61   ery.blog.china.a
00002B60  6C 69 62 61 62 61 2E 63 6F 6D 2F 00 3C 2A 2A 57   libaba.com/•<**W
00002B70  49 54 43 48 45 52 59 2A 2A 3E 00 00 4D 53 44 41   ITCHERY**>••MSDA
00002B80  54 47 52 50 53 2E 4F 43 58 00 00 00 68 74 74 70   TGRPS.OCX•••http
00002B90  00 00 00 00 57 49 54 43 48 45 52 59 2E 52 44 54   ••••WITCHERY.RDT
00002BA0  00 00 00 00 57 49 54 43 48 45 52 59 2E 42 4E 44   ••••WITCHERY.BND


alibaba.com is a site i was browsing at the weekend. it's like some giant portal wholesaler from china. the link to it alibaba was on an item on boingboing.com

symantec reports an alibaba spyware toolbar but i dont seem to have that. i do all my browsing in firfox so i dont see how i got infected. I know not to click on stuff. disabled the hook and rebooted and removed the file.

looking at the dll in filealyzer i've also found a ocx file which seems to contain a webpage.
c:\windows\system32\WITBLOG.OCX



the 3 files are contained in the following file:
www.antiphishing.org.uk/malware.zip

it's worth noting there's no documented connection between orthnapp.exe and the shell execute hook but it's mighty suspicious finding them both at the same time.



Networking/Security Forums -> Anonymity // Privacy // Spam


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group