Date Posted: 22:45:33 06/10/04 Thu
Author: Repost
Subject: Browser hijack

Well, it won't matter to some if every registrar in the world
cancels their sites except their trojan partner who installs
a "hosts" file resolving (at the moment about 700) client sites
(e.g. www.spybot.info will, if you get infected, be resolved to
IP address 198.65.164.170) for them. It also hijacks your browser,
sending ALL your connections through verio/splitinfinity (if it
misses some it makes a special effort to redirect all your internet
favourites in IE).

Of course the spam, offering child pornography, also used a trojan
installer to install a modem dialer and ... more.

Sheesh ...

(and I accidentally deleted the whole shebang and had to use the
raw data in the sectors of the hard drive to put it back together
- just to add another couple of hours to this trash ...)

[RECENT NANAS POSTING: [email] [child pornography?]: [blank subject]]

[extract from the NANAS posting:]
---------------------------------

Spamvertized URL: http://www.dark-collection.{net,org}
at IP addresses 63.251.83.54, 63.251.163.112, 64.74.96.249,
212.118.243.114, and 216.52.184.239, all of which are on internap/enom

This is a redirector to the:

Spamvertized SITE [OLD]: http://sacura.sexbrides.com/
at IP address 66.79.168.183 on managed.com

NOTE: THAT SITE WAS JUST TAKEN DOWN.
http://www.dark-collection.{net,org}
NOW REDIRECTS TO THE:

Spamvertized SITE [NEW]: http://sacura.pornlevel.com/
at IP address 168.143.118.147

This sends you on (to pay for the offered child pornography(?))
to the billing partner:

Spamvertized SALE SITE: https://www.e-gold.com/sci_asp/payments.asp
(with data POSTed which includes PAYEE_ACCOUNT=1285286, PAYEE_NAME=DARK,
STATUS_URL=mailto:virginz_acc@yahoo.com)

Besides the porn offer and sale site ... there are:
----------------------------
Trojan loaders up the wazoo.
----------------------------

IF you send the proper referrer (http://www.dark-collection.net
for example) the page has a little extra. A JavaScript section
(mildly encoded/encrypted). You may only get this with the
"proper" User-Agent and OS as well (I did not see it using
Mozilla/Linux but did when manually setting the User-Agent
to claim I was using IE on Windows).

The spamvertized sites (OLD/NEW) use various exploits to
install trojans. Trojans to prevent registrars from effectively
cancelling spammers' domains (one writes a "hosts" file resolving
its clients' sites to its redirector). Trojans to hijack every
one of your Favourite shortcuts (and send you through a tracker/redirector).
Trojans to hijack all of your web browsing and send you through a
redirector (by writing the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www", "ehttp.cc?")
Trojan to install child pornography(?) modem hijacking porn dialer.
Trojan to install a new search engine page. Etc.
You will probably lose Windows Media Player as some of the trojan loaders
overwrite it and open an "mms://" URL to run a loader.

Spamvertized TROJAN LOADER SITE: http://happy-new-year.biz/in1526.php
which makes a determined effort (*CHM exploit, ActiveX/vbScript, Java, VBS/Petch.A)
to get and run http://happy-new-year.biz/i.exe or http://happy-new-year.biz/inst.exe
which appears to be (I am not running Windows and would not run
it to see what it does anyway) an installer of a trojan from
http://81.211.105.24/tbar.exe http://81.211.105.24/asd3.dll http://81.211.105.24/atl.dll
which includes strings to access the sites
http://best-search.info/go.php?qq= and http://search-smart.info/go.php?qq=
http://best-result.info/go.php?qq= and http://super-finder.info/go.php?qq=
while the Q250204.exe file created by one of the attempts loads
http://www.nkvd.us/s.htm
(the question is - besides a browser hijacking trojan and destroying/overwriting
windows media player, what else does this trojan do?)
ALL of which (except for www.nkvd.us which is at IP address 81.211.105.25)
are at IP address 81.211.105.24 on gldn.net,sovam.comm,sovintel/"ilca.ru"
(actually, it appears that this is hidden behind some type of packet
forwarding to protect the true location?)

If you send the proper referrer, the page (OLD spamvertized URL)
has another internal frame with ANOTHER:

Spamvertized TROJAN LOADER SITE: http://d.dialer2004.com/?cyberfreehost
which uses the MS-IT/*.CHM exploit, again, combined with,
if necessary, a Java exploit to install
http://d.dialer2004.com/g?cyberfreehost&d2kndr.exe and
http://d.dialer2004.com/real1/2.avi?1235 (which is an executable,
NOT an avi file) (and which references download.tibsystems.com and
www.dialeradmin.com).
This trojan loader (d.dialer2004.com) is at IP address 69.42.81.52 on webair.com.

The spamvertized SITE (NEW site) has an encoded/encrypted Javascript
[object] tag to run the:

Spamvertized TROJAN LOADER: http://nuporn.com/counter/level.php
at IP address 63.215.141.196 on Level3.

which hijacks all your favourites and web browsing and writes a
hosts file (protecting spammer clients from registrars cancelling
their domains, I guess - or just hijacking other spammers' operations?)
sending you from now on through the:

HIJACKING SITE: at IP ADDRESSES: 198.65.164.168, 198.65.164.170 and 198.65.164.171
on Verio/splitinfinity.
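As an added example (not part of the original post or the NANAS extract), here is a small Python triage script for the three tricks the post describes: the rewritten hosts file that points anti-spyware and "client" domains at a redirector, the IE `URL\Prefixes\www` registry value replaced with "ehttp.cc?" so every typed www.* address is routed through a hijack site, and an executable served under an .avi name. The hosts entries, the `reg query` output and the file bytes are constructed samples; the only values taken from the post are the IP 198.65.164.170, www.spybot.info and the "ehttp.cc?" prefix, and the *.example hostnames are placeholders for the unnamed client sites.

```python
import re
from collections import defaultdict

# Addresses a hosts file may legitimately map names to (local blocking lists do this).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the 198.65.164.170 / www.spybot.info pair is from the post,
# the *.example names stand in for the other "client sites" it mentions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.65.164.170  www.spybot.info
198.65.164.170  client-a.example www.client-a.example
198.65.164.170  client-b.example
10.0.0.5        intranet.corp.example   # one legitimate internal entry
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def find_hosts_hijacks(text, watchlist=("spybot.info",), min_cluster=3):
    """Flag (a) non-loopback IPs that collect several unrelated names and
    (b) watchlisted (e.g. anti-spyware vendor) domains pointed anywhere but loopback."""
    by_ip = defaultdict(list)
    hits = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        by_ip[ip].append(name)
        if any(name == w or name.endswith("." + w) for w in watchlist):
            hits.append((name, ip))
    clusters = {ip: names for ip, names in by_ip.items() if len(names) >= min_cluster}
    return {"clusters": clusters, "watchlist_hits": hits}

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
    ftp    REG_SZ    ftp://
    www    REG_SZ    ehttp.cc?
"""

REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
KNOWN_GOOD = {"www": "http://", "ftp": "ftp://"}   # stock values for these two names
SCHEME_ONLY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://(www\.)?$")

def parse_reg_query(output):
    """Turn 'name  REG_SZ  data' lines from reg query into a dict."""
    values = {}
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3)
    return values

def hijacked_prefixes(values):
    """A prefix value should be a bare scheme that IE prepends to what you type.
    'ehttp.cc?' makes every typed www.* address a request to ehttp.cc instead."""
    bad = {}
    for name, value in values.items():
        expected = KNOWN_GOOD.get(name)
        if (expected is not None and value != expected) or \
           (expected is None and not SCHEME_ONLY.match(value)):
            bad[name] = value
    return bad

def sniff_file_type(data):
    """Identify a download by magic bytes, ignoring the name the server gave it."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] == b"ITSF":
        return "chm"
    return "unknown"

EXPECTED_BY_EXT = {"avi": "avi", "chm": "chm", "exe": "pe-executable", "dll": "pe-executable"}

def extension_mismatch(filename, data):
    """True when the name promises one format and the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and sniff_file_type(data) != expected

# Constructed byte strings: a PE stub served as "2.avi" versus a real RIFF/AVI header.
FAKE_AVI = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
REAL_AVI = b"RIFF" + b"\x10\x00\x00\x00" + b"AVI " + b"LIST"

if __name__ == "__main__":
    print("hosts:", find_hosts_hijacks(SAMPLE_HOSTS))
    print("prefixes:", hijacked_prefixes(parse_reg_query(SAMPLE_REG)))
    print("2.avi is really:", sniff_file_type(FAKE_AVI))
```

On a live machine you would feed `find_hosts_hijacks` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `parse_reg_query` the real `reg query` output; the cluster threshold exists because a blocking list that maps hundreds of names to 127.0.0.1 is normal, while hundreds of names mapped to one routable address is the pattern in the post.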

Forum timezone: GMT-8