- !!! Trojan horse WARNING !!! - some AW cits do not know better than to spread trojans (Community)
Jul 21, 2003, 4:43pm
If you get a telegram like this:
"Telegram from someone's name, sent Mo Jul 21, 2003 06:41:
My friend has made a cool little program for AW and it would mean a lot to
me if you helped him out and downloaded it and told me and him what you
think: www . twisted-inc . com / awtoolkit . exe "
(URL without blanks).
Do NOT download and run the program.
How it installs on your system:
awtoolkit.exe immediately renames itself to c:\%win_root%\msagent\mslxlu.exe. It
creates at least 3 registry entries, which call the program whenever you
log on to Windows and/or you start IE. Once mslxlu.exe runs, it copies itself to
c:\%win_root%\system32\msrksd.com, which is also called when you log on to
Windows or start IE. A third copy is made and copied to
c:\%win_root%\win32cmds.exe. Using your Task Manager (win2k/XP) will show you
this process once it's running.
All instances are UPX compressed files. Norton does NOT recognize the
trojan!
What it does:
1) It runs an IRC server on port 6666
2) It connects to ICQ using remote port 80
3) It tries to connect to hotmail.com to send off an email, using remote
port 25
I did not analyse the data it would try to send, though, as in- and outgoing
connections were blocked when I analysed it. It looks like the trojan is
even able to capture your screen.
In case one of you already got infected, please contact ActiveWorlds for
removal instructions.
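Added example (not from the post, and not an ActiveWorlds or Norton tool): a small Python triage script that checks for the two host-side indicators the post gives, autorun registry values pointing at the renamed copies and UPX packing. The post does not name the registry entries, so inspecting the standard Run keys is an assumption, and the .reg excerpt and PE stub are constructed samples.

```python
"""Triage helper for the awtoolkit.exe trojan described in the post above
(added example, not the poster's tool): flags autorun registry values that
point at the renamed copies, and a UPX0/UPX1 section-name packing hint."""
import re
import struct

# File names the post says the trojan renames/copies itself to.
DROPPED_NAMES = ("mslxlu.exe", "msrksd.com", "win32cmds.exe")
# The post does not name the registry entries; inspecting the standard
# logon autorun keys is an assumption.
AUTORUN_KEY = re.compile(r"\\(Run|RunOnce|RunServices)\]$", re.IGNORECASE)
REG_VALUE = re.compile(r'"([^"]*)"="(.*)"$')

def suspicious_autoruns(reg_export):
    """Return (key, value_name, data) for autorun values whose data names a dropped file."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if AUTORUN_KEY.search(line) else None
            continue
        m = REG_VALUE.match(line)
        if key and m and any(n in m.group(2).lower() for n in DROPPED_NAMES):
            hits.append((key, m.group(1), m.group(2)))
    return hits

def is_upx_packed(pe):
    """True if the bytes parse as a PE with a UPX0/UPX1 section; a hint only, since packers can rename sections."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[off:off + 4] != b"PE\0\0":
        return False
    nsect = struct.unpack_from("<H", pe, off + 6)[0]    # NumberOfSections
    opt = struct.unpack_from("<H", pe, off + 20)[0]     # SizeOfOptionalHeader
    table = off + 24 + opt                              # first IMAGE_SECTION_HEADER
    names = {pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(nsect)}
    return bool(names & {b"UPX0", b"UPX1"})

def build_stub_pe(section_names):
    """Constructed sample: minimal DOS stub + COFF header + empty section
    headers, enough for is_upx_packed to parse. Not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    return dos + coff + b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)

# Constructed .reg excerpt shaped like the logon persistence the post describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSAgent"="C:\\WINNT\\msagent\\mslxlu.exe"
"Updater"="C:\\Program Files\\Updater\\update.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmds"="C:\\WINNT\\win32cmds.exe"
"""
```

On a live machine you would feed `suspicious_autoruns` the output of `reg export` for the Run keys and `is_upx_packed` the bytes of the three paths named in the post.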
Jul 21, 2003, 4:56pm
If you actually look at my post, you wouldn't need to post another topic.
Jul 21, 2003, 5:07pm
I accidentally downloaded a file from this server, it was a BIG mistake. My cit
was hacked, I could no longer log onto AW, then all of my configuration files
were erased including my system config. To make a long story short, I had to
format my computer.
Please do not click on any urls in tgrams that have been sent by me in the
last 2 days, or file requests. The post I posted to the NG about utilities
to the best of my knowledge does not have any viruses or spyware on them.
I am very sorry for this if anyone has received any urls or links by me in
the last 2 days that have been infected.
"chrispeg" <chrispeg at gmx.net> wrote in message
news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 5:46pm
chrispeg, report it to Norton.
--
Brock - 308723 - DE Leader
"chrispeg" <chrispeg at gmx.net> wrote in message
news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 6:02pm
Wait, I accidentally clicked it. How do I get rid of it!!!!
"brock" <BrockL at iceflare.net> wrote in message
news:3f1c42fe$1 at server1.Activeworlds.com...
> chrispeg, report it to Norton.
>
> --
> Brock - 308723 - DE Leader
> "chrispeg" <chrispeg at gmx.net> wrote in message
> news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 6:04pm
rofl, read what it does, and delete what's in the msagent thing heh
Jul 21, 2003, 6:09pm
That is not enough, themask.
Please contact AW for removal instruction.
"themask" <admin at themask.3dhost.net> wrote in message
news:3f1c4764 at server1.Activeworlds.com...
> rofl, read what it does, and delete what's in the msagent thing heh
>
>
Jul 21, 2003, 6:10pm
Okay, I reported it to Norton.
btw: how are you brock ?
"brock" <BrockL at iceflare.net> wrote in message
news:3f1c42fe$1 at server1.Activeworlds.com...
> chrispeg, report it to Norton.
>
> --
> Brock - 308723 - DE Leader
> "chrispeg" <chrispeg at gmx.net> wrote in message
> news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 6:40pm
Eh, and you think AW would know? I'd rather see what Norton gets.
Jul 21, 2003, 7:01pm
chrispeg wrote:
> If you get a telegram like this:
>
> "Telegram from someone's name, sent Mo Jul 21, 2003 06:41:
> My friend has made a cool little program for AW and it would mean a lot to
> me if you helped him out and downloaded it and told me and him what you
> think: www . twisted-inc . com / awtoolkit . exe "
> (URL without blanks).
It's funny how everyone runs this. Even people who should know better
run it.
--
--Bowen--
No of SETI units returned: 41
Processing time: 31 days, 9 hours.
(Total hours: 753)
www.setiathome.ssl.berkeley.edu
Jul 21, 2003, 7:06pm
Good chris, good, long time no see.
--
Brock - 308723 - DE Leader
"chrispeg" <chrispeg at gmx.net> wrote in message
news:3f1c48c0 at server1.Activeworlds.com...
> Okay, I reported it to Norton.
>
> btw: how are you brock ?
>
>
> "brock" <BrockL at iceflare.net> schrieb im Newsbeitrag
> news:3f1c42fe$1 at server1.Activeworlds.com...
Jul 21, 2003, 7:14pm
Can this thing do any damage if you're not under an Administrator account?
Ryan
chrispeg wrote:
Jul 21, 2003, 7:27pm
What are the names of the registry entries?
"chrispeg" <chrispeg at gmx.net> wrote in message
news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 7:32pm
BTW, will deleting all of the files get rid of it sufficiently, or should I
delete the registry entries too?
"chrispeg" <chrispeg at gmx.net> wrote in message
news:3f1c3439 at server1.Activeworlds.com...
Jul 21, 2003, 7:42pm
You just delete all the files and registry entries, right?
"themask" <admin at themask.3dhost.net> wrote in message
news:3f1c4fc1$1 at server1.Activeworlds.com...
> Eh, and you think AW would know? I'd rather see what Norton gets.
>
>
Jul 21, 2003, 8:00pm
Yeah, and I got the links in the telegram. Unfortunately your warning came
too late. Luckily I didn't lose my cit. Thanks anyway. It's no problem, it's
not your fault.
"pineriver" <pineriver at thenett.com> wrote in message
news:3f1c39d6 at server1.Activeworlds.com...
Jul 21, 2003, 8:01pm
rofl, I got it from matt through pineriver's cit. I clicked on it stupidly
because I trust pineriver, and didn't know the cit was stolen :-P sucks for
me
"bowen" <Bowen at andras.net> wrote in message
news:3f1c5497$1 at server1.Activeworlds.com...
> chrispeg wrote:
>
> It's funny how everyone runs this. Even people who should know better
> run it.
>
> --
> --Bowen--
>
> No of SETI units returned: 41
> Processing time: 31 days, 9 hours.
> (Total hours: 753)
> www.setiathome.ssl.berkeley.edu
>
Jul 21, 2003, 8:01pm
I'd just like to know what kind of toolkit would be in around a 50kb exe, or
what installation comes in a 50kb exe?
Jul 21, 2003, 8:50pm
r i c h a r d wrote:
> I'd just like to know what kind of toolkit would be in around a 50kb exe, or what installation comes in a 50kb exe?
The executable was compressed with UPX, so it was probably originally larger than 50kb.
--
-Agent1
Jul 22, 2003, 1:36pm
My cit is hacked and guess who told me? OneSummer that hacker, and now I can't
get on AW...
"pineriver" <pineriver at thenett.com> wrote in message
news:3f1c39d6 at server1.Activeworlds.com...
Jul 22, 2003, 1:42pm
OneSummer is NOT a hacker....sheeesh.....
"calhoun" <coen at charter.net> wrote in message news:3f1d59f5 at server1.Activeworlds.com...
> My cit is hacked and guess who told me? OneSummer that hacker, and now I can't
> get on AW...
Jul 22, 2003, 1:43pm
It's a bunch of punks on AWTeen doing it... They steal your cit, then use it to
telegram your friends with the link.
"calhoun" <coen at charter.net> wrote in message
news:3f1d59f5 at server1.Activeworlds.com...
> My cit is hacked and guess who told me? OneSummer that hacker, and now I can't
> get on AW...
Jul 22, 2003, 3:15pm
Trust me, OneSummer is *not* a hacker, cracker, or script kiddie. She is
always hosting community events and I host two bots for her in BluPearl
world. If she sent you a telegram, it was probably to warn you *not* to
click on a link or something. She's been a target of various "trouble
makers" (had to use your word, BinaryBud ;) in the past and hardly ever
is the cause of such problems. Another possibility is that she herself
clicked on the bot link and her account password was stolen and someone
else sent the telegram to you under her name.
Builderz
http://www.3dhost.net
calhoun wrote:
>
> My cit is hacked and guess who told me? OneSummer that hacker, and now I can't
> get on AW...
Jul 22, 2003, 3:53pm
Confirmation: the last scenario is correct. Everyone be careful.
On the net, it's NOT always who you think it is.
Leo
"builderz" <builderz at vastnexus.com> wrote in message news:3F1D6FB1.8E8683B1 at vastnexus.com...
Jul 22, 2003, 6:19pm
But my name is Bill Gates, and I own you all...