recent trojaned urls

Post everything else here

Moderators: Website/Forum Admins, Other/Off Topic Moderators

User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

recent trojaned urls

Postby munky » Mon Apr 05, 2004 1:36 pm

just a warning for all IE users out there
there are some exploits going around that use an unpatched IE vulnerability. do not visit websites with the following in the URL:
*brasky.com* *ilwig.net/rofl.swf* *sillyu.afraid.org* *preview.ampuh.info* *just4fun.afraid.org* *nowim.4t3.com* *goten007.cjb.net*

one claimed workaround is the following regedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

as for right now, i don't know the current recommended method for fixing/removing the worm
In God we trust,
Everyone else must have an X.509 certificate.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Mon Apr 05, 2004 2:42 pm

from Rats:
its in remotes in mirc, and you delete dllhost32.exe in safemode.
dllhost32.exe is a fake bin, the real one is dllhost.exe, and you delete 2 strings in regedit wich shows dllhost32.exe "as" the real one and then you are done
if anyone has any other firsthand experiences removing this, i'd love to hear them
In God we trust,
Everyone else must have an X.509 certificate.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Mon Apr 05, 2004 3:41 pm

i was just linked to this:
http://rentalforums.nuclearfallout.net/ ... php?t=1040

another set of instructions for removal.
NOTE: i have not tested these personally, so be wary of the linked exe (ie - it's not my fault if it's another virus)
In God we trust,
Everyone else must have an X.509 certificate.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Tue Apr 06, 2004 2:29 pm

add *profweekday.com/pong* and *dzacc.com/~mike/funny/kongfu.swf* to the list of bad URLs

and *goon4hire.com/winrg.swf*, *djean.com/pingpong.swf*, *mikenoels.net/matrix.swf*
In God we trust,
Everyone else must have an X.509 certificate.

Who is online

Users browsing this forum: No registered users and 1 guest