recent trojaned urls

Posted: Mon Apr 05, 2004 1:36 pm
by munky
just a warning for all IE users out there
there are some exploits going around that use an unpatched IE vulnerability. do not visit websites with the following in the URL:
*brasky.com* *ilwig.net/rofl.swf* *sillyu.afraid.org* *preview.ampuh.info* *just4fun.afraid.org* *nowim.4t3.com* *goten007.cjb.net*

one claimed workaround is the following regedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

as for right now, i don't know the current recommended method for fixing/removing the worm

Posted: Mon Apr 05, 2004 2:42 pm
by munky
from Rats:
it's in remotes in mirc, and you delete dllhost32.exe in safe mode.
dllhost32.exe is a fake bin, the real one is dllhost.exe, and you delete 2 strings in regedit which show dllhost32.exe "as" the real one and then you are done
if anyone has any other firsthand experiences removing this, i'd love to hear them

Posted: Mon Apr 05, 2004 3:41 pm
by munky
i was just linked to this:
http://rentalforums.nuclearfallout.net/ ... php?t=1040

another set of instructions for removal.
NOTE: i have not tested these personally, so be wary of the linked exe (ie - it's not my fault if it's another virus)

Posted: Tue Apr 06, 2004 2:29 pm
by munky
add *profweekday.com/pong* and *dzacc.com/~mike/funny/kongfu.swf* to the list of bad URLs

and *goon4hire.com/winrg.swf*, *djean.com/pingpong.swf*, *mikenoels.net/matrix.swf*
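
Added example, not part of the original thread: a small Python check that runs the wildcard patterns listed in the posts above against proxy-log lines to find clients that requested a matching URL. The log format (timestamp, client, URL) and the sample lines are constructed for illustration, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Wildcard patterns exactly as posted in the thread (Apr 05 and Apr 06, 2004).
BAD_URL_PATTERNS = [
    "*brasky.com*", "*ilwig.net/rofl.swf*", "*sillyu.afraid.org*",
    "*preview.ampuh.info*", "*just4fun.afraid.org*", "*nowim.4t3.com*",
    "*goten007.cjb.net*", "*profweekday.com/pong*",
    "*dzacc.com/~mike/funny/kongfu.swf*", "*goon4hire.com/winrg.swf*",
    "*djean.com/pingpong.swf*", "*mikenoels.net/matrix.swf*",
]

def normalize(url):
    """Percent-decode, lowercase and drop the scheme so trivial variants still match."""
    return unquote(url.strip()).lower().split("://", 1)[-1]

def match_url(url):
    """Return the first thread pattern the URL matches, or None.
    The patterns are substring-style, so '*brasky.com*' also hits hosts that
    merely contain that text; treat a hit as a lead to review, not a verdict."""
    candidate = normalize(url)
    for pattern in BAD_URL_PATTERNS:
        if fnmatchcase(candidate, pattern.lower()):
            return pattern
    return None

def scan_log(lines):
    """Return (timestamp, client, url, pattern) for every line whose URL matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:          # skip malformed lines instead of crashing
            continue
        pattern = match_url(parts[2])
        if pattern:
            hits.append((parts[0], parts[1], parts[2], pattern))
    return hits

# Constructed sample log: "<timestamp> <client> <url>" (assumed format).
SAMPLE_LOG = [
    "2004-04-06T14:01:09 10.0.0.12 http://www.example.org/index.html",
    "2004-04-06T14:02:41 10.0.0.12 http://ILWIG.net/rofl.swf",
    "2004-04-06T14:03:10 10.0.0.31 http://djean.com/pingpong.swf?x=1",
    "2004-04-06T14:04:55 10.0.0.31 http://ilwig.net/about.html",
    "2004-04-06T14:05:20 10.0.0.40 http://foo.sillyu.afraid.org/",
    "truncated-line",
]

if __name__ == "__main__":
    for ts, client, url, pattern in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} requested {url} (matches {pattern})")
```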