SOME INFO IF YOU'RE DOCUMENTING THIS EXPLOIT
First off, if you are still being infected by this or having problems, first
- CLICK HERE -
They kept saying on the virus alerts about this problem: LOW LEVEL.
I don't think it's very low level, to me.

In the keylog.txt I found all my email and credit card account passwords, as well as my home address and full info.

Basically everything you would need to clone a new me.

There are a few things I'm still uncertain about. I'm almost positive this virus comes from Kazaa, but then again the RPC DCOM problem is what first tipped most people off that they had a problem.

The RPC DCOM fault is all the attacker would need to execute code on your computer (from what I hear), so basically all they need is your IP address; then they connect to port 135, somehow fault the RPC and get ahold of CMD.EXE. This basically gives them a DOS C:\ on your computer (in layman's terms, full access), so from there all they need to do is find a service already present on your own computer to connect OUT, so then they connect your computer to the hacker's computer. From what I have seen it looks like they use one or both of WEDDAV.EXE or TFTP.EXE (both of these are legit services that may already be present on your computer). Now with a connection open between the 2 computers they can start sending and installing items on to your computer. So at this point (or maybe they do this before they use webdav?) they send over msconfig32.exe, and this thing looks like it's just there to hide your regedit and Task Manager so you can't see anything else they may install. Now they start installing keyloggers and more trojans, then they start fortifying the trojans through your ini files and your registry so when you find the trojans they can replicate.
In looking back through my log files it seems this has to be the way it went, because my system event logs show my svchost.exe (RPC) faulted at exactly 2:36, then the keylogger started recording at exactly 2:36 also. The svchost.exe faulted a few times after that, but 2:36 August 1st was the very first time.

This was at 2:36 am August 1st:
Faulting application svchost.exe, version 5.1.2600.0, faulting module svchost.exe, version 5.1.2600.0, fault address 0x000016c6.
Then at exactly the same time as the keylogger stopped recording (6:46 pm), I got this error:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
That must have been when my computer crashed the first time.
Then the next day I got the same errors; this time the first one and the second one were only 6 minutes apart. Then 4 hours later I started getting only the second part of the (error) crash; this must have been after the system was compromised.
The keylogger only copied down stuff from the first crash. It wasn't restarted again after 6 pm August 1st, even though my system crashed many times after this.
Sidenote: I am very careful when downloading and quite informed with computers. I'm assuming this virus/hack came through Kazaa/Lite, but not attached to any files; it must have been through a fault in Kazaa, not in a file itself, as I hadn't used it in quite a while and in fact I had only ever downloaded pictures/videos/mp3s.
The timing of the RPC fault problem/exploit says to me that it wasn't initiated until very recently. Thus my system couldn't have been compromised before, let's say, 3 days before the problem first appeared. That pretty well eliminates me getting it from a file, but I did have KazaaLite on in the same time frame.
If you're interested in chipping in for a fund to hire a hitman to bump off Bill Gates, send donations to
hitmanfund@paypal.com
Haha, just kidding.
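The poster reconstructed the intrusion by hand, lining up the svchost.exe fault and COM+ events in the Windows event logs against the first and last timestamps in keylog.txt. The script below is an added example, not part of the post, showing how a responder would do that correlation in code: it merges log events and file artefact markers into one sorted timeline and flags which log events fall within a few minutes of an artefact's first or last write. The sample entries are constructed from the two error messages quoted in the post; the year (2003), the event sources and the exact minute values are assumptions, since the post gives only times and the date.

```python
"""Incident timeline correlation (added example, not from the original post).

Correlates Windows event-log entries with the first and last timestamps found
in a suspect artefact (here, a keylogger's output file) to support or refute
the hypothesis that a service fault and the artefact's activity are linked.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime      # timestamp of the log entry
    source: str         # event source as shown in Event Viewer
    message: str        # message text


# Constructed sample of System/Application log entries, modelled on the
# 2:36 am and 6:46 pm observations on 1 August in the post (year assumed).
SAMPLE_EVENTS = [
    Event(datetime(2003, 8, 1, 2, 36), "Application Error",
          "Faulting application svchost.exe, version 5.1.2600.0, faulting "
          "module svchost.exe, version 5.1.2600.0, fault address 0x000016c6."),
    Event(datetime(2003, 8, 1, 18, 46), "EventSystem",
          "The COM+ Event System detected a bad return code during its "
          "internal processing. HRESULT was 800706BA ..."),
    # Constructed: the next day's pair of errors, 6 minutes apart as described.
    Event(datetime(2003, 8, 2, 2, 40), "Application Error",
          "Faulting application svchost.exe, version 5.1.2600.0 ..."),
    Event(datetime(2003, 8, 2, 2, 46), "EventSystem",
          "The COM+ Event System detected a bad return code ... 800706BA ..."),
]

# Constructed artefact markers: first and last entry times in keylog.txt.
KEYLOG_FIRST = datetime(2003, 8, 1, 2, 36)
KEYLOG_LAST = datetime(2003, 8, 1, 18, 46)


def svchost_faults(events):
    """Return only the application-fault events that name svchost.exe."""
    return [e for e in events
            if e.source == "Application Error" and "svchost.exe" in e.message]


def first_fault(events):
    """Earliest svchost.exe fault, or None if there is none."""
    faults = svchost_faults(events)
    return min(faults, key=lambda e: e.when) if faults else None


def correlate(events, artefact_time, window=timedelta(minutes=5)):
    """Events whose timestamp lies within `window` of `artefact_time`."""
    return [e for e in events if abs(e.when - artefact_time) <= window]


def build_timeline(events, markers):
    """Merge log events and named artefact markers into one sorted timeline.

    `markers` maps a label (e.g. 'keylog first entry') to a datetime.
    Each row is (time, source, short description).
    """
    rows = [(e.when, e.source, e.message[:60]) for e in events]
    rows += [(t, "artefact", name) for name, t in markers.items()]
    return sorted(rows)


def gaps_between(events, src_a, src_b):
    """Minutes from each src_a event to the next src_b event after it.

    Used here to check the post's observation that on day two the fault and
    the COM+ error were only 6 minutes apart.
    """
    ordered = sorted(events, key=lambda e: e.when)
    gaps = []
    for i, a in enumerate(ordered):
        if a.source != src_a:
            continue
        for b in ordered[i + 1:]:
            if b.source == src_b:
                gaps.append((b.when - a.when).total_seconds() / 60)
                break
    return gaps


if __name__ == "__main__":
    markers = {"keylog first entry": KEYLOG_FIRST, "keylog last entry": KEYLOG_LAST}
    for when, source, text in build_timeline(SAMPLE_EVENTS, markers):
        print(f"{when:%Y-%m-%d %H:%M}  {source:18}  {text}")
    print("near keylog start:", [e.source for e in correlate(SAMPLE_EVENTS, KEYLOG_FIRST)])
    print("fault -> COM+ gaps (min):", gaps_between(SAMPLE_EVENTS, "Application Error", "EventSystem"))
```

Run as a script it prints the merged timeline; in a real investigation the `SAMPLE_EVENTS` list would be replaced by entries exported from Event Viewer and the markers by the artefact's own timestamps, and the correlation window widened or narrowed to the clock precision of the logs in hand.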