
"The Cardone Group" virus . . . please help

2 replies to this topic

#1 ut2k7


  • Members
  • 2 posts
  • Local time:03:30 AM

Posted 26 January 2005 - 11:07 PM

Hey all,

On Instant Messenger the other day, I very foolishly downloaded a screensaver on a buddy's away message that had a URL that was something like "www.thecardonegroup.screensaver." It was a virus, and it caused my instant messenger to put up the same away message. It also closes down the window that pops up whenever you push Ctrl+Alt+Delete. In addition, it got me booted off my school's internet service. I got an e-mail saying my computer had been found with a "virus related to the Gaobot, SDbot, or IRCbot." I looked on the internet, and haven't been able to find anything about this worm. I did go to the Cardone Group main website, and they claim to be an advertising firm based in Orlando(?). Does anyone know about this worm, and if so, what damage does it do and how do I get rid of it? Thanks.



#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA
  • Local time:04:30 AM

Posted 26 January 2005 - 11:55 PM

Create a directory on your hard drive, to save HijackThis.exe, called c:\hijackthis. This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.

Download the latest version, from here.

Read the pinned post in the HJT forum, here

Then, run a log, and post it in the HJT forum. Do not fix anything, yet.
A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.

#3 tweak


  • Members
  • 4 posts
  • Local time:03:30 AM

Posted 28 January 2005 - 12:22 PM

W32.IRCBot.B is a Backdoor Trojan Horse that connects to an IRC server and waits for commands from the hacker. This Trojan is a variant of W32.IRCBot and W32.IRCBot.Gen.

Note: It has been reported that W32.IRCBot.B may arrive in an email message about a fake program update for Norton AntiVirus. The sender, updates@symantec.com, is a spoofed email address. Symantec never sends unsolicited email; the attachment should be deleted.

The Trojan may arrive in an email with the following characteristics:

From: updates@symantec.com (spoofed email address)
Subject: Last Update.
Attachment: nav32.zip
Attachment Type: Zip file
Attachment Size: 15.5 Kbytes

NOTE: When the nav32.zip file is decompressed, it becomes an executable file named nav32.exe, which is 19Kb in length.

The Trojan is packed with UPX.

Also Known As: Win32.SdBot.18976 [CA], Troj/Ircbot-M [Sophos], Backdoor.IRCBot.gen [KAV], W32/Sdbot.worm.gen [McAfee]

Type: Trojan Horse
Infection Length: 19 Kbytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

When W32.IRCBot.B is executed, it attempts to perform the following actions:

Inserts a copy of itself as %SYSTEM%\RPC<random>.exe.

where <random> is a random series of characters.

Note: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"windowsupdate" = "RPC<random>.exe"

to the following registry keys:


Attempts to connect to the IRC server, itc.ourmoney.pp.ruz, using TCP port 31337.

Attempts to join a predefined channel, using a random nickname, and waits for commands from the IRC server.

Commands include, but are not limited to:

Managing the installation of the Trojan
Controlling the IRC client on a compromised computer
Updating the installed Trojan
Sending the Trojan to other IRC channels
Downloading and executing files
Performing Denial of Service (DoS) attacks against a target, which the hacker defines
Uninstalling itself completely by removing the relevant registry entries
Terminating processes
Visiting Web sites

Removal instructions:

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.IRCBot.B.
Delete the value that was added to the registry.

Excerpts from http://securityresponse.symantec.com/avcen...2.ircbot.b.html

For more information about removing Trojans, you might visit the following web pages:
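
The indicators listed in the post above (a `windowsupdate` value whose data is `RPC<random>.exe`, plus a matching file in the System folder) can be checked offline against the text of a registry export and a directory listing. This is an added example, not part of the thread or of the quoted Symantec write-up; the sample export, the placeholder key names and the function names are constructed for illustration, and the pattern used for `<random>` is an assumption.

```python
import re

# Indicators from the write-up above: value "windowsupdate" = RPC<random>.exe.
# <random> is not defined on the page; any filename characters are accepted (assumption).
VALUE_NAME = "windowsupdate"
DROPPED = re.compile(r'^RPC[^\\/:*?"<>|]+\.exe$', re.IGNORECASE)
KEY_LINE = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample data. The key names are placeholders because the list of
# registry keys is missing from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\EXAMPLE\PlaceholderKeyA]
"windowsupdate"="RPCqzxw.exe"
"SomeTrayApp"="C:\\Program Files\\Tray\\tray.exe"

[HKEY_CURRENT_USER\EXAMPLE\PlaceholderKeyB]
"WindowsUpdate"="C:\\Tools\\wuhelper.exe"
'''
SAMPLE_LISTING = ["kernel32.dll", "rpcqzxw.exe", "rpcss.dll", "RPCtool.exe"]

def leaf(path):
    """File name part of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def find_autostart_hits(reg_export):
    """Return (key, name, data) for each string value matching both indicators."""
    hits, key = [], None
    for line in map(str.strip, reg_export.splitlines()):
        if KEY_LINE.match(line):
            key = line[1:-1]
            continue
        m = STRING_VALUE.match(line)
        if not m:
            continue
        # .reg files escape backslashes and quotes with a leading backslash.
        name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        if name.lower() == VALUE_NAME and DROPPED.match(leaf(data)):
            hits.append((key, name, data))
    return hits

def correlate(hits, system_listing):
    """Split RPC*.exe files in the System folder by whether a hit references them."""
    referenced = {leaf(data).lower() for _, _, data in hits}
    candidates = [f for f in system_listing if DROPPED.match(f)]
    confirmed = [f for f in candidates if f.lower() in referenced]
    return confirmed, [f for f in candidates if f not in confirmed]
```

On the sample, the second `WindowsUpdate` value is not reported because its data does not match the file-name pattern, and `RPCtool.exe` lands in the unreferenced list: the file-name pattern alone is a weak signal until a registry value points at the file.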
