Infected with Backdoor:Win32/cycbot.b Trojan

4 replies to this topic

#1 williamx
Posted 05 December 2010 - 07:18 PM

Now I just got this trojan last night on my laptop, so now I'm using another clean PC. I've spent the past 7 hours googling information on it after seeing the information about identity theft having to do with this trojan and having a panic attack...
It says it uses an IRC server for DCC. Now, if this trojan is using an IRC server to DCC your personal information, wouldn't disconnecting your infected PC from the internet stop the DCC and compromise of your files? I turned my internet off within 1 minute of receiving the notification of this trojan. (And I plan to reformat the hard drive before ever connecting it back to the internet.) So I would think not very much information was transferred. Like the description says, it is usually the human himself or a bot or script running the trojan. So, my thoughts are, does the bot, or human, know what files to look in for priority? Is it possible to have all your information downloaded to the other computer in under 1 minute through the DCC on the internet? (My download speed is slower than a sloth.) So I would say once you are disconnected from the internet, bye bye to the DCC between you and the hacker's server of evil.
The reason I am so worried is because I did have a .txt file that had my full name and SS# on it in a folder inside another folder, but it wasn't obvious that it was in there. So does the trojan know which files to download fast? And how fast can it download them? I went ahead and changed all my logins that I could think of. And am monitoring my online bank for any changes, so far so good, but who knows how long it takes for a snoopy Russian to decide what he's going to do with your personal information. And I say a snoopy Russian because that's where this trojan originated, after all, they are good at what they do. And just to make sure, since it is a DCC I would assume the hacker can't download more files from your computer if you are not connected to the internet. So that's what I learned about this, any input from anyone? Trying to learn as much as possible about this since it has a great potential for a great deal of damage.

#2 williamx (Topic Starter)

Posted 06 December 2010 - 02:54 AM

well, I see no one has touched this topic yet. (sadface)
I have some more information on this as well.
I was looking through my security history reports under my Norton 360 anti-virus.
I reviewed most of the entries that were 'eye-catching.'
And this could be good news, but I have the IP address of the attacker when they initiated the attack on my computer, which was Sunday, Dec 5th 2010, at 8 PM.
Other information provided by the Norton security history of this incident included:
The attacker's URL.
Is there any way I can report this person with this information (attacker's IP address and URL) to have justice brought upon this, and possibly help out the rest of the people who have been infected by this?
And I saw something in there about my firewall making new rules for Java Web start launcher, which seems to be when the problems begin to happen, so I believe that's how he got through in the first place, through Java.
It has this in there \Device\hardiskvolume1\program files\Java\JRE6Bin\Java.Exe
Some of the history explained to me what he was doing.
It looked like he was trying to start there in Java and from there gain access so he could get remote control of my computer, but I don't think he succeeded in getting any important personal files due to my quick thinking.
I read entries in there like he was trying to change settings, but was blocked, and one entry explained that I had allowed him access to my network resources, which is why I was alarmed. There were actually two names that appeared to have gained entry, so it looks like two attacks, and it says '2' in the number of people attacking. Which I am guessing is what the trojan did for him, as I would never willingly let anyone into my computer to do harm, obviously.

Also entries of my IDS detection statistical submission alerting me of the intrusion.
Statistical submissions of:
conhost.exe (which I don't really understand because I was reading about it and it is supposed to be some helpful tool used for windows 7, but my OS is windows xp, and I never noticed any entries about it until my computer got infected, so I think in this case it was bad, but again I don't have a lot of information on this.)
And the other executable was trojan.maljava.
Much more obvious, you see it's a trojan, and it is linked to java. Which is where I was saying this started. I got this information about it on google.
Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that exploit one or more vulnerabilities.
So for now I think that is all the information I have about this. If anyone here can find some time to discuss this with me, and answer my questions, I would GREATLY appreciate it. Happy holidays to everyone.

#3 williamx (Topic Starter)

Posted 06 December 2010 - 03:17 AM

While I'm asking, it doesn't really matter as I fixed it already a couple of months ago, but I was always curious as to what it was exactly because I had no clue and am still puzzled as to what it was.
I was installing a new external hard drive to a CPU tower I had with 3 slots for external hard drives. When I was doing all my Windows updates, requiring an internet connection, I don't believe I had any security turned on at that time. Then I restarted to finish the installations and that's when the odd stuff began to happen. The hard drive wouldn't boot sometimes. So I pulled it out and put in my old hard drive that I was using before. Then it started to have similar problems, even with the other believed-to-be-infected hard drive pulled out. I'm not sure if it was coming from my network. Or if it was somehow installed into my BIOS or computer hardware itself, other than the hard drive; I thought it was the CMOS memory but read something on google saying this wasn't possible. The final symptom I had was when I put the first hard drive I talked about back into the CPU tower and turned it on. Immediately it brought me to the BIOS screen asking me for a password. But I never had put in a password for the BIOS, and could not get past this screen to log in to my computer as the BIOS requesting a password wouldn't allow me. I ended up having to go in and reset the BIOS myself, which you can read about on google, simple job, just a hassle to get back there. After that I installed a fresh new hard drive without putting any of the infected ones in. And just did the Windows updates as fast as I could while I was vulnerable until I got my firewall installed. Haven't had any problems since, and I still don't have any idea what it was that happened exactly, or how it traveled to my hard drives without traveling from one hard drive to the other.
If anyone knows information on this, please let me know, it would be interesting to hear about.
Thank you.

#4 williamx (Topic Starter)

Posted 06 December 2010 - 10:16 AM

I was thinking, if the trojan got access to my network, why didn't it attack the other computers on the network? I have a high-tech Motorola router, which are pretty expensive, but I got it free for fixing a friend's TV. It has its own security system, and the password is usually the number on the bottom of the router itself. So I don't think you can change the password; is it possible that whoever got into my network can still access the other computers with the password, even though they have no viruses or signs of tampering? I did full system scans on all of them. Does the trojan itself need to be downloaded to each computer in order for it to get control of the network?

#5 williamx (Topic Starter)

Posted 08 December 2010 - 03:10 AM

Well, been monitoring everything for a couple of days, everything seems to be fine!
If anyone wants to report cyber incidents like these, there is a website that will direct your complaint to the appropriate authorities. It's called www.Isee3.gov.
And ending this thread I would just like to say thank you for no one helping here. Have a good day!