
How to detect DwighLight stealer?


No replies to this topic

#1 kanenas


Posted 14 June 2011 - 03:40 PM

Hello.

I did a scan with MalwareBytes Anti-Malware and it came up with a homepage.txt in c:\Windows\SysWOW64 (the system is Win7 Ultimate x64).
It also found the same file in d:\Windows\system32 (that's another partition with XP SP3 on it).
The Win7 file is 6 months old and the XP one about two years old.

Because of this, I'm not sure if the stealer is still around or has already been deleted by some antivirus scan.
I don't seem to experience any problems but that means nothing.

The files are formatted so (the Win7 one):

=====================================
============ DwighLight ============
=====================================


=====================================
====== Windows Live Messenger =======
=====================================


=====================================
ΙωyΙωyΙ1μ+Ÿ%Σ+ΔdΙωyΙωyΙ
=====================================



===================

The XP file is similar but has 4-5 more entries in it.

Looking around, I came across a few references to this stealer that claimed it was undetectable (at least at that time).
e.g.
w w w.elitehackerz.net/ehz-toolbox/1121-dwighlightstealer-2-0-full-undetected.html
w w w.hackforums.net/archive/index.php/thread-83513.html
w w w.forum-maximus.net/viewtopic.php?f=25&t=155193

Not sure if the 3rd entry refers to the same stealer.

Anyway, assuming this thing is still around, how can I detect it?

HijackThis, GMER, and a couple of antivirus products didn't come up with anything.

Thanks in advance.
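
Added example, not part of the original post: a Python triage helper for a file that a scanner has flagged with the banner layout quoted above. It reports whether the first banner reads "DwighLight", when the file was last written, and how many entry lines sit under each section, which helps judge whether the file is a stale leftover or is still being appended to. The function names and the sample text are assumptions made for this illustration; the check reads only the output file and does not detect a running process.

```python
import os
import time

def is_rule(line):
    """True for a separator line made only of '=' characters."""
    s = line.strip()
    return bool(s) and set(s) == {"="}

def parse_sections(text):
    """Return [(title, [entry lines])] for the rule/title/rule layout in the post."""
    lines = text.splitlines()
    sections, i = [], 0
    while i < len(lines):
        # A section header is three lines: rule, title, rule.
        if (i + 2 < len(lines) and is_rule(lines[i]) and is_rule(lines[i + 2])
                and lines[i + 1].strip() and not is_rule(lines[i + 1])):
            sections.append((lines[i + 1].strip("= \t"), []))
            i += 3
            continue
        # Any other non-blank, non-rule line is an entry of the current section.
        if lines[i].strip() and not is_rule(lines[i]) and sections:
            sections[-1][1].append(lines[i].strip())
        i += 1
    return sections

def triage(path):
    """Summarise one flagged file: banner match, last write date, entries per section."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        sections = parse_sections(fh.read())
    mtime = time.localtime(os.path.getmtime(path))
    return {
        "path": path,
        "banner_match": bool(sections) and sections[0][0] == "DwighLight",
        "last_written": time.strftime("%Y-%m-%d", mtime),
        "entries": {title: len(body) for title, body in sections},
    }

# Constructed sample that follows the layout quoted in the post; the entry line
# is a placeholder, not real captured data.
SAMPLE = "\n".join([
    "=====================================",
    "============ DwighLight ============",
    "=====================================",
    "",
    "=====================================",
    "====== Windows Live Messenger =======",
    "=====================================",
    "constructed-entry-placeholder",
    "",
    "===================",
])

if __name__ == "__main__":
    import sys
    for flagged in sys.argv[1:]:  # e.g. the homepage.txt paths the scanner reported
        print(triage(flagged))
```

A file whose last write date keeps advancing, or whose entry counts grow between two runs, indicates something is still writing to it.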
