Hijackthis Log Xlc.exe
List of security applications targeted by Win32/Visal.B

The process and file names below appear with the mixed case used in the malware's own list; because Windows filenames are case-insensitive, the capitalisation is irrelevant to whether a process is matched:

00hoeav.com 0w.com 360rpt.ExE 360safe.ExE 360safebox.ExE 360tray.ExE 6.bat 6fnlpetp.exe 6x8be16.cmd BIOSREad.exe BdSurvey.exe CCenter.ExE CEmRep.ExE CMain.ExE CaVCmd.exe CaVCtx.exe CaVRep.exe CaVRid.exe CaVSCons.ExE CaVSubmit.ExE CavEmSrv.ExE CavMUd.ExE CavQ.ExE CavSn.ExE

Bifrost Network Behavior

Bifrost uses a custom protocol to communicate with the GUI on the attacker's computer.
Win32/Visal.B will then attempt to email the output files to an email address hardcoded in the malware.

The downloaded executables are saved in the %systemroot% folder (e.g.
CTU analyzed the sample and correlated its results with findings from other security researchers to determine which files would be downloaded and installed on an infected computer.

With these registry additions, Win32/Visal.B instructs Windows Explorer not to show hidden files or protected operating system files (Hidden=2 selects "Do not show hidden files and folders"; ShowSuperHidden=0 hides protected operating system files):

Key                                                                      Value            Data
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden           2
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SuperHidden      0
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden  0

Table 7.

None of the tools analyzed by CTU had the ability to exfiltrate data via the network.
vb.vbs: a VBScript file that is dropped and executed by the malware in an attempt to copy itself to all remote computers within WinNT://Workgroup.

Bifrost Registry Behavior

Bifrost makes the following registry changes:

Key                    Value  Data
HKCU\Software\Bifrost  klg    [0x01]
HKCU\Software\Bifrost  plg1   [0xea]D[0xdc][0x02][0xa3]'[0xd7]_[0x11][0xad][0xb9][0x07][0xda][0xf2]5[0x03]*5[0x8e]X [0x1b][0x0e][0x11][0x94][0xd4][0xf9][0x12][0x1b][0x1a]Z[0xa4][0x81][0xfe]qh[0xa3][0xd4] [0xea][0xb4][0xa7])[0xb3]_[0xa4]>[0xa9]#[0x8a][0x85]i[0x01]u[0x9e][0x9b]O[0x1e][0x8b]sC [0x16]a[0xca][0xae][0x05][0xea]Iv[0xf7]5-[0xf3]!h[0x12]-[0x84][0x01]A[0x0f][0xf6]n[0x09]!b QY[0xe0][0xef]!([0xc5][0xf3],[0xce][0xf6]1Wju[0xc6]rU[0xd5][0xfd][0xe3][0x11][0xcf][0x02] *?[0xeb]\[0xdb][0xfe]\=[0xc8][0x0d]Sg[0xf7][0x88]'[0x09]k[0x98][0xf0]7[0xdd][0x00][0x93]B [0xa5]y>6[0x86][0xbe][0xb2][[0x99][0xd8]E[0x12][0x96]B[0xb7]a[0x11],[0xe7][0x18][0x95] [0xd1][0x97]&[0x05]D[0xba][0xe3][0xe1]s[0x99][0xed][0xee][0x1d][0xe9][0xe5]Dc[0xb3] [0xc3][0xfd][0x87]^[0x97]N[0xe8]8[0xe8][0xfe]P[0xd8][0xb1]R[0x89][0xf9]5d[0xb2]Du= [0x12][0xae][0xe8][0xb3][0xdb][0xeb][0xd0][0xa8][0xc5][0xef]?[0xd2][0xcb][0xa2]WsL [0xd8][0xc2]8#[0x82][0xd4][0x04][0xd1]90V[0xd5]!g[0x93][0x89]*[0xfe]D[0x8d][0xfd] [0xc3][0xce][0xef][0x8f]4[0xb1]([0xd9][0x0c]4)[0xce]Q^[0xe3]M4[0xfb][0xbe]t[0xcd]@6: [0xd8]j[0x8f]A

Registry additions made by the Bifrost malware.
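The two registry tables above (the Explorer values the worm sets to hide its files, and the HKCU\Software\Bifrost key) can be checked offline from a reg.exe export of the user hive. The Python below is an added example written for this page, not code from CTU or from the original report. It parses the subset of .reg syntax that reg.exe emits (key headers, dword, hex and string values, backslash continuation lines) and flags the worm's Explorer values and the presence of the Bifrost key. The sample export is constructed: the plg1 bytes are the first twenty from the table above, the klg value is the one shown, and HideFileExt is included only as a neighbouring setting that must not be flagged. The key path is written as HKEY_CURRENT_USER, which is how reg.exe names the hive the table above writes as HKCU\NTUSER.

```python
import re
from typing import Dict, List, Union

RegValue = Union[int, str, bytes]

# Constructed sample of what `reg export HKCU\Software out.reg` would contain on an
# infected host (only the two keys of interest are shown).  reg.exe writes UTF-16 with
# a BOM; read real exports with open(path, encoding="utf-16") before parsing.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Bifrost]
"klg"=hex:01
"plg1"=hex:ea,44,dc,02,a3,27,d7,5f,11,ad,b9,07,da,f2,35,03,\
  2a,35,8e,58
"""

# Constructed clean export: Explorer set to show hidden files, no Bifrost key.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')


def _decode_value(body: str) -> RegValue:
    """Decode the value syntaxes reg.exe writes: dword:XXXXXXXX, hex:aa,bb,... or "string"."""
    if body.startswith("dword:"):
        return int(body[6:], 16)
    if body.startswith("hex:"):
        return bytes(int(b, 16) for b in body[4:].split(",") if b)
    if len(body) >= 2 and body.startswith('"') and body.endswith('"'):
        return body[1:-1]
    raise ValueError(f"unsupported value syntax: {body}")


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse .reg text into {key_path_lowercased: {value_name: value}}.
    Lines ending in a backslash (long hex values) are joined with the next line."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]          # continuation: keep accumulating
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode_value(m.group("body"))
    return keys


EXPLORER_ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
BIFROST_KEY = r"hkey_current_user\software\bifrost"

# Exactly the values from Table 7 above (what the worm writes), and the value names
# from the Bifrost table above.
WORM_EXPLORER_VALUES = {"Hidden": 2, "SuperHidden": 0, "ShowSuperHidden": 0}
BIFROST_VALUE_NAMES = ("klg", "plg1")


def find_indicators(export_text: str) -> List[str]:
    """Return human-readable findings for the worm's Explorer values and the Bifrost key."""
    keys = parse_reg_export(export_text)
    hits: List[str] = []
    adv = keys.get(EXPLORER_ADVANCED, {})
    for name, bad in WORM_EXPLORER_VALUES.items():
        if adv.get(name) == bad:
            hits.append(f"Explorer\\Advanced {name}={bad} (hidden/system files suppressed)")
    bif = keys.get(BIFROST_KEY)
    if bif is not None:
        present = [n for n in BIFROST_VALUE_NAMES if n in bif]
        hits.append(f"HKCU\\Software\\Bifrost present with values: {', '.join(present) or 'none'}")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG_EXPORT):
        print(hit)
```

Hidden=1 and ShowSuperHidden=1 are Explorer's "show" settings, so restoring those two values reverses the visibility change; the Bifrost key should only be removed after the process that owns it has been stopped, or it may simply be rewritten.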
Win32/Visal.A attempted to download its secondary payloads from an account named "iqreporters".

A typical HTTP request would look like:

GET /yahoophoto/ff.iq HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: members.multimania.co.uk
Connection: Keep-Alive

All of the requested URLs end with the .iq suffix. The User-Agent is the default string sent by the WinHTTP COM object (WinHttp.WinHttpRequest) rather than a browser, which makes these downloads easy to distinguish in proxy logs.
Note that users cannot determine whether an email link is safe simply by examining the link.

A factor that may mitigate the threat in this instance is that the Bifrost GUI was not built to scale to a large number of infected computers. Figure 2 shows an example of a Bifrost management GUI (Graphical User Interface) with an infected computer connected.
Visal Email Worm History

The CTU has seen evidence that there was at least one earlier instance of this malware campaign.

If feasible, disable AutoRun functionality according to the instructions in Microsoft Knowledge Base article KB967715, available here: http://support.microsoft.com/kb/967715

Limit user privileges.
logg.dat: the log file Bifrost uses to store keystrokes collected by its keylogger capability.
Remediation

Win32/Visal.B can significantly alter the security posture of a compromised system, even if the malware or the system is unsuccessful in downloading malware files from the Internet.

Example of a registry addition intended to inhibit security software.

In addition, the attacker using a mobile broadband connection may have caused his bandwidth to become saturated due to a potentially large number of infected hosts attempting to connect to the
If successful, these tools could be prevented from contacting their update sites to receive updated signatures.
If the logged-in user had administrator credentials for the domain, these permissions could cause the malware to spread to every computer in the domain.

MD5        2bde56d8fb2df4438192fb46cd0cc9c9
SHA1       0ba8387faaf158379712f453a16596d2d1c9cfdc
File Size  290816 bytes
File Type  PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Table 1.
Additionally, Win32/Visal.B may create copies of itself in various directories with the pattern " CV 2010.exe".

This build of Bifrost did not utilize these rootkit capabilities. Figure 4.

While that domain has been shut down, organizations with the ability to monitor their firewall logs can search for connection attempts to the IP address 18.104.22.168 on TCP/2003 to identify compromised
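The HTTP request shown earlier (a .iq URL fetched with the WinHttp User-Agent from members.multimania.co.uk) and the firewall-log search described here are both plain indicator matches, so one script serves both passages. The Python below is an added example written for this page, not CTU's tooling: it scans proxy log lines in Apache/Squid combined format for requests whose path ends in .iq, recording when the WinHttp User-Agent or the multimania host corroborates the hit, and scans a Windows Firewall pfirewall.log for TCP attempts to the controller address and port as the page gives them (18.104.22.168, TCP/2003). Every log line, the 10.20.1.x client addresses, the example.com URL and the ff.jpg filename are constructed for the example and are not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Indicators reproduced from the analysis above (not chosen here).
VISAL_UA_MARKER = "WinHttp.WinHttpRequest.5"
VISAL_PAYLOAD_SUFFIX = ".iq"
VISAL_PAYLOAD_HOST = "members.multimania.co.uk"
BIFROST_C2_IP = "18.104.22.168"
BIFROST_C2_PORT = "2003"


@dataclass
class Finding:
    source: str   # "proxy" or "firewall"
    client: str   # internal host that made the request / connection attempt
    reason: str


# Constructed proxy log in combined format: client ident user [time] "request" status bytes "referer" "ua"
SAMPLE_PROXY_LOG = [
    '10.20.1.15 - - [09/Sep/2010:14:02:11 +0000] "GET http://members.multimania.co.uk/yahoophoto/ff.iq HTTP/1.1" '
    '200 1532 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    # .iq path on an unrelated host with a browser UA: flagged, but without corroboration
    '10.20.1.31 - - [09/Sep/2010:14:05:40 +0000] "GET http://www.example.com/status/ping.iq HTTP/1.1" '
    '404 312 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"',
    # WinHttp UA alone (legitimate scripts use it too): not flagged without the .iq suffix
    '10.20.1.40 - - [09/Sep/2010:14:06:02 +0000] "GET http://members.multimania.co.uk/yahoophoto/ff.jpg HTTP/1.1" '
    '200 1532 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    "2010-09-09 14:06:30 proxy restarted",   # non-matching line, skipped
]

# Constructed pfirewall.log: date time action protocol src-ip dst-ip src-port dst-port size ...
SAMPLE_FIREWALL_LOG = [
    "#Version: 1.5",
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2010-09-09 14:03:02 DROP TCP 10.20.1.15 18.104.22.168 1043 2003 48 S 3492186561 0 65535 - - - SEND",
    "2010-09-09 14:03:05 ALLOW TCP 10.20.1.15 18.104.22.168 1044 80 0 - 0 0 0 - - - SEND",
    "2010-09-09 14:03:09 ALLOW UDP 10.20.1.22 10.20.1.1 52011 53 0 - 0 0 0 - - - SEND",
]

_COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag requests whose path ends in .iq; note corroborating UA / host when present."""
    findings: List[Finding] = []
    for line in lines:
        m = _COMBINED_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        if not parts.path.lower().endswith(VISAL_PAYLOAD_SUFFIX):
            continue
        corroboration = []
        if VISAL_UA_MARKER in m.group("ua"):
            corroboration.append("WinHttp User-Agent")
        if host == VISAL_PAYLOAD_HOST:
            corroboration.append("known payload host")
        reason = f"{m.group('method')} {m.group('url')} ends in {VISAL_PAYLOAD_SUFFIX}"
        if corroboration:
            reason += " (" + ", ".join(corroboration) + ")"
        findings.append(Finding("proxy", m.group("client"), reason))
    return findings


def scan_windows_firewall_log(lines: Iterable[str]) -> List[Finding]:
    """Flag TCP attempts (allowed or dropped) to the Bifrost controller address and port."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank or "#Fields:" header line
        f = line.split()
        if len(f) < 8:
            continue
        action, proto, src, dst, dport = f[2], f[3], f[4], f[5], f[7]
        if proto == "TCP" and dst == BIFROST_C2_IP and dport == BIFROST_C2_PORT:
            findings.append(Finding("firewall", src, f"{action} TCP to {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_windows_firewall_log(SAMPLE_FIREWALL_LOG):
        print(f"[{hit.source}] {hit.client}: {hit.reason}")
```

Dropped connection attempts are reported as well as allowed ones: a host that keeps trying to reach the controller is compromised whether or not the firewall let it through.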
SMB, often known as "Windows Networking", provides shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

Verify links and attachments from trusted sources before opening them.
Bifrost Process Behavior

Bifrost supports various options and plugins for stealth, including rootkit capabilities.

Table 2 shows the attributes of the downloaded files and the additional files installed by the malware.