Donnervogel

New IRC worm


Ok, there was a strange new worm on IRC tonight.

It spammed a picture into IRC with an address like: "www.billard-cafe-friedberg.de/LAN_16.10.03/....jpg"

Everyone that clicked on it and had the German Windows Media Player (can only confirm with WMP 9) got infected.

Infected people were sometimes signed off in Windows at least once.

It is a variant of the "W32.Spybot.Worm".

The solution found at the Symantec homepage (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html) doesn't work.

One thing I could find is that it logs pretty much everything you type (even passwords!) to a file called "kl.dll" located in the "/Windows/system32/" folder (confirmed on w2k, probably winXP) and probably sends it to this address: "my-botnet.is-hacked.de"

Thanks to Killswitch, a friend of mine, and some support from other OFPEC channel members, we found a solution to remove the logging.

First uninstall Windows Media Player, since the worm replaced the "wmplayer.exe" with a file with the same name but only ~51kb in size. (You can check if you're infected this way.)

Check if "wmplayer.exe" was removed.

Then the worm created an identical file called "updreg.exe" (also ~51kb in size) in the "/Windows/system32/" folder.

Now you have to remove the "updreg.exe" in that folder. Don't confuse it with "updreg.exe" in the "/Windows/" base directory, since that is part of a driver from Creative Labs.

Then head to the registry and find this location: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Look for a key with a reference to "updreg.exe". (NOTE: Check that it doesn't point to /windows/updreg.exe.)

Delete that key.

Then restart your computer.

After reboot head over to the "/Windows/system32/" folder and remove the "updreg.dll" (which is identical to the "spybot.dll" that a normal Spybot worm creates) and the "kl.dll".

Now the logging of your keystrokes should stop. Be sure to change all your important passwords now. Especially your Windows user password, any IRC auth passwords and ICQ/other messenger passwords.

Be advised that any information you typed while infected may have been sent to the server I mentioned above.

I don't know if that is all. Be sure to let your updated antivirus check your files.

There also may be a backdoor installed with this worm. I don't know if it gets removed with this solution if there is one.

(it's 5 am here now, I didn't sleep. Sorry if there is anything confusing in this post)
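A read-only triage script for the indicators the post above lists, added here as an example; it is not part of the original thread and not the removal tool mentioned later in it. It only reports, it deletes nothing, and it checks exactly what the post names: a tiny wmplayer.exe, updreg.exe in system32 (not the Creative Labs one in the Windows directory), the kl.dll and updreg.dll drops, and a Run value pointing at updreg.exe. The 100 KB size threshold and the Program Files location for the player are my assumptions, not values from the post.

```powershell
# Read-only check for the file and registry indicators named in the post.
# Added example, not from the thread. Reports findings; changes nothing.
$sysRoot  = $env:SystemRoot
$sys32    = Join-Path $sysRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. The post reports the worm's wmplayer.exe replacement as ~51 KB.
#    Threshold (100 KB) and the Program Files path are assumptions.
$wmpCandidates = @(
    (Join-Path $sys32 'wmplayer.exe'),
    (Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe')
)
foreach ($p in $wmpCandidates) {
    if (Test-Path -LiteralPath $p) {
        $len = (Get-Item -LiteralPath $p).Length
        if ($len -lt 100KB) {
            $findings.Add("suspiciously small wmplayer.exe: $p ($len bytes; post reports ~51 KB for the worm's copy)")
        }
    }
}

# 2. updreg.exe in System32 is the worm's copy. updreg.exe directly in
#    %SystemRoot% is a Creative Labs driver component per the post: not flagged.
$updregSys32 = Join-Path $sys32 'updreg.exe'
if (Test-Path -LiteralPath $updregSys32) {
    $findings.Add("updreg.exe present in System32: $updregSys32")
}

# 3. Dropped DLLs named in the post (keystroke log and the spybot.dll equivalent).
foreach ($dll in 'kl.dll', 'updreg.dll') {
    $p = Join-Path $sys32 $dll
    if (Test-Path -LiteralPath $p) { $findings.Add("dropped file present: $p") }
}

# 4. Run values launching updreg.exe from anywhere except %SystemRoot%\updreg.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Name }
    $legit = Join-Path $sysRoot 'updreg.exe'
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($value -match 'updreg\.exe' -and ($value.Trim('"') -ine $legit)) {
            $findings.Add("Run value '$name' references updreg.exe: $value")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post found.'
} else {
    Write-Output 'Indicators found (review before acting):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM Run key and System32 are readable. Because the worm's dropped names collide with a legitimate Creative Labs file, the script compares the full Run value against `%SystemRoot%\updreg.exe` rather than matching on the file name alone, which is the same distinction the post asks you to make by hand.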


Thank god I am not German, and thank god I can't get WMP to install on my system ;)

It's good that you posted this here though. These kinds of things can cause a lot of havoc in a person's life.


Don't click on every URL that gets pasted in an IRC channel by just anyone?

> Don't use IE ;) or mIRC

Yeah Kege. Why not also "Don't use a computer"?

Ah sorry, I'm pretty pissed since I heard that yesterday maybe 30 times and was awake from 6 am to 7 am (next day).

I normally use Mozilla but sometimes I activate IE as standard browser when writing HTML for test reasons and since most internet users use IE.

Btw. There is a removal tool released by a guy called HSC. But it doesn't remove all files.

> I normally use Mozilla but sometimes I activate IE as standard browser when writing HTML for test reasons and since most internet users use IE.

HTML was supposed to be platform-independent... :D

(written with Konqueror)

> > I normally use Mozilla but sometimes I activate IE as standard browser when writing HTML for test reasons and since most internet users use IE.
>
> HTML was supposed to be platform-independent... :D
>
> (written with Konqueror)

Well it isn't ;) There's not more to say than that.

> > > I normally use Mozilla but sometimes I activate IE as standard browser when writing HTML for test reasons and since most internet users use IE.
> >
> > HTML was supposed to be platform-independent... :D
> >
> > (written with Konqueror)
>
> Well it isn't ;) There's not more to say than that.

Perhaps say http://www.w3c.org/MarkUp/ ;)

*duckandcover*


I hate worms and virus programs!!!!

Two weeks ago I got myself a win32/hatane and lovesan virus. Had to format my hard disk. Lost all my stuff, pictures, savegames, my OFP ESL custom face and so on. Now I found out that my Resistance CD is broken. (WAAAAAAAAAAAAAAAAAAAAAHHHHHH!!!!!)

Guess I'll have to get a new one and buy the collectors edition.

Does anyone know if I keep my old player ID with a new Resistance CD?


I think the game ID is calculated from your CD key, so you can use your old one to keep your ID (I think).
