Yahoo Messenger - password senders
Last Updated: Jul 01 2005 10:30, Started by denis.m, Jun 27 2005 14:28
#1
Posted 27 June 2005 - 14:28
It seems my messenger is sending messages to the friends in my list (and probably not only to them): messages with my computer name, my IP, my username and the PASSWORD I use for messenger and, by extension, for e-mail.
At the end of the message it says "brought to you by silenthack.com". I visited the page and it seems that guy distributes programs that send out the password you log into YM with - very creative! Is anyone else in the same situation? I scanned the computer but can't find anything, not with antivirus, not with Ad-Aware, not with Spybot. I'm curious how I could have got infected - nobody has access to the PC and I don't download anything except jpegs and movies.
#2
Posted 27 June 2005 - 14:44
... it's fairly little known.
Post a HijackThis log and I'll try to help you.
Edited by PreTXT, 27 June 2005 - 15:01.
#3
Posted 27 June 2005 - 14:47
What happens to me is that I get logged out of YM. The explanatory message says my user has logged into YM from another machine.... (?)
I should mention that I change my Yahoo password weekly...
#4
Posted 27 June 2005 - 14:51
pretxt, I don't think there was any point in posting a link to a program that would give a lot of people ideas. I say you should have just explained it to him; I'm sure plenty of people are looking at this topic and will get hacking ideas when they see what that program can do.
Edited by se7enports, 27 June 2005 - 14:52.
#5
Posted 27 June 2005 - 15:04
se7enports: hmm, it's not in my nature to post links to malware, but in this case it's pretty obvious where it can be obtained from. The idea was for some admins to be able to filter requests to that site. Personally, I reported the address to SurfControl and I'm waiting for the confirmation and the database update.
Anyway, given that it didn't add much value, I removed the address. Thanks
#6
Posted 27 June 2005 - 15:14
From what I've read it isn't detected by any known antivirus, but it would still be good for him to post a HijackThis log. Very little information about the program, and I don't think it's a new program.
#7
Posted 27 June 2005 - 15:24
I'll post a log when I get home.
Is something like this possible? A trojan hidden in a .jpeg?
"This is Y! Jacked FULL, it will work on all Yahoo! Messenger 6x versions and all the New 7x versions including the BETA. Y! Jacked, if you didn’t already know is the best password sender for Yahoo! Messenger around. It will work past firewall software and is currently undetected to the top antivirus software. It includes features such as a fake error, clear XP system restore points and more. Also includes a file binder so you can join ANY file (pictures, programs, anything) you want to your sender. When the sender is installed (opened) on somebody’s computer it will Email you their id and password each time they Login Yahoo! Messenger even if they don’t save their password! Even if they don’t have their password saved and they have Yahoo! Messenger opened at the time they open your sender you will still be emailed their Id and password INSTANTLY." ( http://yprog.com/content.php?content.1 )
#9
Posted 27 June 2005 - 15:40
You can hide anything in a jpeg. File binders are used for that. And not only in a jpeg but in any executable, for example. It's a technique most trojan and virus creators use. You can hide one exe inside another exe; when you run one program the other one runs too.
#10
Posted 28 June 2005 - 10:21
I know that, but how does it get activated if it's attached to a jpeg?
#11
Posted 28 June 2005 - 10:24
An example would be the vulnerability in Microsoft products found a while ago but fixed in the meantime.
Quote: The vulnerability is caused due to a boundary error within the GDI+ JPEG Parsing component (Gdiplus.dll). This can be exploited to cause a buffer overflow by tricking a user into viewing a specially crafted JPEG image with any application using the vulnerable component for JPEG image processing. Successful exploitation allows execution of arbitrary code with the privileges of the user.
More details here
#12
Posted 28 June 2005 - 10:53
se7enports, on Jun 27 2005, 16:40, said: You can hide anything in a jpeg. File binders are used for that. And not only in a jpeg but in any executable, for example. It's a technique most trojan and virus creators use. You can hide one exe inside another exe; when you run one program the other one runs too.
arunescu, on Jun 28 2005, 11:21, said: I know that, but how does it get activated if it's attached to a jpeg?
For that you also need another component, called an extractor (an executable in itself), and a registry modification to the file associations (there was a proof-of-concept virus, Perrun, I think...). There's also the variant with the vulnerability horatzica described, but if you're up to date with your updates then it's not a problem.
http://www.kayodeok....irus_facts.html
Edited by PreTXT, 28 June 2005 - 10:57.
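The mechanism described in this post (an extractor plus a changed file association) leaves a visible trace: the .jpg open command in the registry no longer points at the image viewer. Added here as an example, not code from the thread: a Python check over a regedit-style export that resolves .jpg to its ProgID and judges the open command. The two .reg fragments, the directory lists and the extract.exe name are constructed for the illustration; only the stock XP viewer command is the real one.

```python
import re

# Constructed regedit-style exports (not from the thread): the stock Windows XP .jpg
# association, then the shape the post describes, .jpg routed via a hypothetical extractor.
CLEAN_REG = r'''
[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="rundll32.exe C:\\WINDOWS\\System32\\shimgvw.dll,ImageView_Fullscreen %1"
'''
HIJACKED_REG = r'''
[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\extract.exe\" \"%1\""
'''
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumption: where genuine viewers live
USER_DIRS = ("c:\\documents and settings\\", "\\temp\\")  # assumption: where a dropped extractor sits

def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: string}}, '@' being the key's default value."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo regedit's \\ and \" escaping
            keys[current][name.strip('"')] = raw
    return keys

def assess_jpg_association(text):
    """Return 'ok', 'suspicious' or 'unknown' for the .jpg open command in a .reg export."""
    keys = parse_reg(text)
    progid = keys.get("HKEY_CLASSES_ROOT\\.jpg", {}).get("@")
    cmd = keys.get("HKEY_CLASSES_ROOT\\%s\\shell\\open\\command" % progid, {}).get("@", "").strip()
    if not cmd:
        return "unknown"
    m = re.match(r'"([^"]+)"|(\S+)', cmd)  # the executable: first quoted or bare token
    exe = (m.group(1) or m.group(2)).lower()
    if any(d in exe for d in USER_DIRS):
        return "suspicious"
    if exe == "rundll32.exe":  # stock viewer is a DLL: judge the library it is told to load
        return "ok" if cmd[m.end():].strip().lower().startswith(TRUSTED_DIRS) else "suspicious"
    return "ok" if exe.startswith(TRUSTED_DIRS) else "suspicious"
```

On a live machine the same two keys can be read with regedit's export or `reg query` and fed to `assess_jpg_association`.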
#13
Posted 29 June 2005 - 17:23
Sorry for the delay - here's the HijackThis log:
------------
Logfile of HiJackThis v1.99.1
Scan saved at 7:21:56 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.42.228.6:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093619565359
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - (no file)
O23 - Service: Paremba - Creative Technology Ltd. - (no file)
--------------------
#14
Posted 29 June 2005 - 17:38
First of all, the free version of FlashGet is adware. I recommend uninstalling it if it's the free one.
Then fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file) <-- Always Remove
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - (no file)
O23 - Service: Paremba - Creative Technology Ltd. - (no file)
Then post a new log. Good luck!
Later edit: don't remove the entries where FlashGet appears if FlashGet isn't the free one and you haven't uninstalled it.
Edited by dorutoru, 29 June 2005 - 18:29.
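The fix list above boils down to a few textual signals in a HijackThis log: entries ending in "(no file)", an "is missing" default and blanked values. Added here as an example (not from the thread or from HijackThis itself), a Python triage that applies those rules to the R and O entries of the log posted above; the rule for the R1 ProxyServer entry is an added assumption about what is worth verifying, not something the post says to fix.

```python
import re

# Entries copied from the HijackThis log posted in this thread (R and O sections only).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.42.228.6:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - (no file)
O23 - Service: Paremba - Creative Technology Ltd. - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

def triage(log_text):
    """Return (section, reason, line) for entries a helper would tell you to fix or verify."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        if body.endswith("(no file)"):
            # A registered component whose file is gone: leftover or removed malware, safe to drop.
            findings.append((section, "orphaned entry, no file on disk", line))
        elif body.endswith("is missing"):
            findings.append((section, "expected default value is missing", line))
        elif body.endswith("="):
            findings.append((section, "blanked setting", line))
        elif section == "R1" and "ProxyServer" in body:
            # Assumption added here: a proxy you did not configure yourself deserves a look.
            findings.append((section, "proxy configured, confirm you set it", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```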
#15
Posted 29 June 2005 - 22:55
Judging by how it works, I think it might only modify Yahoo. If you uninstall it and then reinstall it, do you still have problems?
#16
Posted 30 June 2005 - 08:06
I reinstalled it and yes, it sent the data again. Luckily I have a friend who told me - the rest of the list probably rushed to my e-mail account.
dorutoru, thanks for the advice, I'll uninstall FlashGet even though I like it. If I remove "Paremba - Creative Technology", will my sound card still work?
#17
Posted 30 June 2005 - 08:34
Until you solve the problem you can use gaim to chat on Yahoo.
#18
Posted 30 June 2005 - 09:57
arunescu, on Jun 30 2005, 08:06, said: If I remove "Paremba - Creative Technology", will my sound card still work?
From what HijackThis says, it's just a leftover from a service that once ran on your computer. But in case it gives you trouble with the card afterwards, there are two ways to bring it back:
- start msconfig (Start-->Run-->type msconfig--><Enter>) and re-enable it from Services, or:
- HijackThis makes a backup in the same folder where it's installed, and if you want to restore something, start HijackThis, choose the 'View the list of backups' option, select what you want and click 'Restore' (this option also works when you've deleted something by mistake that you shouldn't have, provided you still have the backup)
As for your Yahoo problem, it's the first time I hear of that program and I don't see anything suspicious in HijackThis... Yesterday the author announced that the program is detectable, but for now I don't know by what...
Later Edit: Kaspersky seems to detect the "little program". So does AntiVir. Apparently Panda too. Try and see... I think it's this one:
http://www.viruslist...a?virusid=82484
http://www.pandasoft...x?idvirus=73775
Good luck!
Edited by dorutoru, 30 June 2005 - 10:21.
Welcome to the Softpedia Forum!