Comments on: More malware by the Virut-gang http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/ About malware, packers and reverse engineering Fri, 21 Nov 2008 02:25:56 +0000 http://wordpress.org/?v=2.2.3 By: toni http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-245 toni Tue, 04 Sep 2007 05:03:05 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-245 Sorry, but no. It's just a small IRC bot that tracks the botnet itself. If you know which thread inside winlogon.exe is the one with infection you could download Process Explorer from SysInternals and snuff the particular thread with it. Otherwise I suggest some kind of online virus scan or several of them. Process Explorer can be found from http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx Sorry, but no. It’s just a small IRC bot that tracks the botnet itself. If you know which thread inside winlogon.exe is the one with infection you could download Process Explorer from SysInternals and snuff the particular thread with it. Otherwise I suggest some kind of online virus scan or several of them.

Process Explorer can be found from http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx

]]> By: Jonathan http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-244 Jonathan Mon, 03 Sep 2007 22:06:07 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-244 I've just noticed that winlogon.exe is still trying to connect to 81.95.146.254. I thought I had this thing cleaned off. Have you got any suggestions for cleaning this thing (bar a complete system reinstall) ?? I'll read up on that ISP. Would that tracker help me to monitor if Virut is still actively trying to access the net (and thus still active on my system)? Cheers, Jonathan I’ve just noticed that winlogon.exe is still trying to connect to 81.95.146.254.
I thought I had this thing cleaned off. Have you got any suggestions for cleaning this thing (bar a complete system reinstall) ??

I’ll read up on that ISP.

Would that tracker help me to monitor if Virut is still actively trying to access the net (and thus still active on my system)?

Cheers,
Jonathan

]]> By: toni http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-243 toni Mon, 03 Sep 2007 10:34:11 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-243 Hi, thanks for the info :) Virut Watcher is a small botnet tracker I did for tracking the Virut botnet. it's about 1500 bytes in size and written in assembly. The last IP in that list (81.95.146.254) belongs to Russian Business Network, which is a rogue ISP in Russia. Verisign did an excellent report on them a while back: http://www.economist.com/displayStory.cfm?story_id=9723768&fsrc=RSS http://www.theage.com.au/news/business/from-russia-with-malice-criminals-trawl-the-world/2007/07/23/1185043032049.html?page=fullpage#contentSwap1 Hi,
thanks for the info :)

Virut Watcher is a small botnet tracker I did for tracking the Virut botnet. it’s about 1500 bytes in size and written in assembly.

The last IP in that list (81.95.146.254) belongs to Russian Business Network, which is a rogue ISP in Russia. Verisign did an excellent report on them a while back:
http://www.economist.com/displayStory.cfm?story_id=9723768&fsrc=RSS
http://www.theage.com.au/news/business/from-russia-with-malice-criminals-trawl-the-world/2007/07/23/1185043032049.html?page=fullpage#contentSwap1

]]> By: Jonathan http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-242 Jonathan Mon, 03 Sep 2007 10:05:14 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-242 Hi there, I've just been dealing with a Virut virus on my machine. The IPs (and trailing folder locations it has been trying to access to download various trojans etc are: 85.114.140.107/-grander/dl.exe 85.114.140.107/-grander/adv735.exe 81.95.146.254 Perhaps this info helps you in your exploration of this virus. By the way, what is the "Virut Watcher" application you are using? Regards, Jonathan Hi there,
I’ve just been dealing with a Virut virus on my machine.
The IPs (and trailing folder locations it has been trying to access to download various trojans etc are:
85.114.140.107/-grander/dl.exe
85.114.140.107/-grander/adv735.exe
81.95.146.254

Perhaps this info helps you in your exploration of this virus.
By the way, what is the “Virut Watcher” application you are using?

Regards,
Jonathan

]]> By: toni http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-36 toni Wed, 25 Apr 2007 05:10:32 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-36 Gandi has, as far as I can tell, been on the good side. We need more responsible registrars like them to effectively battle against various malware spreaders. Gandi has, as far as I can tell, been on the good side. We need more responsible registrars like them to effectively battle against various malware spreaders.

]]> By: MAD http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-33 MAD Tue, 24 Apr 2007 05:52:08 +0000 http://www.teamfurry.com/wordpress/2007/03/26/more-malware-by-the-virut-gang/#comment-33 XGJAMTULUX.COM have been taken down. Thanks to, Gandi. Regards, XGJAMTULUX.COM have been taken down.
Thanks to, Gandi.

Regards,

]]>