JerryMungo
Honorary Master
- Joined
- Jul 18, 2008
- Messages
- 37,943
- Reaction score
- 6,557
Just thought I'd share my experience with a virus I picked up from news.saix.net
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my ebay account (155 GBP worth). I suspected my details had been compromised by the d'l I got the day before - it was the only source I could imagine, My PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.
So I sent the file to Nod32 with full details then decided to mosey on to the guys site armed with his user/pass for FTP. I found a whole bunch (50 ish) files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, yahoo messenger etc.
I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.
Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.
What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...
What would you reckon you would have done?
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my ebay account (155 GBP worth). I suspected my details had been compromised by the d'l I got the day before - it was the only source I could imagine, My PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.
So I sent the file to Nod32 with full details then decided to mosey on to the guys site armed with his user/pass for FTP. I found a whole bunch (50 ish) files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, yahoo messenger etc.
I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.
Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.
What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...
What would you reckon you would have done?