Virus from news site

JerryMungo

Honorary Master
Joined
Jul 18, 2008
Messages
37,943
Reaction score
6,557
Just thought I'd share my experience with a virus I picked up from news.saix.net
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my ebay account (155 GBP worth). I suspected my details had been compromised by the d'l I got the day before - it was the only source I could imagine, My PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.

So I sent the file to Nod32 with full details then decided to mosey on to the guys site armed with his user/pass for FTP. I found a whole bunch (50 ish) files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, yahoo messenger etc.

I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.

Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.

What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...

What would you reckon you would have done?
 
I would not have touched the exe file to begin with. But playing around with these virii that connect to a server using plaintext username/pass could be quite fun though... :D
 
Yeah, great Idea Noswal - yeah Killa, I blitzed his FTP account and web setup - it was a free provider and no real content, only used to steal stuff.
About FBI - I'd say 90% of the victims were european judging by the .de .nl and .be emails. Would the FBI even be interested? Nod32 apparently aren't - I think they should at the very least acknowledge receipt of the file. Makes me wonder - just after I spent money on the business edition.

Not even the hosting service acknowledged my email to them, reporting the user... that's why I decided to do something myself.
 
What would you reckon you would have done?

Firstly scan dodgy exes @ virustotal.com, you can also run exes in sandboxie or a VM to make sure your mashine does not get infected. Lastly try to avoid storing passwords on your pc.
 
Firstly scan dodgy exes @ virustotal.com, you can also run exes in sandboxie or a VM to make sure your mashine does not get infected. Lastly try to avoid storing passwords on your pc.

At least don't store your passwords in your browser without a master password.
Rather use a trusted password storage app like KeePass to store your passwords.
I have one file on my hard drive which holds all my passwords, which uses AES encryption algorithm which
even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe!
 
When will people learn not to run dodgy EXE's! Just because one AV package reports that its cleans doesnt mean it is. There are literally 1000's of new pieces of malware being released daily. Its virtually impossible for all the AV companies to keep up to date.

1) Use virustotal - if it reports that its clean then chances are 99% its safe.
2) Run suspect EXE in Sandboxie.
3) Dont run suspect EXE's
4) Dont run suspect EXE's
 
The file was cutlist plus something or other but I suspect there are many different names for the same thing since is was deliberately planted.
Virustotal reports file is clean.

Sandbox is great idea
So is keepass!
 
I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean.
Just for interest sake what does virustotal say about the file? And have Eset updated their AV?
 
Just thought I'd share my experience with a virus I picked up from news.saix.net
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my ebay account (155 GBP worth). I suspected my details had been compromised by the d'l I got the day before - it was the only source I could imagine, My PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.

So I sent the file to Nod32 with full details then decided to mosey on to the guys site armed with his user/pass for FTP. I found a whole bunch (50 ish) files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, yahoo messenger etc.

I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.

Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.

What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...

What would you reckon you would have done?

Wow. Hectic. Kudos for following through. Please keep in mind that ESET probably receive hundreds, if not thousands of files everyday, so it will take them time to get back to you.
 
Yep, I have updated Nod32 :)

Virus total is giving grief right now... trying again. First attempt:
Exception
Please report failure as: ErrorTime= "Jul 14 12:22:59"
Attempt 2 using ssl:
Exception
Please report failure as: ErrorTime= "Jul 14 12:22:59"
 
Trying Iexplore now - same
Trying email submission next...
Oops - google won't deliver exe's
What next lol... maybe I can try the saix outgoing server... dunno...
 
Last edited:
virustotal seems to be very, very busy...


Edit: and "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
 
Top
Sign up to the MyBroadband newsletter
X