Gammapedia is archived. No new edits are allowed and no new accounts can be registered.

Ikepedia is the officially decreed successor to Gammapedia concerning Gammasphere canon.

Infinitypedia is another successor.

$revenue/log2: Difference between revisions

From Gammapedia
Jump to navigationJump to search
No edit summary
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
'''URLs accessed'''
A test was done on the Abwayaxian Malware Testing Platform, which runs [[Windows 98]]. This is the results of the test.
 
==URLs accessed==


  http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=1
  http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=1
Line 43: Line 45:
  http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=849&rnd=0.4082605
  http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=849&rnd=0.4082605


'''HijackThis logs'''
==HijackThis logs==


''Before''
===Before===
  Logfile of HijackThis v1.99.1
  Logfile of HijackThis v1.99.1
  Scan saved at 1:24:17 AM, on 8/6/06
  Scan saved at 1:24:17 AM, on 8/6/06
Line 79: Line 81:
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


''After''
===After===
  Logfile of HijackThis v1.99.1
  Logfile of HijackThis v1.99.1
  Scan saved at 1:39:08 AM, on 8/6/06
  Scan saved at 1:39:08 AM, on 8/6/06
Line 119: Line 121:
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


'''Changes to Windows Filesystem'''
==Changes to Windows Filesystem==
  *****************************
  *****************************
  COMPARING RECORDS FROM C:\ ROOT
  COMPARING RECORDS FROM C:\ ROOT
Line 185: Line 187:
  *****************************
  *****************************


'''Registry Changes'''
==Registry Changes==
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\Contact: "Customer Support Department"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\Contact: "Customer Support Department"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayName: "Command"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayName: "Command"

Latest revision as of 03:29, 8 August 2006

A test was done on the Abwayaxian Malware Testing Platform, which runs Windows 98. This is the results of the test.

URLs accessed

http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=1
http://194.187.45.55/MTE3NDI6ODoxNg.exe
http://content.dollarrevenue.com/nwnmff_7.exe
http://content.dollarrevenue.com/dfndrff_7.exe
http://content.dollarrevenue.com/kybrdff_7.exe
http://www.onli-ne.com/app/ADDR/Installer.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload45a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload46a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload849a.exe
http://194.187.45.55/MTE3NDI6ODoxNg.exe
http://command.adservs.o
http://command.adservs.com/binaries/installer_9x.php?a=MTE3NDI6ODoxNg
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2F194%2E187%2E45%2E55%2FMTE3NDI6ODoxNg%2Eexe&id=1
http://content.dollarrevenue.com/nwnmff_7.exe
http://csx.adservs.com/checkin.php?affid=MTE3NDI6ODoxNg&msg=success
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fnwnmff%5F7%2Eexe&id=1
http://content.dollarrevenue.com/dfndrff_7.exe
http://80gw6ry3i3x3qbrkwhxhw.032439.com/client.php?str=/yfwar6fICKBx2qrDXg9BV/fv/jVhqN8gXXOzYkEdJLFuPkpSzPhh9Qx5B/5bH4b
http://command.adservs.com/binaries/relevance.dat
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fdfndrff%5F7%2Eexe&id=1
http://content.dollarrevenue.com/kybrdff_7.exe
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fkybrdff%5F7%2Eexe&id=1
http://www.onli-ne.com/app/ADDR/Installer.exe
www.onli-ne.com
http://www.nonameforthisdomain.com/data.asp?rnd=0.3843958&antisp=1
www.nonameforthisdomain.com
http://content.dollarrevenue.com/kybrdff_7.exe
http://www.findthewebsiteyouneed.com
http://searchbar.findthewebsiteyouneed.com
http://content.dollarrevenue.com/dfndrff_7.exe
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fwww%2Eonli%2Dne%2Ecom%2Fapp%2FADDR%2FInstaller%2Eexe&id=1
http://promo.dollarrevenue.com/webmasterexe/drsmartload45a.exe
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload45a%2Eexe&id=1
http://promo.dollarrevenue.com/webmasterexe/drsmartload46a.exe
http://promo.dollarrevenue.com/bundle/loader.exe
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload46a%2Eexe&id=1
http://promo.dollarrevenue.com/webmasterexe/drsmartload849a.exe
http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload849a%2Eexe&id=1
http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=45&rnd=0.3896601
http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=46&rnd=0.6209986
http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=849&rnd=0.4082605

HijackThis logs

Before

Logfile of HijackThis v1.99.1
Scan saved at 1:24:17 AM, on 8/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE
C:\WINDOWS\SYSTEM\VMSRVC.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\PROGRAM FILES\URLSNOOPER2\URLSNOOPER.EXE
C:\PROGRAM FILES\FILEMAP BY BB V405\FILEMAP.EXE
C:\REGSHOT\REGSHOT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
O4 - HKLM\..\Run: [VMServices] C:\WINDOWS\SYSTEM\VMSrvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

After

Logfile of HijackThis v1.99.1
Scan saved at 1:39:08 AM, on 8/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE
C:\WINDOWS\SYSTEM\VMSRVC.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\PROGRAM FILES\URLSNOOPER2\URLSNOOPER.EXE
C:\PROGRAM FILES\FILEMAP BY BB V405\FILEMAP.EXE
C:\REGSHOT\REGSHOT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\QWJ3YXLHEAAA\COMMAND.EXE
C:\DFNDRFF_7.EXE
C:\KYBRDFF_7.EXE
C:\WINDOWS\RUNDLL32.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
O4 - HKLM\..\Run: [VMServices] C:\WINDOWS\SYSTEM\VMSrvc.exe
O4 - HKLM\..\Run: [Command] C:\WINDOWS\QWJ3YXlheAAA\command.exe
O4 - HKLM\..\Run: [newname] C:\\NWNMFF_7.exe
O4 - HKLM\..\Run: [defender] C:\\DFNDRFF_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\KYBRDFF_7.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Changes to Windows Filesystem

*****************************
COMPARING RECORDS FROM C:\ ROOT
*****************************
-----------------------------
These files were present at:
06 Aug 06 at 01:37:02
but not on:
06 Aug 06 at 01:21:27
-----------------------------
dfndrff_7.exe
drsmartload.exe
drsmartload45a8a.exe
drsmartload46a8a.exe
drsmartload849a8a.exe
installer3.exe
kybrdff_7.exe
mte3ndi6odoxng.exe
nwnmff_7.exe
-----------------------------
These files were present at:
06 Aug 06 at 01:21:27
but not on:
06 Aug 06 at 01:37:02
-----------------------------
-----------------------------
*****************************
*****************************
COMPARING RECORDS FROM  WINDOWS
*****************************
-----------------------------
These files were present at:
06 Aug 06 at 01:37:11
but not on:
06 Aug 06 at 01:21:27
-----------------------------
hosts
keyboard1.dat
-----------------------------
These files were present at:
06 Aug 06 at 01:21:27
but not on:
06 Aug 06 at 01:37:11
-----------------------------
-----------------------------
*****************************
*****************************
COMPARING RECORDS FROM   SYSTEM
*****************************
-----------------------------
These files were present at:
06 Aug 06 at 01:37:18
but not on:
06 Aug 06 at 01:21:27
-----------------------------
opgfs400.dll
uldm16.dll
-----------------------------
These files were present at:
06 Aug 06 at 01:21:27
but not on:
06 Aug 06 at 01:37:18
-----------------------------
-----------------------------
*****************************

Registry Changes

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\Contact: "Customer Support Department"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayName: "Command"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayVersion: "1.0.1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoModify: 0x00000001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoRemove: 0x00000000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoRepair: 0x00000001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\UninstallString: "wscript "C:\WINDOWS\QWJ3YXlheAAA\pge0.vbs""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{E5F6E74B-BE35-3B3D-54D4-00F0412DEABA}: ""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Command: "C:\WINDOWS\QWJ3YXlheAAA\command.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\newname: "C:\\NWNMFF_7.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\defender: "C:\\DFNDRFF_7.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\keyboard: "C:\\KYBRDFF_7.exe"