Bad bad website - attention admins!

Guest

Want a big load of undetectable malware loaded on your computer? Go here
with IE:
http://american-redbud-tree.jerome.semibay.com/

If you go there with Firefox on Windows it goes to a different site, and
if you go to it with FF on a Linux machine it comes up with a 404.

Had a customer get into this and what it put on her computer was not
detectable by NOD32, MSAS, Spybot, etc... It is using something that
hides the files and registry entries from the windows API. Not ADS...
--
Scott Bolander
Computer Services of Cincinnati
http://www.cincysystems.com
http://www.getwithme.com
(e-mail address removed)
513-266-6656
Ask me about our SPAM and Virus filtering service for your e-mail
 
It's about one computer user helping another!

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
I just went to this website and Windows XP SP2 stopped anything from being
installed on my machine. I got the ActiveX warning that stated a program
wants to download to my computer, and a flash floater telling me to allow it.
So what is the problem?

SP2 protected me, and I don't even have MSAS installed on this machine :)
I use IE6 and I am as secure as FF or OSX :)
 
Maybe this site has changed things, or the user who got infected picked up
the malware from another site, because I'm seeing the same as JoeM. Visiting
that site even with SP1 still presents a pop-up asking if you accept IST. If
you choose "Yes" then Microsoft Antispyware will display a Red Alert pop-up
showing YourSiteBar is trying to install. If you then choose Allow on the
alert, IST will drop some files onto the system, but if you choose No on the
initial agreement nothing will install.

Here's what happened when I just visited that page. First it displays this:

Page Is Loading...
Please click "Yes" to have all media on this page displayed properly

Then a Pop up agreement showing:

Security Warning
Do You want to install and run "Instant Website Access - Click Yes ! -
By Clicking yes, you are agreeing to install yoursitebar, other ad
supported softwares and to the terms and conditions" signed on 10/11/2005
and distributed by:

Integrated Search Technologies

Click No and nothing will install, but it will show an alert saying you must
install to view the content. Click Yes and IST installs files onto the
system; after the installation is finished the page is redirected to
mrbloodhound.com, showing that the page wasn't found and then displaying a menu for
online casinos, insurance, affiliate programs and other junk.

Here are the main changes that take place on the system (I've left out some of
the subkeys):

Registry
********
Keys added:
--------------

HKEY_CURRENT_USER\Software\IST
HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}
HKEY_CLASSES_ROOT\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
HKEY_CLASSES_ROOT\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}
HKEY_CLASSES_ROOT\YSBactivex.Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YSBactivex.dll

Values added:
----------------

HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658} "(Default)"
Type: REG_SZ Data: Installer Class

HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}\InprocServer32 "(Default)" Type: REG_SZ
Data: C:\WINDOWS\Downloaded Program Files\YSBactivex.dll

HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}\ProgID
"(Default)" Type: REG_SZ Data: YSBactivex.Installer

HKEY_CLASSES_ROOT\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
"(Default)" Type: REG_SZ Data: IInstaller

HKEY_CLASSES_ROOT\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\0\win32
"(Default)" Type: REG_SZ
Data: C:\WINDOWS\Downloaded Program Files\YSBactivex.dll

HKEY_CLASSES_ROOT\YSBactivex.Installer "(Default)" Type: REG_SZ Data:
Installer Class

HKEY_CLASSES_ROOT\YSBactivex.Installer\CLSID "(Default)" Type: REG_SZ
Data: {42F2C9BA-614F-47c0-B3E3-ECFD34EED658}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\Contains\Files
"C:\WINDOWS\Downloaded Program Files\YSBactivex.dll" Type: REG_SZ Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\DownloadInformation "CODEBASE"
Type: REG_SZ
Data: h**p://66.29.7.159/toolbar/cabs/free_access.cab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YSBactivex.dll ".Owner"
Type: REG_SZ Data: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658}

------------------------------------------------------------------------------

Files added:
---------------

c:\Documents and Settings\Andy Manchesta\Cookies\andy
(e-mail address removed)[1].txt
Size: 204 bytes

c:\Documents and Settings\Andy Manchesta\Local Settings\Temp\iinstall.exe
Size: 26,624 bytes

c:\Documents and Settings\Andy Manchesta\Local Settings\Temporary Internet
Files\Content.IE5\89UVGL6J\free_access[1].cab
Size: 31,931 bytes

c:\Documents and Settings\Andy Manchesta\Local Settings\Temporary Internet
Files\Content.IE5\RRSCMCGL\istdownload[1].exe
Size: 26,624 bytes

c:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Size: 69,632 bytes


So it's right for people to stay away from this site, but it's all done with
consent and not using any exploits to get onto the system. Just another junk
site to add to the list :)
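The listing above is exactly the kind of thing a tech wants to turn into a check they can run against a registry export from a customer's box. The script below is an added example, not code from AndyManchesta or anyone else in this thread. It parses a Regedit 5.00 export, collects every ActiveX Distribution Unit under the Code Store Database together with its CODEBASE, the files it shipped and its HKCR\CLSID registration, and flags the traits this install shows: a cab pulled over plain HTTP from a bare IP address, and a registered DLL that the unit did not ship. The sample .reg text is constructed from the keys posted above (CODEBASE kept defanged as posted, and the HKCR key kept with the lowercase "47c0" as posted, since registry paths are case-insensitive); the second, benign unit with the all-zero CLSID and the download.example.com URL is made up for contrast, and the flagging heuristics are mine.

```python
"""Audit a Regedit export for ActiveX Distribution Units that look like a
drive-by toolbar install.  Added example for this thread, not code from any
poster.  SAMPLE_REG is constructed from the keys listed in the thread plus
one hypothetical benign unit (made-up CLSID and URL)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DU_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}]
@="Installer Class"

[HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\YSBactivex.dll"

[HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}\ProgID]
@="YSBactivex.Installer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\Contains\Files]
"C:\\WINDOWS\\Downloaded Program Files\\YSBactivex.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\DownloadInformation]
"CODEBASE"="h**p://66.29.7.159/toolbar/cabs/free_access.cab"

; hypothetical benign unit, made up for contrast
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000000000001}\DownloadInformation]
"CODEBASE"="https://download.example.com/cabs/viewer.cab"
"""


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key: {value_name: data}}.  Only string values (@="..." / "n"="...")
    are handled, which is all the thread's listing uses."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        tree[key][name] = data
    return tree


@dataclass
class DistributionUnit:
    clsid: str
    codebase: str = ""
    files: list = field(default_factory=list)
    inproc_server: str = ""
    progid: str = ""
    findings: list = field(default_factory=list)


def assess(du):
    """Heuristics drawn from the install in the thread; they are mine."""
    if not du.codebase:
        return ["no CODEBASE recorded"]
    findings = []
    # posted analyses often defang URLs as h**p://; undo that for urlsplit
    parts = urlsplit(re.sub(r"^h\*\*p", "http", du.codebase, flags=re.I))
    if parts.scheme.lower() != "https":
        findings.append("codebase not served over https")
    if IPV4_RE.match(parts.hostname or ""):
        findings.append("codebase host is a bare IP address")
    shipped = {f.rsplit("\\", 1)[-1].lower() for f in du.files}
    if du.inproc_server and du.inproc_server.rsplit("\\", 1)[-1].lower() not in shipped:
        findings.append("InprocServer32 DLL not in Contains\\Files")
    return findings


def audit_distribution_units(reg_text):
    """One DistributionUnit per CLSID under the Code Store Database,
    cross-referenced with its HKCR\\CLSID registration."""
    # registry paths are case-insensitive: HKCR has "47c0", HKLM has "47C0"
    upper = {k.upper(): v for k, v in parse_reg(reg_text).items()}
    units = {}
    for key, values in upper.items():
        if not key.startswith(DU_PREFIX.upper()):
            continue
        rest = key[len(DU_PREFIX):].lstrip("\\")
        m = CLSID_RE.match(rest)
        if not m:
            continue
        du = units.setdefault(m.group(0), DistributionUnit(clsid=m.group(0)))
        sub = rest[m.end():].lstrip("\\")
        if sub == "DOWNLOADINFORMATION":
            du.codebase = values.get("CODEBASE", "")
        elif sub == "CONTAINS\\FILES":
            du.files.extend(values)          # value names are the file paths
    for du in units.values():
        hkcr = "HKEY_CLASSES_ROOT\\CLSID\\" + du.clsid
        du.inproc_server = upper.get(hkcr + "\\INPROCSERVER32", {}).get("(Default)", "")
        du.progid = upper.get(hkcr + "\\PROGID", {}).get("(Default)", "")
        du.findings = assess(du)
    return list(units.values())


if __name__ == "__main__":
    for du in audit_distribution_units(SAMPLE_REG):
        print(du.clsid, du.progid or "-", du.codebase)
        for f in du.findings:
            print("   !", f)
```

On a real machine, export the three hives of interest with `reg export` (HKCR\CLSID, the Code Store Database key and ModuleUsage) and feed the file to `audit_distribution_units`. The IST unit trips two of the heuristics; a unit that ships nothing but still has an InprocServer32 DLL registered trips the third, which is the pattern to look for when a control has been swapped after the original install.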
 
He may have his settings set to low, or he may have added this site into the
trusted zone. This is the only way (besides the site changing their code)
to get infected. I have always hit No when asked to install
something (unless I trusted the site), and have received 0 spyware for the
last 10 years.

 