plun said:Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending loop.
If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which comes
in the system tray. This is really annoying for the user with both this
warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error during
cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll -> Downloader.SpyAxe :
Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
Thanks - this is bad news that AVG is missing the payload. The revised
bulletin has a list of vendors who are claiming detection--AVG wasn't on the
list.
I hope that they (AVG) will get some feedback, preferably from paying
customers, about that.
--
plun said:Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending loop.
If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which comes
in the system tray. This is really annoying for the user with both this
warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error during
cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll -> Downloader.SpyAxe :
Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
plun said:Hi Bill
I also tested it with my TrenMicro PC Cillin and it comes
up with the Trojan.Nascene directly
But this is "Social Engineering" and I understand MS.
Mostly of this is spread within Internets cloak so
a lot of users maybe learns a lesson about crackz,
prOn and gambling.
But it´s a hard way.
Hopefully these trojans will be out of respected sites until
MS patch.
regards
plun
Bill Sanderson formulated on tisdag :Thanks - this is bad news that AVG is missing the payload. The revised
bulletin has a list of vendors who are claiming detection--AVG wasn't on
the list.
I hope that they (AVG) will get some feedback, preferably from paying
customers, about that.
--
plun said:Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending
loop. If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which comes
in the system tray. This is really annoying for the user with both
this warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error
during cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll -> Downloader.SpyAxe
: Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
http://www.microsoft.com/technet/security/advisory/912840.mspx
Presently, they are targetting a patch release with the normal monthly
security patches, on January 10th.
http://blogs.technet.com/msrc/
has a new post today. It is interesting reading I think. Knowledgable folks
disagree on how this is being handled--Sans.org seems to be upset, although I
can't reliably read their pages at the moment.
Do you have any picture about the "how" of the infected machines you've seen?
i.e. what kinds of actions led to the infection?
--
plun said:Hi Bill
I also tested it with my TrenMicro PC Cillin and it comes
up with the Trojan.Nascene directly
But this is "Social Engineering" and I understand MS.
Mostly of this is spread within Internets cloak so
a lot of users maybe learns a lesson about crackz,
prOn and gambling.
But it´s a hard way.
Hopefully these trojans will be out of respected sites until
MS patch.
regards
plun
Bill Sanderson formulated on tisdag :Thanks - this is bad news that AVG is missing the payload. The revised
bulletin has a list of vendors who are claiming detection--AVG wasn't on
the list.
I hope that they (AVG) will get some feedback, preferably from paying
customers, about that.
--
Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending loop.
If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which comes
in the system tray. This is really annoying for the user with both this
warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error during
cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll -> Downloader.SpyAxe
: Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
http://www.microsoft.com/technet/security/advisory/912840.mspx
Presently, they are targetting a patch release with the normal monthly
security patches, on January 10th.
plun said:Hi Bill
It´s exactly this warning as reported from F-Secure
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
and then also MSAS Spyaxe red box warning.
The user tried to remove it with MSAS but this was an endless loop.
I cannot say what actions lead to this beacuse I was putting
up an wireless router/DSL connection when I saw this Spyaxe warning from
MSAS and talk with an angry/frustrated user/owner
I can check his IE history tomorrow beacuse I don´t believe he
is an "Tracks eraser" user
Nevertheless I´m sure that this comes from the lower parts of
Internet......... (and MS is also aware of this)
So this exploit will probably only hit unprotected small business/home
users and never hit larger corporate protected users or home users with
paid subscription from major vendors.
Maybe hard............
regards
plun
Bill Sanderson submitted this idea :http://blogs.technet.com/msrc/
has a new post today. It is interesting reading I think. Knowledgable
folks disagree on how this is being handled--Sans.org seems to be upset,
although I can't reliably read their pages at the moment.
Do you have any picture about the "how" of the infected machines you've
seen? i.e. what kinds of actions led to the infection?
--
plun said:Hi Bill
I also tested it with my TrenMicro PC Cillin and it comes
up with the Trojan.Nascene directly
But this is "Social Engineering" and I understand MS.
Mostly of this is spread within Internets cloak so
a lot of users maybe learns a lesson about crackz,
prOn and gambling.
But it´s a hard way.
Hopefully these trojans will be out of respected sites until
MS patch.
regards
plun
Bill Sanderson formulated on tisdag :
Thanks - this is bad news that AVG is missing the payload. The revised
bulletin has a list of vendors who are claiming detection--AVG wasn't
on the list.
I hope that they (AVG) will get some feedback, preferably from paying
customers, about that.
--
Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending
loop. If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which
comes
in the system tray. This is really annoying for the user with both
this warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error
during cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll ->
Downloader.SpyAxe
: Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
http://www.microsoft.com/technet/security/advisory/912840.mspx
Presently, they are targetting a patch release with the normal
monthly security patches, on January 10th.
I'm not the kind of person who says that a user who visits a "bad" site
deserves what they get. That may be true, but it sure isn't a principle I
want to go by.
I don't think that kind of thinking is in Microsoft's calculus about this
issue, either, although it may well work out that it is the case, in the end.
Even a 1 percent "problem" with a released patch is likely to impact far
more people than are likely to go to the sites currently making use of the
exploit. They really do need to do that testing, I believe, and I'm quite
sure that they've put a lot of thought into whether it could be done faster.
Between creating the testing for all the languages and versions of Windows,
and also beta testing with third parties, there's a good deal of time
involved. And I believe that experience has proven the third-party testing
to be valuable--no easy shortcuts.
--
plun said:Hi Bill
It´s exactly this warning as reported from F-Secure
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
and then also MSAS Spyaxe red box warning.
The user tried to remove it with MSAS but this was an endless loop.
I cannot say what actions lead to this beacuse I was putting
up an wireless router/DSL connection when I saw this Spyaxe warning from
MSAS and talk with an angry/frustrated user/owner
I can check his IE history tomorrow beacuse I don´t believe he
is an "Tracks eraser" user
Nevertheless I´m sure that this comes from the lower parts of
Internet......... (and MS is also aware of this)
So this exploit will probably only hit unprotected small business/home
users and never hit larger corporate protected users or home users with
paid subscription from major vendors.
Maybe hard............
regards
plun
Bill Sanderson submitted this idea :http://blogs.technet.com/msrc/
has a new post today. It is interesting reading I think. Knowledgable
folks disagree on how this is being handled--Sans.org seems to be upset,
although I can't reliably read their pages at the moment.
Do you have any picture about the "how" of the infected machines you've
seen? i.e. what kinds of actions led to the infection?
--
Hi Bill
I also tested it with my TrenMicro PC Cillin and it comes
up with the Trojan.Nascene directly
But this is "Social Engineering" and I understand MS.
Mostly of this is spread within Internets cloak so
a lot of users maybe learns a lesson about crackz,
prOn and gambling.
But it´s a hard way.
Hopefully these trojans will be out of respected sites until
MS patch.
regards
plun
Bill Sanderson formulated on tisdag :
Thanks - this is bad news that AVG is missing the payload. The revised
bulletin has a list of vendors who are claiming detection--AVG wasn't on
the list.
I hope that they (AVG) will get some feedback, preferably from paying
customers, about that.
--
Hi Bill
A little about payloads......... just cleaned a PC.
- MSAS detects Spyaxe as a threat with a red box warning.
- MSAS do not detect the trojandownloader so this is a never ending
loop. If a user tries to remove this threat it comes back directly
- AVG Free also misses this trojan.
- MSAS and AVG cannot remove the false Security warning box which comes
in the system tray. This is really annoying for the user with both
this warning and MSAS warning.
Ewido detects and removes it
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:44:05, 2006-01-03
+ Report-Checksum: 894FB3A8
+ Scan result:
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}
-> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006\Software\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
HKU\S-1-5-21-1473459552-3187154459-749617727-1006_Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}
-> Downloader.SpyAxe : Cleaned with backup
[972] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Error
during cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__wbeconm.dll ->
Downloader.SpyAxe
: Cleaned with backup
::Report End
Done
--
plun
Bill Sanderson brought next idea :
http://www.microsoft.com/technet/security/advisory/912840.mspx
Presently, they are targetting a patch release with the normal monthly
security patches, on January 10th.
Thanks for the additional info Plun.
--
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
plun said:Hi Andre
If you want to explore this exploit closer
I have som URLs which I can send to you.
With IE6 it´s "automagic" > out of control ........
But who knows ? I believe that MS have this under control.
regards
plun
Andre Da Costa pretended :