Press F1 forum | Thread 49397 | 2004-09-18 01:57:00 | crvss.exe alert | started by drb1 (4492)
Post 273384 | 2004-09-18 01:57:00 | drb1 (4492)

crvss.exe: Google not yet listed, lives in winnt sys32 (of course). Sends large quantities of information somewhere. Detected by Zone Alarm as an outgoing request. Not detected by AVG or various other tools as yet. Constant running task refuses to be stopped in Task Manager. Makes computer slow, obviously. Remove from outside the operating system. FYI. D.

Post 273385 | 2004-09-18 02:10:00 | mark c (247)

Good on you. Any idea how/where you got this?

Post 273386 | 2004-09-18 02:17:00 | Spacemannz (808)

It could be this. It installs this file: securityresponse.symantec.com

Post 273387 | 2004-09-18 02:18:00 | drb1 (4492)

Mark c, you won't like this: here or Trade Me. I was here, I was there, then here, then Zone Alarm made a request, brand new program less than 3 minutes after install, no restart required. Very fast information upload. D.

Post 273388 | 2004-09-18 02:19:00 | Spacemannz (808)

Oops, try again.

When Backdoor.Sdbot.AB is executed, it performs the following actions:

Creates the following copy of itself:
  %System%\crvss.exe
  Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:
  "Windows media service"="crvss.exe"
to the following registry entries:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Attempts to access the network share folder $IPC. If the network share folder is password-protected, the Trojan horse attempts to gain access using the following user names and passwords:

User names: db2, oracle, dba, database, default, guest, wwwadmin, teacher, student, owner, computer, staff, admins, administrat, administrateur, administrador, administrator

Passwords: intranet, lan, main, winpass, blank, office, control, nokia, siemens, compaq, dell, cisco, ibm, orainstall, sqlpassoainstall, sql, db1234, db1, databasepassword, data, databasepass, dbpassword, dbpass, access, domainpassword, domainpass, domain, hello, hell, god, sex, ****, *****, ****, exchange, backup, technical, loginpass, login, mary, katie, kate, george, eric, chris, ian, neil, lee, brian, susan, sue, sam, luke, peter, john, mike, bill, fred, joe, jen, bob, qwe, zxc, asd, qaz, win2000, winnt, winxp, win2k, win98, windows, oeminstall, oemuser, oem, user, homeuser, home, accounting, accounts, internet, www, web, outlook, qwerty, null, server, system, changeme, linux, unix, demo, none, test, 2004, 2002, 2001, 2000, 1234567890, 123456789, 12345678, 1234567, 123456, 12345, 1234, 123, 007, pwd, pass, pass1234, passwd, password, password1, adm, db2, oracle, dba, database, default, guest, wwwadmin, teacher, student, owner, computer, staff, admins, administrat, administrateur, administrador, administrator

Opens a backdoor by connecting to the IRC server newuslut.parited.net on TCP port 6564, and listening for commands from a remote attacker. These commands may allow a remote attacker to perform some of the following actions:
  - Perform a Denial of Service (DoS) attack against a target host
  - Retrieve system information
  - Connect to a URL
  - Upload and download files
  - Execute programs
  - Log keystrokes
  - Sniff network packets
  - Conduct port scans against other computers
  - Steal the Windows Product ID

Steals CD keys for the following games:
  - Neverwinter Nights (Hordes of the Underdark)
  - Neverwinter Nights (Shadows of Undrentide)
  - Neverwinter Nights
  - Soldier of Fortune II - Double Helix
  - Software\Activision\Soldier of Fortune II - Double Helix
  - Hidden & Dangerous 2
  - Chrome
  - NOX
  - Command and Conquer: Red Alert 2
  - Command and Conquer: Red Alert
  - Command and Conquer: Tiberian Sun
  - Rainbow Six III RavenShield
  - Nascar Racing 2003
  - Nascar Racing 2002
  - NHL 2003
  - NHL 2002
  - FIFA 2003
  - FIFA 2002
  - Shogun: Total War: Warlord Edition
  - Need For Speed: Underground
  - Need For Speed Hot Pursuit 2
  - Medal of Honor: Allied Assault: Spearhead
  - Medal of Honor: Allied Assault: Breakthrough
  - Medal of Honor: Allied Assault
  - Global Operations
  - Command and Conquer: Generals
  - James Bond 007: Nightfire
  - Command and Conquer: Generals (Zero Hour)
  - Black and White
  - Battlefield Vietnam
  - Battlefield 1942 (Secret Weapons of WWII)
  - Battlefield 1942 (Road To Rome)
  - Battlefield 1942
  - Freedom Force
  - IGI 2: Covert Strike
  - Unreal Tournament 2004
  - Unreal Tournament 2003
  - Microsoft Windows Product ID ProductId
  - Soldiers Of Anarchy
  - Legends of Might and Magic
  - Industry Giant 2
  - Half-Life
  - Gunman Chronicles
  - The Gladiators
  - Counter-Strike

Removal:
  1. Disable System Restore.
  2. Click Start > Run. Type regedit, then click OK.
  3. Navigate to the keys:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value: "Windows media service"="crvss.exe"
  5. Exit the Registry Editor.
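Added here as a worked example, not code from the thread or from Symantec: a small Python triage script that turns the indicators in the write-up above (the "Windows media service" autorun value pointing at crvss.exe under Run/RunServices, and the IRC control channel on TCP 6564) into a host check. The registry dump and netstat lines inside it are constructed samples so it runs offline; the 203.0.113.5 address and the PIDs are made up. On a real XP box you would feed it the output of `reg export` for the two keys and `netstat -ano` instead.

```python
"""Host triage for the Backdoor.Sdbot.AB indicators quoted in the thread.

Added example, not code from the forum or from Symantec. The registry dump and
netstat output below are constructed samples so the script runs offline; on a
live host you would pass the real output of `reg export <key> out.reg` and
`netstat -ano` (XP layout with a PID column is assumed).
"""

# Indicators lifted from the write-up quoted above.
AUTORUN_VALUE_NAME = "Windows media service"
DROPPED_FILENAME = "crvss.exe"
C2_PORT = 6564
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample: a `reg export` of both keys from an infected host. One
# legitimate entry (ZoneAlarm) sits beside the Sdbot value. `reg export`
# doubles backslashes in REG_SZ data, which the parser undoes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"Windows media service"="crvss.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows media service"="crvss.exe"
"""

# Constructed sample `netstat -ano` output. 203.0.113.5 is a documentation
# address standing in for the IRC server; the PIDs are made up.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      203.0.113.5:6564       ESTABLISHED     1488
  TCP    192.168.1.10:1040      192.168.1.1:80         TIME_WAIT       0
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""


def parse_reg_export(text):
    """Parse a .reg dump into {key_path: {value_name: data}} (REG_SZ only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_autorun_indicators(reg_text):
    """Return (key, value_name, data) for autorun values matching the write-up."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            # Match on either the value name or the dropped file name, since a
            # variant could change one without the other.
            if (name.lower() == AUTORUN_VALUE_NAME.lower()
                    or data.lower().endswith(DROPPED_FILENAME)):
                hits.append((key, name, data))
    return hits


def find_c2_connections(netstat_text):
    """Return (remote_host, port, state, pid) for TCP sessions to the C2 port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        host, _, port = fields[2].rpartition(":")
        if port.isdigit() and int(port) == C2_PORT:
            hits.append((host, int(port), fields[3], fields[4]))
    return hits


def triage(reg_text, netstat_text):
    """Combine both checks; 'suspect' is True if either indicator is present."""
    autoruns = find_autorun_indicators(reg_text)
    c2 = find_c2_connections(netstat_text)
    return {"autoruns": autoruns, "c2": c2, "suspect": bool(autoruns or c2)}


if __name__ == "__main__":
    report = triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT)
    for key, name, data in report["autoruns"]:
        print(f"autorun: {key}  {name!r} = {data!r}")
    for host, port, state, pid in report["c2"]:
        print(f"c2 session: {host}:{port} {state} pid={pid}")
    print("verdict:", "suspect" if report["suspect"] else "clean")
```

The PID reported beside the 6564 session is the process to kill before deleting the registry values; as drb1 found, Task Manager may refuse, which is why the Symantec steps have you disable System Restore and edit the registry first, then remove the file from outside the running system.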
Post 273389 | 2004-09-18 02:40:00 | drb1 (4492)

Spacemannz, that's probably him. Why would they want old W2K product keys? And very little under his name on Google too. D.

Post 273390 | 2004-09-18 03:00:00 | Spacemannz (808)

It's a trojan/backdoor. That's what they do: steal information.