Comments on: Another Identity Theft Story http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2 Fri, 18 May 2012 09:34:59 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jonah http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10147 Jonah Thu, 28 Aug 2008 23:32:55 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10147 Hi, I ran into the downloader.z virus today on one of my client's workstations. This blog definitely drove the concept of safe computing home to him. I found that I was able to remove it by first identifying the name of the .dat file created in the windows\system32 directory. Look for any .dat files starting with two underscores. Once identified,boot the workstation with the WinXP CD and start Recovery Mode. From the DOS prompt, changed to the system32 folder (cd \windows\system32) then removed the .dat file (del __*.dat). Once this is gone, reboot from the hard drive and start regedit. Navigate to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Delete the key with the same name as the .dat file (will start with two underscores). If downloader.z was the only infection on the workstation, this completes the removal as far as I can determine on initial examination. Hi,
I ran into the downloader.z virus today on one of my client’s workstations. This blog definitely drove the concept of safe computing home to him. I found that I was able to remove it by first identifying the name of the .dat file created in the windows\system32 directory. Look for any .dat files starting with two underscores. Once identified,boot the workstation with the WinXP CD and start Recovery Mode. From the DOS prompt, changed to the system32 folder (cd \windows\system32) then removed the .dat file (del __*.dat). Once this is gone, reboot from the hard drive and start regedit. Navigate to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Delete the key with the same name as the .dat file (will start with two underscores). If downloader.z was the only infection on the workstation, this completes the removal as far as I can determine on initial examination.

]]> By: Jennifer http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10146 Jennifer Wed, 20 Aug 2008 20:49:42 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10146 Hi, I am new to all of this computer stuff. I run McAfee virus software. I have found the downloader.z virus on my computer. It won't allow me to move, delete or clean the file. Can you please advise me how to proceed as I don't want to be a part of identity scams. Thanks, Jennifer Hi,
I am new to all of this computer stuff. I run McAfee virus software. I have found the downloader.z virus on my computer. It won’t allow me to move, delete or clean the file. Can you please advise me how to proceed as I don’t want to be a part of identity scams.

Thanks,
Jennifer

]]> By: Deepak http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10145 Deepak Tue, 08 Apr 2008 04:58:56 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10145 well congrats to you for such a nice research but I am happy to say that My antivirus had successfully detected this virus and I am safe ... I am using Eset Smart Security ..:) well congrats to you for such a nice research but I am happy to say that My antivirus had successfully detected this virus and I am safe …

I am using Eset Smart Security ..:)

]]> By: ChaosKaizer http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10144 ChaosKaizer Sat, 24 Nov 2007 02:44:10 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10144 Amazing very details analysis. I was looking for "JS/Exploit.ADODB.Stream NAP Trojan" when i found this blog. Anyway I found a website that distribute part of this trojan - 72.232.214.18 thanks Amazing very details analysis. I was looking for “JS/Exploit.ADODB.Stream NAP Trojan” when i found this blog.

Anyway I found a website that distribute part of this trojan – 72.232.214.18

thanks

]]> By: IRTGuy http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10143 IRTGuy Thu, 31 May 2007 17:00:52 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10143 I did the forensics on one of these back in October... The version I was looking at did a very good job of cleaning up after itself. The only reason I got half of what I did was yanking the power out of the back of the computer, leaving stuff in the pagefile, some random stuff in freespace, etc... Scary stuff. I did the forensics on one of these back in October… The version I was looking at did a very good job of cleaning up after itself. The only reason I got half of what I did was yanking the power out of the back of the computer, leaving stuff in the pagefile, some random stuff in freespace, etc…

Scary stuff.

]]> By: PAGET Francois http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10142 PAGET Francois Wed, 30 May 2007 06:51:40 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10142 When we discovered this threat, some files involved in this attack were not detected. Submissions to websites like AVcomparatives.org showed some dangerous misses. Now - and for these files - the situation is improving. But, as you could read in our topic, an administrator web site existed. It disappeared after our investigations, but no doubt he is now running under a new IP address. To prove this, please note the collector web size is up again; it doubled between last Saturday and now. No doult also it distributes updated malware in order to impede our progress. Consequently, up-to-date anti-viruses with a large detection spectrum is more than ever essential face to such attacks which use downloaders, keylogger, PWS, bot and others kind of malware. I cannot confirm the security tools you quoted detects all the elements involved in this threat but I also cannot assert the opposite. When we discovered this threat, some files involved in this attack were not detected. Submissions to websites like AVcomparatives.org showed some dangerous misses. Now – and for these files – the situation is improving. But, as you could read in our topic, an administrator web site existed. It disappeared after our investigations, but no doubt he is now running under a new IP address. To prove this, please note the collector web size is up again; it doubled between last Saturday and now. No doult also it distributes updated malware in order to impede our progress. Consequently, up-to-date anti-viruses with a large detection spectrum is more than ever essential face to such attacks which use downloaders, keylogger, PWS, bot and others kind of malware. I cannot confirm the security tools you quoted detects all the elements involved in this threat but I also cannot assert the opposite.

]]> By: Surfer http://blogs.mcafee.com/mcafee-labs/another-identity-theft-story-2/comment-page-1#comment-10141 Surfer Sun, 27 May 2007 02:18:05 +0000 http://blogs.mcafee.com/2007/05/25/another-identity-theft-story-2/#comment-10141 Wow! The research, that you have done guys is really fascinating, but please make it clear for me. If I had any of the anti-keylogging software listed here(http://anti-keylogger.org/) installed(the most popular and giving the most strong protection from keylogging as I can understand) would this site pose a threat fro me? Or not? Wow! The research, that you have done guys is really fascinating, but please make it clear for me. If I had any of the anti-keylogging software listed here(http://anti-keylogger.org/) installed(the most popular and giving the most strong protection from keylogging as I can understand) would this site pose a threat fro me? Or not?

]]>