The IE Exploit URLs on IRC


Crazy Squirrel (***** *****istrator, Keeper of the BOOM S) | Joined May 28, 2001 | 3,955 posts | London, UK
As some of you know, there are a few IE exploits going round on the forums...

Best advice? Change your default browser to something other than IE.

Second best advice: before you click a link, wait 30 seconds to see if they lose their connection - a classic sign that the exploit rebooted them and posted the link to their mIRC.


What does it do?

Well, it seems to mess around with notepad.exe and mirc.exe, how exactly I'm not sure. The mirc.exe in c:\ just seems to be the trojan file which aims to crash your machine. notepad.exe seems to get infected, and when you run it it reactivates the trojan...
The infected notepad.exe is 225kb and will be in the system dir. The legit notepad.exe should be 64.5kb (at least in XP).

The virus is identified as Win32:Natali
Information:
http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=58420&VName=TROJ_NATALI.A
http://fr.trendmicro-europe.com/ent...tail.php?id=58420&VName=TROJ_NATALI.A&VSect=T

Make sure you get rid of the dodgy files in c:\ and the fix.bat in the startup folder. Get rid of the dodgy notepad.exe and copy the legit one into the system dir (so it works when you click your shortcut). You may need to boot into safe mode.


For a free virus scanner I recommend Avast: http://www.avast.com/i_idt_1016.html
AVG has gotten a bit poo recently; it didn't pick up Natali when I tried the other day.
 
Yeah, it does seem to destroy its own payload (fix.bat actually undoes the notepad.exe damage, it seems), but it doesn't seem consistent.
 
I had some update issues with AVG, but I patched it like necers said and scanned again, np. Doing Avast now... (waits sum), found nothing.
 
Depends really; with these ones being put on IRC it is quite obvious to the average user that they are doing something bad - i.e. it reboots the machine and some funny windows pop up. But there are, or will be, sites out there that do it with more stealth.

For example, anyone viewing the 'screen shots thread' link without some sort of firewall to stop the dropped trojan would have been in shit street without knowing they'd been compromised. It's not as if virus scanners are picking all these things up :| Still to find something that detects the trojan from the 'screen shot' thread.

MS really need to get some patches out asap. :(

Good link btw, House call is a good online scanner.
 
For two days already I see a winlogon.exe in the Task Manager; it's auto-launched on startup, and when I try to kill the process, Windows reports that it is not possible to kill this particular (critical) process.

The file is located in C:\WINDOWS\winlogon.exe, 114 kb in size. Does anyone know what it does? Maybe I've just not noticed it over the years and it has always been there :P

NAV hasn't reported anything scanning this file (with newest info) so far (I'm following Miners advice since I've seen this news :P) but I've not done a complete AV scan as this takes ages usually and there doesn't seem to be any sign of a virus yet.
 
I'm not 100% sure but I think Search and Destroy removed it. I'll scan my home PC later, else I have to follow the Norton manual (disable system restore etc.)
 
Posting all the sensible reasons to drop IE as your browser, for sheer security reasons alone, would take up more screen real estate and time than I can possibly be arsed. Just know that it is easier than you could ever expect to deliver a malicious payload, i.e. a trojan etc., to your machine using fully disclosed techniques readily available. The rate at which MS patches these known bugs is appalling and does nothing to secure the regular end user.

Also, as I've pointed out earlier, AV software is _not_ well equipped to detect trojans; while trojan scanners are available, some of which I am told are quite good, it's still not an intelligent solution... your computer will still be vulnerable for as long as you choose to trust MS out-of-the-box technology.

Other browsers are vulnerable to various security problems as well, needless to say, but none to the extent IE is.
 
sobo said:
For two days already I see a winlogon.exe in the Task Manager; it's auto-launched on startup, and when I try to kill the process, Windows reports that it is not possible to kill this particular (critical) process.

The file is located in C:\WINDOWS\winlogon.exe, 114 kb in size. Does anyone know what it does? Maybe I've just not noticed it over the years and it has always been there :P

NAV hasn't reported anything scanning this file (with newest info) so far (I'm following Miners advice since I've seen this news :P) but I've not done a complete AV scan as this takes ages usually and there doesn't seem to be any sign of a virus yet.

Just searched for it on Google and found This page. Reading it suggests that you'll need to do a full system scan with an AV program.
 
Be careful there, the page says:

winlogin - winlogin.exe - Process Information
Process File: winlogin or winlogin.exe
Process Name: Winlogin

I have a process called winlogON.exe in my Task Manager all the time, and regarding my always-updated Norton and ZoneAlarm I think it's barely possible that I caught a virus. Hence I think winlogON.exe is the proper Windows file, so if you have it running everything is OK.
 
Possible variation on this:

Source site definition: http://www.irchighway.net/modules.php?name=News&file=article&sid=76

Some users on IRC have been infected with a trojan which leaves the following files:
If you are infected, there are two files on your hard drive that need deletion: dllhost32.exe and winumc.exe.

There is also a script that should be unloaded from mIRC: custom1.mrc. You can then delete the file.
Please update Anti Virus definitions and software firewalls, and be careful of clicking URLs from people you do not know on IRC.
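A quick way to check a box (or a mounted offline copy of its drive) for the file indicators named in this thread, both the Natali post above (c:\mirc.exe, fix.bat in the Startup folder, an oversized notepad.exe in the system dir) and the IRChighway variant here (dllhost32.exe, winumc.exe, custom1.mrc). This is an added example, not code from the thread or from any of the sites it links; the directory layout, the sample tree and the size tolerance are assumptions, and the thread gives no location for the variant's files, so those are searched for anywhere under the root.

```python
import os
import tempfile

# Indicators quoted in the thread. Only the Natali files come with a location
# (C:\mirc.exe, fix.bat in the Startup folder, notepad.exe in the system dir);
# the IRChighway variant's files are searched for anywhere under the root.
VARIANT_FILES = {"dllhost32.exe", "winumc.exe", "custom1.mrc"}
LEGIT_NOTEPAD_BYTES = int(64.5 * 1024)  # "64.5kb" on XP as quoted (approximate)
NOTEPAD_TOLERANCE = 4 * 1024            # assumption: allow small build-to-build variation

def notepad_size_suspect(size):
    """True when notepad.exe is far from the legit XP size (the infected copy is ~225kb)."""
    return abs(size - LEGIT_NOTEPAD_BYTES) > NOTEPAD_TOLERANCE

def triage(root, system_dir, startup_dir):
    """Return sorted (indicator, path) pairs found under root. The three
    directories stand in for C:\\, the system directory and the Startup folder,
    so the check can run against any tree, e.g. a mounted offline image."""
    findings = []
    mirc = os.path.join(root, "mirc.exe")
    if os.path.isfile(mirc):
        findings.append(("natali-dropper", mirc))
    fixbat = os.path.join(startup_dir, "fix.bat")
    if os.path.isfile(fixbat):
        findings.append(("natali-startup", fixbat))
    notepad = os.path.join(system_dir, "notepad.exe")
    if os.path.isfile(notepad) and notepad_size_suspect(os.path.getsize(notepad)):
        findings.append(("notepad-size-mismatch", notepad))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in VARIANT_FILES:
                findings.append(("variant-file", os.path.join(dirpath, name)))
    return sorted(findings)

def build_sample_tree():
    """Constructed stand-in for an infected XP drive: every file is filler
    bytes of the size the thread quotes, not real malware."""
    root = tempfile.mkdtemp(prefix="natali-demo-")
    system_dir = os.path.join(root, "WINDOWS", "system32")
    startup_dir = os.path.join(root, "Documents and Settings", "user", "Startup")
    mirc_dir = os.path.join(root, "Program Files", "mIRC")
    for d in (system_dir, startup_dir, mirc_dir):
        os.makedirs(d)
    for path, size in ((os.path.join(root, "mirc.exe"), 1024),
                       (os.path.join(startup_dir, "fix.bat"), 64),
                       (os.path.join(system_dir, "notepad.exe"), 225 * 1024),
                       (os.path.join(mirc_dir, "custom1.mrc"), 64)):
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return root, system_dir, startup_dir
```

Run `triage(*build_sample_tree())` to see all four indicator kinds fire on the constructed tree; against a real drive, pass the drive root, its system directory and the Startup folder, and treat any hit as a reason to do the full scan and clean-up the thread describes.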
 
I was one of the infected with ^^^, and did a full virus scan with Norton this morning.
Apparently it got rid of it itself.
 
sobo said:
for two days already I see a winlogon.exe in the Task Manager, it's auto launched on startup, and when I try to kill the process, windows reports that it is not possible to kill this particular (critical) process.

The file is located in C:\WINDOWS\winlogon.exe 114 kb in size. Does anyone know what it does?`Maybe Ive just not noticed it over the years and it has always been there :P
WINLOGON.EXE - that's the process, like the name already says, the WINDOWS LOGON process, to log you on to your machine with a supplied username and password.

It's impossible to kill it, and it's NOT a VIRUS/TROJAN. Don't think of disabling it ever, I've warned you! :P
 
So it's just the Trojan Poof copied onto my machine to view my pr0n, innit? :P


Logon ?:eek:
I've never needed to log on with a username/password since I've got my comp (using WinXP Prof).
 
I installed Mozilla's Firefox and tried it for some days for security reasons.
That thing is crap; it's only able to correctly display every other hp. Maybe that's just coz of the webbys being optimized for IE, but it's still annoying.
 
It's definitely not "crap"; the Mozilla family of browsers are the most compliant of all web browsers, that's the whole idea of the project, so maybe the websites you visit are all crap?