Solved

Any known security threats / issues with http://www.d-reports.org?

Posted on 2004-08-22
268 Views
Last Modified: 2013-12-04
Hi,

One of my customers received the following and inadvertently clicked on the hyper-link. Just wondering if anyone knows of any security scams relating to this site? We figured that since he had already been there we wouldn't do any more damage by going there again - which we did - the site does some WEIRD things - redirects etc - and culminates with the local system asking permission to replace a file (which we declined).

I've scanned with Spy-bot and Adaware (both -ve) - and can't see anything on www.sarc.com.

Anyone got any knowledge on this site?

PS: Be very cautious about going there!!!

Cheers,

Mav
-----------------

Hello,

Do you know that you identity was stolen? Lots of people suffer from identity theft. But they don’t care of their credit history until it becomes too late.

It is evident that your identity had already been stolen and fraudulently used. We strongly encourage you to take all of the appropriate steps in order to safely recover from this unfortunate situation. Please never let your identity be stolen again!

It is strongly recommended that you visit http://www.d-reports.org and learn the steps that will help you recover from this stressful matter.

Our organization is founded in 2002. Our aim is to track and fight identity theft. It is obvious that your identity was stolen. Not only can mother maiden names be read from stolen identities, but even e-mail addresses are sometimes read there. Be careful in future!

D-Reports & Associates
http://www.d-reports.org

Question by:The_Maverick
9 Comments
 
LVL 2

Author Comment

by:The_Maverick
ID: 11867201
Additional Info ...

As a precaution I've installed SP2 for WinXP on this PC - and immediately following the reboot we got a security alert saying that the WinXP firewall has blocked access to Njdjfc32 (in the C:\Windows\System32 folder) - with a message to the effect that this file was "listening for incoming data from the internet".

A quick "properties" on this file tells me that it was created at the time of the PC's last boot - several references to it in the registry, but nothing I understood.
0
 
LVL 2

Author Comment

by:The_Maverick
ID: 11867393
Further update ...

This does indeed appear to be a new virus. WinXP SP2 Firewall stops it listening to the outside world - if you delete it, it reappears under a different name - it appears to shut down Task Manager after a period of time.

Removing it appears to be simple - just check your startup folder off the start button - this PC had the entry Server[1]

Hope this helps someone.

I'll give the points to the first person who can post some more in-depth info about it.

Cheers,

Mav.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11873180
Let me do some checking... based on what I see with the information provided here and some preliminary stuff, this appears to be of "malicious" intent...
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11873582
Doing some additional checking, and I would say that this is most likely malicious, though I have not been able to find anything as of yet. Adaware and Spybot S&D have turned up nothing, running two different virus scanners atm. Noticed with a netstat that I have a slew of new entries in there since I rebooted my pc after clicking the link (yes, I am a curious SOB when it comes to stuff like this ;) ). The new entries are as follows:

  TCP    Computer:1107           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1108           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:kpop           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1110           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1146           66.35.253.32:http      TIME_WAIT
  TCP    Computer:1156           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1157           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1164           a168-215-49-30.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1165           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1166           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1167           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED

A whois turns up the following:

66.35.253.32
Record Type:   IP Address
 
OrgName:    Cable & Wireless
OrgID:      EXCW
Address:    3300 Regency Pkwy
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange:   66.35.192.0 - 66.35.255.255
CIDR:       66.35.192.0/18
NetName:    SC8-2
NetHandle:  NET-66-35-192-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:    * Rwhois reassignment information for this block is available at:
Comment:    * rwhois.exodus.net 4321
Comment:    * For abuse please contact abuse@exodus.net
RegDate:    
Updated:    2004-05-05

TechHandle: ZC221-ARIN
TechName:   Cable & Wireless
TechPhone:  +1-919-465-4023
TechEmail:  ip@gnoc.cw.net

OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-800-213-5127
OrgNOCEmail:  ipnoc@savvis.net

OrgTechHandle: EIAA-ARIN
OrgTechName:   Exodus IP Address Administration
OrgTechPhone:  +1-888-239-6387
OrgTechEmail:  ipaddressadmin@exodus.net

OrgTechHandle: GIAA-ARIN
OrgTechName:   Global IP Address Administration
OrgTechPhone:  +1-919-465-4096
OrgTechEmail:  ip@gnoc.cw.net

*******************************************

168.215.49.30
Record Type:   IP Address

OrgName:    Time Warner Telecom
OrgID:      TWTC
Address:    10475 Park Meadows Drive
City:       Littleton
StateProv:  CO
PostalCode: 80124
Country:    US

ReferralServer: rwhois://rwhois.twtelecom.net:4321

NetRange:   168.215.0.0 - 168.215.255.255
CIDR:       168.215.0.0/16
NetName:    TWTELECOM-COM
NetHandle:  NET-168-215-0-0-1
Parent:     NET-168-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.MILW.TWTELECOM.NET
NameServer: NS1.IPLT.TWTELECOM.NET
NameServer: NS1.ORNG.TWTELECOM.NET
Comment:    
RegDate:    2000-11-28
Updated:    2001-09-26

TechHandle: ZT87-ARIN
TechName:   Time Warner Telecom
TechPhone:  +1-800-898-6473
TechEmail:  ipmanager@twtelecom.net

OrgAbuseHandle: TWTAD-ARIN
OrgAbuseName:   Time Warner Telecom Abuse Desk
OrgAbusePhone:  +1-800-898-6473
OrgAbuseEmail:  abuse@twtelecom.net

OrgNOCHandle: TDN1-ARIN
OrgNOCName:   TWTC Data NOC
OrgNOCPhone:  +1-800-898-6473
OrgNOCEmail:  support@twtelecom.net

OrgTechHandle: NST12-ARIN
OrgTechName:   NOC SWIP Team
OrgTechPhone:  +1-800-898-6473
OrgTechEmail:  swip@twtelecom.com

**********************************

Registrant:
   duke, raul  
   (38210886P)  
   637 Upton Street
   Redwood City, CA 94061  
   US  
   Phone: 650-255-5806  
     
   Domain Name: D-REPORTS.ORG  
 
   Administrative Contact , Technical Contact :    
   duke, raul  
   (38210886P)  
   m_phaneuf991@hotmail.com  
   637 Upton Street
   Redwood City, CA 94061  
   US  
   Phone: 650-255-5806  
     
   Record expires on 29-Jul-2005  
   Record created on 29-Jul-2004  
   Database last updated on 29-Jul-2004  
 
   Domain servers in listed order:
 
   NS1.NO-IP.COM  216.66.37.10    
   NS2.NO-IP.COM  64.156.198.160    
   NS3.NO-IP.COM  64.156.198.151    
   NS4.NO-IP.COM  64.39.31.103    
   NS5.NO-IP.COM  212.100.249.200    
IP Address: 81.208.38.3
IP Location: IT(ITALY)
Data as of: 08-Jun-2004

*****************************************

The server "hosting" this domain is listed as out of the country, though the registrant claims a CA address, which I would tend to see as suspicious. I will keep digging, and post the results of the other scans I will be attempting in the next few minutes.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11874093
CWShredder - nothing found
Housecall - nothing found
Stinger - nothing found

Here is the HJT log, though I am not seeing anything offhand that I would think would be out of the ordinary...

Logfile of HijackThis v1.97.7
Scan saved at 2:19:22 PM, on 8/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Compaq\VCRepository\cpqsrhmo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\DMI\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
P:\NALDESK.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\BMC Software\BMCAIA_NT\bin\etescdlg.exe
C:\WINNT\system32\RUNDLL32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe
C:\Program Files\Network Associates\VirusScan\MCCONSOL.EXE
C:\Program Files\Network Associates\VirusScan\scan32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/en/home/us/enterprise.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.trendmicro.com/en/home/us/personal.htm"); (C:\Documents and Settings\Username\Application Data\Mozilla\Profiles\default\dzt1h9ne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Username\Application Data\Mozilla\Profiles\default\dzt1h9ne.slt\prefs.js)
O1 - Hosts: server-au.imrworldwide.com localhost
O1 - Hosts: server-uk.imrworldwide.com localhost
O1 - Hosts: server-dk.imrworldwide.com localhost
O1 - Hosts: server-fi.imrworldwide.com localhost
O1 - Hosts: server-us.imrworldwide.com localhost
O1 - Hosts: server-nz.imrworldwide.com localhost
O1 - Hosts: server-sg.imrworldwide.com localhost
O1 - Hosts: server-se.imrworldwide.com localhost
O1 - Hosts: server-no.imrworldwide.com localhost
O1 - Hosts: server-pl.imrworldwide.com localhost
O1 - Hosts: server-de.imrworldwide.com localhost
O1 - Hosts: server-by.imrworldwide.com localhost
O1 - Hosts: server-ee.imrworldwide.com localhost
O1 - Hosts: server-lv.imrworldwide.com localhost
O1 - Hosts: server-lt.imrworldwide.com localhost
O1 - Hosts: server-ru.imrworldwide.com localhost
O1 - Hosts: server-ua.imrworldwide.com localhost
O1 - Hosts: server-jp.imrworldwide.com localhost
O1 - Hosts: server-it.imrworldwide.com localhost
O1 - Hosts: server-br.imrworldwide.com localhost
O1 - Hosts: telstra.imrworldwide.com localhost
O1 - Hosts: ninemsn.imrworldwide.com localhost
O1 - Hosts: secure-au.imrworldwide.com localhost
O1 - Hosts: secure-us.imrworldwide.com localhost
O1 - Hosts: secure-uk.imrworldwide.com localhost
O1 - Hosts: secure-jp.imrworldwide.com localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TACMTRAY] D:\Program Files\BMC Software\BMCAIA_NT\bin\tacmtray.exe
O4 - HKLM\..\Run: [ETESCDLG] D:\Program Files\BMC Software\BMCAIA_NT\bin\etescdlg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Startup: DBabble.lnk = C:\Program Files\DBabble\DBabble.exe
O4 - Global Startup: BOINC.lnk = D:\Program Files\BOINC\boinc_gui.exe
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17a7823e2198b2c4f515/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.2534259259
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/hitthepros03/shockwave/wtinst.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab

0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11895795
Further digging leads me to believe that this might be a worm.... I will post the article that leads me to believe this once I feel more confident in the response....
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11895899
Try taking a look at http://support.microsoft.com/default.aspx?scid=kb;en-us;836528

I believe this might be what is being passed. Because of my environment, I cannot be 100% certain as the page did not do everything that it was supposed to do, however, a scan with their checker determined that I had remnants of one of the worms listed here (which I had not had prior to yesterday) and after downloading the util, I scanned as being clean. Still do not know why none of the scanners I used yesterday picked it up...
0
 
LVL 8

Accepted Solution

by: RevelationCS earned 500 total points
ID: 11895942
See also http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A

This is the latest variant of the MyDoom virus and appears to be the likely culprit...
0
 
LVL 2

Author Comment

by:The_Maverick
ID: 11921089
Thanks for all your efforts there - Symantec (eventually) confirmed it as a new virus, which we'd pretty much figured out ourselves - wonderful eh?
0
