The_Maverick
Any known security threats / issues with http://www.d-reports.org?

Hi,

One of my customers received the following and inadvertently clicked on the hyperlink. Just wondering if anyone knows of any security scams relating to this site? We figured that since he had already been there we wouldn't do any more damage by going there again - which we did - the site does some WEIRD things - redirects etc. - and culminates with the local system asking permission to replace a file (which we declined).

I've scanned with Spybot and Ad-Aware (both negative) - and can't see anything on www.sarc.com.

Anyone got any knowledge on this site?

PS: Be very cautious about going there!!!

Cheers,

Mav
-----------------

Hello,

Do you know that your identity was stolen? Lots of people suffer from identity theft. But they don't care about their credit history until it becomes too late.

It is evident that your identity had already been stolen and fraudulently used. We strongly encourage you to take all of the appropriate steps in order to safely recover from this unfortunate situation. Please never let your identity be stolen again!

It is strongly recommended that you visit http://www.d-reports.org and learn the steps that will help you recover from this stressful matter.

Our organization was founded in 2002. Our aim is to track and fight identity theft. It is obvious that your identity was stolen. Not only can mother's maiden names be read from stolen identities, but even e-mail addresses are sometimes read there. Be careful in future!

D-Reports & Associates
http://www.d-reports.org

The_Maverick

ASKER

Additional Info ...

As a precaution I've installed SP2 for WinXP on this PC - and immediately following the reboot we got a security alert saying that the WinXP firewall has blocked access to Njdjfc32 (in the C:\Windows\System32 folder) - with a message to the effect that this file was "listening for incoming data from the internet".

A quick "properties" on this file tells me that it was created at the time of the PC's last boot - several references to it in the registry, but nothing I understood.
Further update ...

This does indeed appear to be a new virus. The WinXP SP2 firewall stops it listening to the outside world - if you delete it, it reappears under a different name - it appears to shut down Task Manager after a period of time.

Removing it appears to be simple - just check your startup folder off the start button - this PC had the entry Server[1]

Hope this helps someone.

I'll give the points to the first person who can post some more in-depth info about it.

Cheers,

Mav.
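The three observations in the update above (a file in System32 created at the last boot, a Startup-folder entry pointing at it, and the firewall reporting it listening) are exactly the signals worth correlating on any suspect box, because a copy that comes back under a new name still has to be launched from somewhere and still opens its socket. The script below is an added example and not code from this thread: the file list, autorun entries, `netstat -ano` rows and PID-to-image map are constructed to match the post, and the five-minute "created at boot" window is my assumption.

```python
"""Correlate host signals for a suspected implant: file created at boot,
persistence entry launching it, socket owned by it.

Added example, not from the thread.  All sample data below is constructed
to mirror the post; the 5-minute window after boot is an assumption.
"""
from datetime import datetime, timedelta
import re

BOOT_TIME = datetime(2004, 8, 23, 8, 0, 0)  # constructed boot time

# (path, creation time) as os.stat(path).st_ctime reports on Windows
SYSTEM32_FILES = [
    (r"C:\Windows\System32\kernel32.dll", datetime(2001, 8, 23, 12, 0, 0)),
    (r"C:\Windows\System32\Njdjfc32.exe", datetime(2004, 8, 23, 8, 0, 41)),
    (r"C:\Windows\System32\drivers\etc\hosts", datetime(2004, 8, 20, 9, 15, 0)),
]

# Persistence entries as (location, entry name, target image); constructed.
AUTORUNS = [
    ("Startup folder", "Server[1]", r"C:\Windows\System32\Njdjfc32.exe"),
    ("HKLM\\...\\Run", "SunJavaUpdateSched", r"C:\Program Files\Java\bin\jusched.exe"),
]

# `netstat -ano` style rows (local, remote, state, pid) and a pid -> image
# map as tasklist or Process Explorer would give you; constructed.
NETSTAT_ANO = """
  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING    772
  TCP    0.0.0.0:5555     0.0.0.0:0          LISTENING    1928
  TCP    10.0.0.5:1110    168.215.49.39:80   ESTABLISHED  1400
"""
PID_IMAGES = {
    772: r"C:\Windows\System32\svchost.exe",
    1928: r"C:\Windows\System32\Njdjfc32.exe",
    1400: r"C:\Program Files\Internet Explorer\iexplore.exe",
}

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def norm(path):
    """Windows paths are case-insensitive; compare them that way."""
    return path.replace("/", "\\").lower()


def files_created_after_boot(files, boot_time, window=timedelta(minutes=5)):
    """Paths whose creation time falls inside [boot, boot + window]."""
    return [p for p, ctime in files if boot_time <= ctime <= boot_time + window]


def sockets_by_image(netstat_text, pid_images):
    """Map normalised image path -> [(local endpoint, state), ...]."""
    out = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        local, _remote, state, pid = m.groups()
        image = pid_images.get(int(pid))
        if image:
            out.setdefault(norm(image), []).append((local, state))
    return out


def correlate(files, autoruns, netstat_text, pid_images, boot_time):
    """Return {path: set(signals)} for every file created at boot.

    A file carrying all three signals (created-at-boot, autorun, listening)
    is the pattern described in the post and should be treated as an implant.
    """
    findings = {}
    socks = sockets_by_image(netstat_text, pid_images)
    for path in files_created_after_boot(files, boot_time):
        signals = {"created-at-boot"}
        if any(norm(target) == norm(path) for _loc, _name, target in autoruns):
            signals.add("autorun")
        if any(state == "LISTENING" for _local, state in socks.get(norm(path), [])):
            signals.add("listening")
        findings[path] = signals
    return findings


if __name__ == "__main__":
    for path, signals in correlate(SYSTEM32_FILES, AUTORUNS, NETSTAT_ANO,
                                   PID_IMAGES, BOOT_TIME).items():
        print(f"{path}: {', '.join(sorted(signals))}")
```

On a real machine the inputs come from `os.scandir` over System32 (creation time is `st_ctime` on Windows), the Run keys and Startup folders, and `netstat -ano` plus `tasklist`. Creation timestamps can be forged, so the file-age signal alone proves little; the autorun and socket signals are what survive a rename, which is why the post's "check your startup folder" worked when deleting the file did not.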
Let me do some checking... based on what I see with the information provided here and some preliminary stuff, this appears to be of "malicious" intent...
Doing some additional checking, and I would say that this is most likely malicious, though I have not been able to find anything as of yet. Ad-Aware and Spybot S&D have turned up nothing; running two different virus scanners atm. Noticed with a netstat that I have a slew of new entries in there since I rebooted my PC after clicking the link (yes, I am a curious SOB when it comes to stuff like this ;) ). The new entries are as follows:

  TCP    Computer:1107           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1108           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:kpop           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1110           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1146           66.35.253.32:http      TIME_WAIT
  TCP    Computer:1156           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1157           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1164           a168-215-49-30.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1165           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1166           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1167           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED

A whois turns up the following:

66.35.253.32
Record Type:   IP Address
 
OrgName:    Cable & Wireless
OrgID:      EXCW
Address:    3300 Regency Pkwy
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange:   66.35.192.0 - 66.35.255.255
CIDR:       66.35.192.0/18
NetName:    SC8-2
NetHandle:  NET-66-35-192-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:    * Rwhois reassignment information for this block is available at:
Comment:    * rwhois.exodus.net 4321
Comment:    * For abuse please contact abuse@exodus.net
RegDate:    
Updated:    2004-05-05

TechHandle: ZC221-ARIN
TechName:   Cable & Wireless
TechPhone:  +1-919-465-4023
TechEmail:  ip@gnoc.cw.net

OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-800-213-5127
OrgNOCEmail:  ipnoc@savvis.net

OrgTechHandle: EIAA-ARIN
OrgTechName:   Exodus IP Address Administration
OrgTechPhone:  +1-888-239-6387
OrgTechEmail:  ipaddressadmin@exodus.net

OrgTechHandle: GIAA-ARIN
OrgTechName:   Global IP Address Administration
OrgTechPhone:  +1-919-465-4096
OrgTechEmail:  ip@gnoc.cw.net

*******************************************

168.215.49.30
Record Type:   IP Address

OrgName:    Time Warner Telecom
OrgID:      TWTC
Address:    10475 Park Meadows Drive
City:       Littleton
StateProv:  CO
PostalCode: 80124
Country:    US

ReferralServer: rwhois://rwhois.twtelecom.net:4321

NetRange:   168.215.0.0 - 168.215.255.255
CIDR:       168.215.0.0/16
NetName:    TWTELECOM-COM
NetHandle:  NET-168-215-0-0-1
Parent:     NET-168-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.MILW.TWTELECOM.NET
NameServer: NS1.IPLT.TWTELECOM.NET
NameServer: NS1.ORNG.TWTELECOM.NET
Comment:    
RegDate:    2000-11-28
Updated:    2001-09-26

TechHandle: ZT87-ARIN
TechName:   Time Warner Telecom
TechPhone:  +1-800-898-6473
TechEmail:  ipmanager@twtelecom.net

OrgAbuseHandle: TWTAD-ARIN
OrgAbuseName:   Time Warner Telecom Abuse Desk
OrgAbusePhone:  +1-800-898-6473
OrgAbuseEmail:  abuse@twtelecom.net

OrgNOCHandle: TDN1-ARIN
OrgNOCName:   TWTC Data NOC
OrgNOCPhone:  +1-800-898-6473
OrgNOCEmail:  support@twtelecom.net

OrgTechHandle: NST12-ARIN
OrgTechName:   NOC SWIP Team
OrgTechPhone:  +1-800-898-6473
OrgTechEmail:  swip@twtelecom.com

**********************************

Registrant:
   duke, raul  
   (38210886P)  
   637 Upton Street
   Redwood City, CA 94061  
   US  
   Phone: 650-255-5806  
     
   Domain Name: D-REPORTS.ORG  
 
   Administrative Contact , Technical Contact :    
   duke, raul  
   (38210886P)  
   m_phaneuf991@hotmail.com  
   637 Upton Street
   Redwood City, CA 94061  
   US  
   Phone: 650-255-5806  
     
   Record expires on 29-Jul-2005  
   Record created on 29-Jul-2004  
   Database last updated on 29-Jul-2004  
 
   Domain servers in listed order:
 
   NS1.NO-IP.COM  216.66.37.10    
   NS2.NO-IP.COM  64.156.198.160    
   NS3.NO-IP.COM  64.156.198.151    
   NS4.NO-IP.COM  64.39.31.103    
   NS5.NO-IP.COM  212.100.249.200    
     
     
 

IP Address: 81.208.38.3
IP Location: IT(ITALY)  
Data as of: 08-Jun-2004  

*****************************************

The server "hosting" this domain is listed as out of the country, though the registrant claims a CA address, which I would tend to see as suspicious. I will keep digging, and post the results of the other scans I will be attempting in the next few minutes.
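The netstat and whois output above can be turned into a repeatable check rather than eyeballed: group the sockets by remote peer so a burst to one host stands out, and score the registration record on the things that made this one look wrong (a domain a few weeks old on a one-year registration, dynamic-DNS nameservers, a free webmail contact, hosting in a different country from the registrant). The code below is an added example, not part of the thread; the connection rows and the registration facts are copied from the post, while the 90-day age threshold and the dynamic-DNS and webmail lists are my own assumptions.

```python
"""Triage helpers for netstat output and a domain registration record.

Added example, not code from the thread.  The netstat rows and the
DOMAIN_RECORD values are the ones posted above; the thresholds and the
DYNDNS_SUFFIXES / FREE_MAIL_DOMAINS lists are assumptions to extend.
"""
from collections import Counter, defaultdict
from datetime import date
import re

NETSTAT_OUTPUT = """
  TCP    Computer:1107           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1108           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:kpop           a168-215-49-39.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    Computer:1110           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1146           66.35.253.32:http      TIME_WAIT
  TCP    Computer:1156           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1157           66.35.253.32:http      ESTABLISHED
  TCP    Computer:1164           a168-215-49-30.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1165           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1166           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    Computer:1167           a168-215-49-39.deploy.akamaitechnologies.com:http  ESTABLISHED
"""

# Registration facts as posted; OBSERVED is the date of the HijackThis scan.
DOMAIN_RECORD = {
    "domain": "d-reports.org",
    "created": date(2004, 7, 29),
    "expires": date(2005, 7, 29),
    "registrant_country": "US",
    "contact_email": "m_phaneuf991@hotmail.com",
    "nameservers": ["NS1.NO-IP.COM", "NS2.NO-IP.COM", "NS3.NO-IP.COM",
                    "NS4.NO-IP.COM", "NS5.NO-IP.COM"],
    "hosting_country": "IT",
}
OBSERVED = date(2004, 8, 23)

# Assumed lists; add the providers you see in your own environment.
DYNDNS_SUFFIXES = ("no-ip.com", "dyndns.org")
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """One dict per TCP row; ports may be service names (kpop, http)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        local, remote, state = m.groups()
        _lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"local_port": lport, "remote_host": rhost,
                     "remote_port": rport, "state": state})
    return rows


def remote_summary(rows):
    """{remote host: Counter(state)} so a burst of sockets to one peer stands out."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["remote_host"]][r["state"]] += 1
    return dict(summary)


def domain_indicators(record, observed, max_age_days=90):
    """Plain-language findings about a registration record; empty list = nothing odd."""
    findings = []
    age = (observed - record["created"]).days
    if age < max_age_days:
        findings.append(f"domain registered only {age} days before observation")
    if (record["expires"] - record["created"]).days <= 366:
        findings.append("minimum one-year registration")
    if any(ns.lower().endswith(DYNDNS_SUFFIXES) for ns in record["nameservers"]):
        findings.append("authoritative DNS on a dynamic-DNS provider")
    mail_domain = record["contact_email"].rsplit("@", 1)[-1].lower()
    if mail_domain in FREE_MAIL_DOMAINS:
        findings.append(f"registrant contact is a free webmail address ({mail_domain})")
    if record["hosting_country"] != record["registrant_country"]:
        findings.append(f"hosted in {record['hosting_country']}, "
                        f"registrant in {record['registrant_country']}")
    return findings


if __name__ == "__main__":
    for host, states in remote_summary(parse_netstat(NETSTAT_OUTPUT)).items():
        print(host, dict(states))
    for finding in domain_indicators(DOMAIN_RECORD, OBSERVED):
        print("-", finding)
```

Two caveats when reading the result: TIME_WAIT rows are connections that have already closed, and `netstat` without `-n` resolves peers through DNS, so run `netstat -ano` to get raw addresses and the owning PID before deciding which sockets matter. None of the indicators is proof on its own; the point is that several of them together on a domain you were just lured to is enough to treat the host as compromised.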
CWShredder - nothing found
Housecall - nothing found
Stinger - nothing found

Here is the HJT log, though I am not seeing anything off hand that I would think would be out of the ordinary...

Logfile of HijackThis v1.97.7
Scan saved at 2:19:22 PM, on 8/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Compaq\VCRepository\cpqsrhmo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\DMI\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
P:\NALDESK.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\BMC Software\BMCAIA_NT\bin\etescdlg.exe
C:\WINNT\system32\RUNDLL32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe
C:\Program Files\Network Associates\VirusScan\MCCONSOL.EXE
C:\Program Files\Network Associates\VirusScan\scan32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/en/home/us/enterprise.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.trendmicro.com/en/home/us/personal.htm"); (C:\Documents and Settings\Username\Application Data\Mozilla\Profiles\default\dzt1h9ne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Username\Application Data\Mozilla\Profiles\default\dzt1h9ne.slt\prefs.js)
O1 - Hosts: server-au.imrworldwide.com localhost
O1 - Hosts: server-uk.imrworldwide.com localhost
O1 - Hosts: server-dk.imrworldwide.com localhost
O1 - Hosts: server-fi.imrworldwide.com localhost
O1 - Hosts: server-us.imrworldwide.com localhost
O1 - Hosts: server-nz.imrworldwide.com localhost
O1 - Hosts: server-sg.imrworldwide.com localhost
O1 - Hosts: server-se.imrworldwide.com localhost
O1 - Hosts: server-no.imrworldwide.com localhost
O1 - Hosts: server-pl.imrworldwide.com localhost
O1 - Hosts: server-de.imrworldwide.com localhost
O1 - Hosts: server-by.imrworldwide.com localhost
O1 - Hosts: server-ee.imrworldwide.com localhost
O1 - Hosts: server-lv.imrworldwide.com localhost
O1 - Hosts: server-lt.imrworldwide.com localhost
O1 - Hosts: server-ru.imrworldwide.com localhost
O1 - Hosts: server-ua.imrworldwide.com localhost
O1 - Hosts: server-jp.imrworldwide.com localhost
O1 - Hosts: server-it.imrworldwide.com localhost
O1 - Hosts: server-br.imrworldwide.com localhost
O1 - Hosts: telstra.imrworldwide.com localhost
O1 - Hosts: ninemsn.imrworldwide.com localhost
O1 - Hosts: secure-au.imrworldwide.com localhost
O1 - Hosts: secure-us.imrworldwide.com localhost
O1 - Hosts: secure-uk.imrworldwide.com localhost
O1 - Hosts: secure-jp.imrworldwide.com localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TACMTRAY] D:\Program Files\BMC Software\BMCAIA_NT\bin\tacmtray.exe
O4 - HKLM\..\Run: [ETESCDLG] D:\Program Files\BMC Software\BMCAIA_NT\bin\etescdlg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Startup: DBabble.lnk = C:\Program Files\DBabble\DBabble.exe
O4 - Global Startup: BOINC.lnk = D:\Program Files\BOINC\boinc_gui.exe
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17a7823e2198b2c4f515/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.2534259259
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/hitthepros03/shockwave/wtinst.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab

further digging leads me to believe that this might be a worm.... I will post the article that leads me to believe this once I feel more confident in the response....
try taking a look at http://support.microsoft.com/default.aspx?scid=kb;en-us;836528

I believe this might be what is being passed. Because of my environment, I cannot be 100% certain, as the page did not do everything that it was supposed to do; however, a scan with their checker determined that I had remnants of one of the worms listed here (which I had not had prior to yesterday), and after downloading the util, I scanned as being clean. Still do not know why none of the scanners I used yesterday picked it up...
ASKER CERTIFIED SOLUTION
RevelationCS

Thanks for all your efforts there - Symantec (eventually) confirmed it as a new virus, which we'd pretty much figured out ourselves - wonderful, eh?